CVE-2020-0688 - Exchange Control Panel Viewstate Deserialization Bug

2020-02-11T21:30:07
ID AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9
Type attackerkb
Reporter AttackerKB
Modified 2020-07-08T05:02:14

Description

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

Recent assessments:

xFreed0m at 2020-03-10T14:34:20.666504Z reported: The ease of exploiting this vulnerability depends directly on the ability to get a working set of creds. That means that if the organization has a weak password policy, guessable passwords, leaked credentials or an external interface that allows password spraying, obtaining such credentials will be easy for adversaries.

Assessed Attacker Value: 5 Assessed Exploitability: 4

ccondon-r7 at 2020-03-06T23:31:22.236669Z reported: There's a Metasploit exploit module out for this now, and pen testers have reported that seeing vulnerable Exchange servers is common on engagements. As zeroSteiner has pointed out on Twitter, all that's needed for reliable code execution is a domain user with a mailbox: https://twitter.com/zeroSteiner/status/1234983584177328129. TrustedSec has a great write-up on IoCs here: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
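
As an added example (not part of this assessment or of the TrustedSec write-up it links), the following Python script scans IIS W3C log lines for the request shape this bug produces: a GET to the Exchange Control Panel carrying __VIEWSTATE in the query string. Legitimate ECP pages post the ViewState in the request body, and the exploit has to send it via GET (see zeroSteiner's assessment further down this page), so that combination is the indicator worth hunting for. The log lines are constructed, the column layout is the default IIS W3C field set, and the /ecp/ path prefix and the reading of the status code are assumptions.

```python
"""Flag GET requests to /ecp/ that carry __VIEWSTATE in the query string.

Added example for CVE-2020-0688 triage; the IIS W3C log lines below are
constructed, not captured from a real server.
"""
from urllib.parse import parse_qs

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/&reason=0 443 - 203.0.113.7 Mozilla/5.0 200
2020-03-01 10:00:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
2020-03-01 10:00:20 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE=%2FwEyLwAAAQAA 443 EXAMPLE\jdoe 203.0.113.7 Mozilla/5.0 500
2020-03-01 10:01:00 10.0.0.5 GET /ecp/default.aspx - 443 EXAMPLE\jdoe 203.0.113.7 Mozilla/5.0 200
2020-03-01 10:01:30 10.0.0.5 POST /ecp/default.aspx - 443 EXAMPLE\jdoe 203.0.113.7 Mozilla/5.0 200
"""

# Assumption: the exploited endpoint lives under /ecp/ (the Exchange Control Panel).
TARGET_PREFIX = "/ecp/"


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; IIS encodes spaces as '+', so counts should match
        yield dict(zip(fields, parts))


def is_viewstate_get(rec):
    """True when a GET to the ECP carries __VIEWSTATE in the query string.

    Normal ECP postbacks send the ViewState in the POST body; the exploit
    must use GET, so ViewState in a GET query string is the signal.
    """
    if rec.get("cs-method", "").upper() != "GET":
        return False
    if not rec.get("cs-uri-stem", "").lower().startswith(TARGET_PREFIX):
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":
        return False
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in names


def find_viewstate_get_requests(text):
    """Return a summary dict for every suspicious request in the log text."""
    hits = []
    for rec in parse_w3c(text):
        if is_viewstate_get(rec):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "user": rec.get("cs-username"),
                "path": rec["cs-uri-stem"],
                # The status alone does not prove whether deserialization
                # succeeded; it is recorded for the analyst, not interpreted.
                "status": rec.get("sc-status"),
                "query_len": len(rec["cs-uri-query"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_viewstate_get_requests(SAMPLE_LOG):
        print(hit)
```

Point it at the real W3C files under the IIS log directory of each Client Access Server; the authenticated username in the hit tells you which mailbox account's credentials were used, which is the lead to chase next.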

tsellers-r7 at 2020-03-05T22:29:33.890612Z reported: Discovery Notes

You can determine the version of Microsoft Exchange that the Client Access Servers (CAS) are running prior to authentication. Visit the OWA login page (https://owa.probablyunpatched.com/owa/auth/logon.aspx) and view the source.

```css
@font-face { font-family: "Segoe UI WPC"; src: url("/owa/auth/15.0.1210/themes/resources/segoeui-regular.eot?#iefix") format("embedded-opentype"), url("/owa/auth/15.0.1210/themes/resources/segoeui-regular.ttf") format("truetype"); }

@font-face { font-family: "Segoe UI WPC Semilight"; src: url("/owa/auth/15.0.1210/themes/resources/segoeui-semilight.eot?#iefix") format("embedded-opentype"), url("/owa/auth/15.0.1210/themes/resources/segoeui-semilight.ttf") format("truetype"); }

@font-face { font-family: "Segoe UI WPC Semibold"; src: url("/owa/auth/15.0.1210/themes/resources/segoeui-semibold.eot?#iefix") format("embedded-opentype"), url("/owa/auth/15.0.1210/themes/resources/segoeui-semibold.ttf") format("truetype"); }
```

The versions there can be compared to the Exchange build lookup list provided by Microsoft: https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

The following Exchange versions may be safe. Microsoft isn’t consistently updating the build number as part of the update installation process. Anything newer is probably patched.

| Exchange Release | Build Number |
|---|---|
| Microsoft Exchange Server 2019 Cumulative Update 4 + hotfix | 15.2.529.xxx |
| Microsoft Exchange Server 2019 Cumulative Update 3 + hotfix | 15.2.464.xxx |
| Microsoft Exchange Server 2016 Cumulative Update 16 + hotfix | 15.1.1979.xxx |
| Microsoft Exchange Server 2016 Cumulative Update 15 + hotfix | 15.1.1913.xxx |
| Microsoft Exchange Server 2016 Cumulative Update 14 + hotfix | 15.1.1847.xxx |
| Microsoft Exchange Server 2013 Cumulative Update 23 + hotfix | 15.0.1497.xxx |
| Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 | 14.3.496.xxx |

Any version matching those listed below, or older than those listed below, is definitely vulnerable.

| Exchange Release | Build Number |
|---|---|
| Microsoft Exchange Server 2019 Cumulative Update 2 | 15.2.397.3 |
| Microsoft Exchange Server 2016 Cumulative Update 14 | 15.1.1779.2 |
| Microsoft Exchange Server 2013 Cumulative Update 22 | 15.0.1473.3 |
| Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 29 | 14.3.487.0 |
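
To turn the discovery notes above into a repeatable check, here is an added Python example (not the assessment author's code): it pulls the three-part build out of the /owa/auth/<build>/ resource paths and classifies it against the two tables. The HTML excerpt is constructed; the thresholds are the third build component from each table, keyed by product line. Because the build number is not reliably bumped when the security update is installed, "maybe-patched" is the strongest verdict the page source can support, so the script reports it that way and leaves anything between the two tables as "unknown". fetch_logon_page() is a convenience for live use with an assumed URL layout and is not exercised offline.

```python
"""Fingerprint an Exchange CAS build from the unauthenticated OWA logon page.

Added example; the HTML below is a constructed excerpt, not a real capture.
"""
import re
import urllib.request

SAMPLE_LOGON_HTML = """<html><head>
<link rel="shortcut icon" href="/owa/auth/15.1.1779/themes/resources/favicon.ico" type="image/x-icon">
<style>
@font-face { font-family: "Segoe UI WPC"; src: url("/owa/auth/15.1.1779/themes/resources/segoeui-regular.eot?#iefix") format("embedded-opentype"); }
</style></head></html>"""

# Three-part build in the static resource path; a fourth part is tolerated if present.
VERSION_RE = re.compile(r"/owa/auth/(\d+\.\d+\.\d+)(?:\.\d+)?/")

# Thresholds taken from the two tables in the assessment, keyed by
# (major, minor) and compared on the third build component only.
PATCHED_MIN = {      # lowest "CU + hotfix" build listed per product line
    (15, 2): 464,    # Exchange 2019
    (15, 1): 1847,   # Exchange 2016
    (15, 0): 1497,   # Exchange 2013
    (14, 3): 496,    # Exchange 2010
}
VULNERABLE_MAX = {   # build listed as definitely vulnerable per product line
    (15, 2): 397,    # Exchange 2019
    (15, 1): 1779,   # Exchange 2016
    (15, 0): 1473,   # Exchange 2013
    (14, 3): 487,    # Exchange 2010
}


def extract_build(html):
    """Return (major, minor, build) from the first /owa/auth/<build>/ path, or None."""
    m = VERSION_RE.search(html)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def classify_build(build):
    """'vulnerable', 'maybe-patched' or 'unknown'.

    'maybe-patched' is deliberate: the hotfix does not reliably change this
    number, so a new enough build only tells you the CU level is current.
    """
    if build is None or len(build) < 3:
        return "unknown"
    key, third = (build[0], build[1]), build[2]
    if key not in VULNERABLE_MAX:
        return "unknown"          # product line not covered by the tables
    if third <= VULNERABLE_MAX[key]:
        return "vulnerable"
    if third >= PATCHED_MIN[key]:
        return "maybe-patched"
    return "unknown"              # between the two tables; check the host directly


def assess_logon_page(html):
    build = extract_build(html)
    return build, classify_build(build)


def fetch_logon_page(base_url, timeout=10):
    """Live helper (assumed URL layout); not used by the offline demo."""
    url = base_url.rstrip("/") + "/owa/auth/logon.aspx"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(assess_logon_page(SAMPLE_LOGON_HTML))
```

A "maybe-patched" result still needs confirmation on the host (installed security updates), since the page source cannot distinguish a CU with the hotfix from the same CU without it.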

J3rryBl4nks at 2020-03-02T22:11:35.246085Z reported: Due to widespread credential stuffing and password spraying attacks, and the fact that this is a deserialization RCE due to hard-coded encryption keys, the exploit is universally portable.

There are also POC scripts that just require you to get valid credentials.

Assessed Attacker Value: 5 Assessed Exploitability: 4

jbarto at 2020-02-28T16:51:39.461029Z reported: Exchange Servers exposed to the outside (OWA) will need to patch this as soon as possible. Internal Exchange is not a high priority. Knowing the validation key is required to exploit. There is discussion that a specially crafted email may trigger this vulnerability with the way Exchange handles memory objects, which can lead to remote code execution.
Several POCs are available, although the skill level to exploit is higher with the need to write custom code.
Recommended to patch if Exchange is exposed outside of the environment. This was patched in the Feb 2020 patch release from Microsoft.
High/Critical depending on controls to expose Exchange to the internet. Low/Moderate for internal Exchange depending on the environment.

Assessed Attacker Value: 5 Assessed Exploitability: 3

theguly at 2020-02-28T16:45:22.39561Z reported: just to add the exploit and proper tag https://github.com/Ridter/cve-2020-0688

Assessed Attacker Value: 5 Assessed Exploitability: 5

zeroSteiner at 2020-02-26T17:02:20.412624Z reported: This is a serialization bug in the Exchange Control Panel component of Microsoft Exchange server. The write-up by ZDI outlines an exploitation path in great detail, showing how the vulnerability would be leveraged to gain command execution as NT AUTHORITY\SYSTEM on the server.

The root of the issue is that the validationKey is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.

The important values from the write-up are:

validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
validationalg = SHA1

I anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the Domain Users group and have a configured mailbox in Exchange.

The ViewState must be transferred within a GET request; POST cannot be used. This introduces size restrictions on the OS command that can be executed.

Assessed Attacker Value: 4 Assessed Exploitability: 4

hartescout at 2020-02-26T02:30:27.611496Z reported: This one is fairly new. I will put a few quotes in here, as they display my ideas of why this should be considered high priority and have better writing skills than I do, unfortunately. I was initially alerted (again) to this CVE by the thread linked here: https://twitter.com/GossiTheDog/status/1232368620270911488 I agree, enterprise environments with Internet-facing Exchange. As stated in the thread, you can see that a simple search with shodan.io will expose this vulnerability. There are thousands that qualify.

Here is another, more formal and thorough analysis I think you will find helpful: https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys

Here is a video of the bug in action: https://youtu.be/7d_HoQ0LVy8

This is an RCE vulnerability that affects Microsoft Exchange Server. A patch has now been released, but Microsoft has not classified this as critical, so we will see how effective it is.

"Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter. "

I welcome any discussion; please tell me if I am missing something. I would love to hear more about this and whether any Blue Team has had an incident already. Take care!

Assessed Attacker Value: 5 Assessed Exploitability: 4
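
As an added example (not from any of the assessments above), the following Python script models the root cause the quoted paragraph describes: a server that MAC-checks a client-supplied ViewState blob with HMAC-SHA1 under a validationKey, then deserializes whatever passes. HMAC-SHA1 over payload||modifier is a simplified stand-in for ASP.NET's ViewState MAC, not the exact algorithm, and JSON stands in for ObjectStateFormatter; only the key value is taken from this page (zeroSteiner's assessment). It shows why a key shared by every installation makes every installation forgeable by anyone who has read the key, and why a per-install random key is the fix.

```python
"""Model of the CVE-2020-0688 root cause: a keyed ViewState MAC under a key
that every installation shares.

Added example. HMAC-SHA1 over payload||modifier is a simplified stand-in for
ASP.NET's ViewState MAC, and json stands in for ObjectStateFormatter; only
the key value comes from the page.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import quote

# validationKey quoted on this page (48 hex chars = 24 bytes).
FIXED_VALIDATION_KEY = bytes.fromhex("CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF")
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA1


def sign_viewstate(key, payload, modifier):
    """Blob sent to the client: payload followed by HMAC-SHA1(key, payload||modifier)."""
    mac = hmac.new(key, payload + modifier, hashlib.sha1).digest()
    return payload + mac


def server_load_viewstate(key, blob, modifier):
    """What the page does on postback: verify the MAC, then deserialize."""
    if len(blob) <= MAC_LEN:
        raise ValueError("Invalid viewstate: too short")
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, payload + modifier, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Invalid viewstate: MAC check failed")
    # Only MAC-validated data reaches this point. In the real bug this is
    # ObjectStateFormatter on attacker bytes; json.loads is the harmless stand-in.
    return json.loads(payload)


def encode_for_query(blob):
    """How the blob travels in a GET: base64, then percent-encoded for the URL.

    The result has to fit in a URL, which is the size limit the assessments
    mention for the command that can be run.
    """
    return quote(base64.b64encode(blob).decode("ascii"), safe="")


def forgery_accepted(server_key, attacker_key, modifier=b"page-identifier"):
    """True if a blob signed with attacker_key passes a server using server_key."""
    evil = json.dumps({"object": "attacker-controlled serialized object"}).encode()
    blob = sign_viewstate(attacker_key, evil, modifier)
    try:
        server_load_viewstate(server_key, blob, modifier)
        return True
    except ValueError:
        return False


def generate_validation_key_hex():
    """Per-install key of the same length as the fixed one; the fix is making this unique."""
    return secrets.token_hex(24).upper()


if __name__ == "__main__":
    # Every install shares the fixed key, so the attacker's MAC always matches.
    print("fixed key, forgery accepted :", forgery_accepted(FIXED_VALIDATION_KEY, FIXED_VALIDATION_KEY))
    # With a key generated at install time, the attacker's guess no longer verifies.
    fresh = bytes.fromhex(generate_validation_key_hex())
    print("random key, forgery accepted:", forgery_accepted(fresh, FIXED_VALIDATION_KEY))
    demo = sign_viewstate(FIXED_VALIDATION_KEY, b'{"a": 1}', b"page-identifier")
    print("query-string form:", encode_for_query(demo))
```

The MAC is doing exactly what it was designed to do in both runs; the flaw is entirely in key management. That is why the fix is a per-install key (or rotating the machineKey in web.config) rather than any change to the deserializer, and why credentials for a single mailbox user are all the exploit needs once the key is public.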