AttackerKB AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9
History: Feb 11, 2020 - 12:00 a.m.

CVE-2020-0688 - Exchange Control Panel Viewstate Deserialization Bug

2020-02-11 00:00:00
attackerkb.com
CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.972 High
Percentile: 99.8%

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka ‘Microsoft Exchange Memory Corruption Vulnerability’.

Recent assessments:

zeroSteiner at February 26, 2020 5:02pm UTC reported:

hartescout at February 26, 2020 2:30am UTC reported:

J3rryBl4nks at March 02, 2020 10:11pm UTC reported:

theguly at February 28, 2020 4:45pm UTC reported:

xFreed0m at March 10, 2020 2:34pm UTC reported:

todb-r7 at April 09, 2020 2:08pm UTC reported:

ccondon-r7 at March 06, 2020 11:31pm UTC reported:

tsellers-r7 at March 05, 2020 10:29pm UTC reported:

gwillcox-r7 at October 20, 2020 6:47pm UTC reported:

jbarto at February 28, 2020 4:51pm UTC reported:

This is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The write-up by ZDI outlines an exploitation path in great detail how the vulnerability would be leveraged to gain command execution as NT_AUTHORITY\SYSTEM on the server.

The root of the issue is that the validationKey is not randomized at installation time, resulting in Exchange servers using an attacker-known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized, which can result in code execution.

The important values from the write up are:

validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
validationalg = SHA1

I anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the Domain Users group and have a configured mailbox in Exchange.

The ViewState must be transferred within a GET request; POST cannot be used. This introduces size restrictions on the OS command that can be executed.
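An audit check for the root cause described above, added here as an example and not taken from the assessment or from Microsoft: it inspects the `<machineKey>` element of an ASP.NET configuration file and flags the validationKey value quoted on this page. It assumes the key is set in the ECP application's web.config, whose contents the caller supplies; the function name and the sample configs are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Key value quoted in the assessment above (identical on every affected install).
KNOWN_STATIC_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

# Constructed sample configs for the demo; not copied from a real server.
SAMPLE_UNPATCHED = """<configuration><system.web>
  <machineKey validationKey="cb2721abdaf8e9dc516d621d8b8bf13a2c9e8689a25303bf"
              validation="SHA1" />
</system.web></configuration>"""
SAMPLE_UNIQUE = """<configuration><system.web>
  <machineKey validationKey="00112233445566778899AABBCCDDEEFF0011223344556677,IsolateApps"
              validation="HMACSHA256" />
</system.web></configuration>"""
SAMPLE_AUTO = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""


def audit_machine_key(config_xml):
    """Return one (status, validation_algorithm) finding per <machineKey> element."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        raw = mk.get("validationKey", "")
        alg = mk.get("validation", "(default)")
        # ASP.NET allows a modifier after the key, e.g. "AutoGenerate,IsolateApps".
        key = raw.split(",")[0].strip().upper()
        if not key or key == "AUTOGENERATE":
            findings.append(("auto-generated", alg))
        elif key == KNOWN_STATIC_KEY:
            findings.append(("KNOWN-STATIC-KEY", alg))   # matches the published value
        else:
            # Hard-coded but different: still confirm it is unique to this server.
            findings.append(("explicit-key", alg))
    if not findings:
        findings.append(("no-machineKey-element", "(n/a)"))
    return findings


if __name__ == "__main__":
    for name, cfg in [("unpatched", SAMPLE_UNPATCHED),
                      ("unique", SAMPLE_UNIQUE),
                      ("auto", SAMPLE_AUTO)]:
        print(name, audit_machine_key(cfg))
```

A `KNOWN-STATIC-KEY` finding means ViewState signed with the published key will pass validation on that server.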

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4
