Microsoft rightly predicted that systems vulnerable to CVE-2020-0688 would be an attractive target for attackers and that the vulnerability would soon be included in attacks. That prediction has held: attackers have started scanning the Internet for Microsoft Exchange Servers vulnerable to this Remote Code Execution flaw (CVE-2020-0688). The vulnerability was patched in the Patch Tuesday updates of February 2020.
Key to Remote Code Execution: CVE-2020-0688
According to Microsoft, CVE-2020-0688 is a vulnerability in Microsoft Exchange Server due to the failure of the server to properly create unique keys during installation. An authenticated attacker with the knowledge of the validation key and access to a mailbox can pass arbitrary objects to be deserialized by a web application running with SYSTEM privileges.
Microsoft rated this vulnerability Important in severity because an attacker needs authentication for successful exploitation. In an organization, however, many people hold accounts with only basic user privileges, and any such account is enough, so the authentication requirement is not a high bar for further exploitation. Attacks are also feasible where the attacker has already obtained credentials for the target system through other means.
Deep Dive into Microsoft Exchange Server’s Code Execution Bug
CVE-2020-0688 was reported to Microsoft by an anonymous researcher working with Trend Micro’s Zero Day Initiative (ZDI). ZDI has published a detailed analysis of the vulnerability along with a demonstration video exploiting CVE-2020-0688.
The flaw resides in the Exchange Control Panel (ECP) component, a web-based management interface in Exchange Server. The root cause of the bug is the use of static keys on the server. Although each installation is expected to generate its own random keys, all installations of Microsoft Exchange Server were found to have the same decryptionKey values in web.config. These keys are meant to secure ViewState, the server-side data that ASP.NET web applications store in serialized form on the client.
Because the keys are known, an authenticated attacker can craft ViewState data that passes validation and launch an insecure deserialization attack. A ViewState payload generated with YSoSerial.net lets the attacker execute .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM.
In order to launch an attack, an attacker must acquire the ViewStateUserKey and the __VIEWSTATEGENERATOR values from an authenticated session. Standard developer tools within the browser can be used to obtain these parameters. ViewStateUserKey can be obtained from the ASP.NET_SessionId cookie.
Steps for exploitation
1) A user with basic privileges logs in to his account on
2) The validation key is already known due to the presence of static keys:
validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
validationalg = SHA1
3) A request is sent to
The page source of the response contains
The value of the ASP.NET_SessionId cookie in the request header is the ViewStateUserKey.
4) The values of __VIEWSTATEGENERATOR and ViewStateUserKey are now known. The next step is to create the ViewState payload.
5) The ViewState payload is URL-encoded and a URL is crafted with it.
6) The crafted URL is accessed using the browser. The response is 500 Unexpected Error, but by then the crafted data has already been executed on the server with SYSTEM privileges.
Affected Versions
- Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 14 and 15
- Microsoft Exchange Server 2019 Cumulative Update 3 and 4
Impact
An authenticated attacker can execute malicious code on the server. Successful attacks can also involve disclosure and tampering of confidential emails in an organization.
Solution
Microsoft has released an update that fixes this vulnerability as part of the Patch Tuesday updates of February 2020. We strongly recommend applying the vendor's security updates if they have not already been applied.
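As an added check (not code from the original post, from Microsoft or from ZDI), the following Python parses a web.config, locates its machineKey element and flags the static validationKey quoted in the exploitation steps above, so an administrator can confirm that a server is carrying a per-installation key rather than the shared one. The two sample configs are constructed; the "unique" validationKey and the decryptionKey values in them are placeholders, and which web.config to feed it (the ECP application's) is left to the reader.

```python
import xml.etree.ElementTree as ET

# validationKey that the write-up reports as shared by every Exchange installation
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"


def audit_machine_key(web_config_xml: str) -> dict:
    """Inspect the <machineKey> element of a web.config and classify it.

    'finding' is one of:
      'no_machine_key' - no <machineKey> element at all (ASP.NET uses its own defaults)
      'auto_generated' - validationKey="AutoGenerate..." (ASP.NET's per-machine default)
      'static_key'     - the shared Exchange validationKey, i.e. CVE-2020-0688 exposure
      'unique_key'     - an explicit key that differs from the shared static value
    """
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)  # first machineKey anywhere in the file
    if node is None:
        return {"finding": "no_machine_key", "validation_key": None, "validation": None}
    vkey = (node.get("validationKey") or "").strip()
    if vkey.upper().startswith("AUTOGENERATE"):
        finding = "auto_generated"
    elif vkey.upper() == STATIC_VALIDATION_KEY:  # hex keys compare case-insensitively
        finding = "static_key"
    else:
        finding = "unique_key"
    return {"finding": finding, "validation_key": vkey, "validation": node.get("validation")}


# Constructed sample configs (not real Exchange files): one carrying the static key,
# one with a placeholder per-install key as a patched server is expected to have.
STATIC_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" />
  </system.web>
</configuration>"""

PATCHED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_UNIQUE_KEY_GENERATED_AT_INSTALL"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("static", STATIC_WEB_CONFIG), ("patched", PATCHED_WEB_CONFIG)):
        print(label, audit_machine_key(cfg))
```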