Attackers hunting for vulnerable Exchange Servers

  • Post author:
  • Reading time:5 mins read

 Microsoft exchange vulnerability 2020


Microsoft rightly predicted that systems vulnerable to CVE-2020-0688 could be an attractive target. For attackers, this vulnerability could soon be include in upcoming attacks. Standing true to that, attackers have now started scanning the Internet for Microsoft Exchange Vulnerability 2020 Servers to a Remote Code Execution flaw(CVE-2020-0688). This vulnerability received a patch during the Patch Tuesday of February 2020. A good Vulnerability Management System can prevent these attacks.


Key to Remote Code Execution: CVE-2020-0688

According to Microsoft, CVE-2020-0688 is a vulnerability in Microsoft Exchange Server due to the failure of the server to create unique keys during installation properly. An authentic attacker with the knowledge of the validation key and access to a mailbox can pass arbitrary objects to be deserializing by a web application running with SYSTEM privileges. A Vulnerability Management tool can resolve these issues.

Microsoft rated this vulnerability important in severity with the notion that an attacker needs authentication for successful exploitation. But in the scenario of an organization, many users possess access to accounts with basic USER privileges. Given that, exploiting further would be no herculean task. Attacks are also feasible in cases where the attacker has already obtained the credentials to the target systems through other means.


Deep Dive into Microsoft Exchange Server’s Code Execution Bug

CVE-2020-0688 reporting to Microsoft by an anonymous researcher working with Trend Micro’s Zero Day Initiative (ZDI). ZDI has published a detailed vulnerability analysis and a demonstration video exploiting CVE-2020-0688.

The flaw resides in the Exchange Control Panel (ECP) component, a web-based management interface in Exchange Server. The primary reason for the existence of the bug is the use of static keys in the server. While randomly generated keys for every installation are expected for security, all installations of the Microsoft Exchange Server were found to have the same validationKey  decryptionKey values in web.config. These keys secure ViewState, which is the server-side data that ASP.NET web applications store in the serialized format on the client.

An authenticated attacker can launch insecure deserialization attacks by maliciously crafting ViewState data. An attacker can also plan to execute .NET code on the server with a ViewState payload generated using YSoSerial.net in the context of the Exchange Control Panel web application, which runs as SYSTEM.

In order to successfully launch an attack, an attacker should acquire the ViewStateUserKey and the __VIEWSTATEGENERATOR values from an authenticated session. Standard developer tools within the browser can be used to obtain these parameters. ViewStateUserKey can be obtained from ASP.NET _SessionID cookie.


Steps for exploitation

1) A simple user logs in to his account on /ecp/default.aspx page.
2) The validation key is already present due to the presence of static keys:

validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF

validationalg = SHA1

3) A request is sent to /ecp/default.aspx.
The page source of the response contains __VIEWSTATEGENERATOR.
The value of ASP.NET_SessionId cookie in Request header is the ViewStateUserKey.
4) The values of validationkey, validationalg, generator and viewstateuserkey are now known. The next step will be to create the ViewState payload.
5) The ViewState payload encodes and crafts with a URL.
/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<ViewState>

6) The craft URL gains access using the browser. The browser response is, but the craft data executes in the background with SYSTEM privileges.


Affected Products

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14 and 15
  • Microsoft Exchange Server 2019 Cumulative Update 3 and 4

Impact

An authenticated attacker can execute malicious code on the server. Successful attacks can also involve disclosure and tampering of confidential emails in an organization.


Solution

Microsoft has released an update for mitigating this vulnerability as a part of the Patch Tuesday Updates of February 2020. We strongly recommend applying the security updates from the vendor if not already applied.


SanerNow detects this vulnerability and automatically fixes it by applying security updates. Download SanerNow and keep your systems updated and secure.