falohound.blogg.se

Wireshark use with soap

With the recent events, there have been speculations regarding increasing cybersecurity attacks on organizations by threat actors. Amidst the speculations, the name of a CVE which has popped up is CVE-2020-17144, which is a Remote Code Execution (RCE) vulnerability in Microsoft Exchange Server 2010 SP3. Microsoft Exchange is a mail and calendaring server implemented using ASP.NET. Microsoft Exchange Server provides web access for Exchange Web Services (EWS), which is an application programming interface (API) that allows programmers to access Microsoft Exchange items such as calendars, contacts, and email. This CVE affects all the versions of Microsoft Exchange 2010 SP3 up to Cumulative Update (CU) 30 (released on ). There is a Proof of Concept (PoC) publicly available on GitHub. We will test out the PoC on a test machine in a moment. Before we do that, here is a brief, simplified explanation of the root cause of the vulnerability: EWS uses SOAP (Simple Object Access Protocol) messages, which are XML based, to access and modify the user configuration object. One of the methods accepting SOAP messages (CreateUserConfiguration) has a field called "binary data" which accepts serialized data. This serialized data is deserialized on the server side without any validation. So, an authenticated attacker can embed malicious data in these SOAP messages capable of performing RCE, which is the vulnerability.

With that out of the way, let's see the attack in action. Firstly, we need a Windows OS which supports deployment of Microsoft Exchange Server. For that we deploy a Windows Server 2012 VM. We will use the same VM to launch the attack too. We can use some other machine on the same network as well. An Active Directory (AD) Domain needs to be deployed on this machine. We can follow the guide from one of my previous blogs in the 'Deploying the Domain Controller' section. After deploying an AD, we need to install Microsoft Exchange Server 2010 SP3. The version downloaded won't have any Cumulative Update installed. Visual Studio C++13 is needed if we want to apply the latest vulnerable Cumulative Update 30 over it. Next, we need to deploy the MS Exchange Server 2010; we can follow the tutorial here. Once the Exchange setup is done, we need to make sure we can log in to the following URLs by visiting them in the browser - and.

Optional: We can disable SSL for EWS to see what's being exchanged on the wire in plain text.
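Once EWS traffic is visible in plain text in Wireshark, the captured SOAP bodies can be checked for CreateUserConfiguration calls and the BinaryData they carry, which is the field the root cause above describes. The Python below is an added example for that check, not code from this blog or from the public PoC; it assumes the standard EWS messages/types namespaces, assumes the serialized data is a .NET BinaryFormatter (MS-NRBF) stream whose fixed 17-byte header is easy to recognise, and uses only a constructed header-plus-padding sample rather than any real object graph.

```python
import base64
import xml.etree.ElementTree as ET

# MS-NRBF SerializationHeaderRecord as written by .NET BinaryFormatter:
# RecordType 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
NRBF_HEADER = bytes.fromhex("00 01000000 ffffffff 01000000 00000000")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{ns}Name' -> 'Name'

def inspect_ews_request(body):
    """Scan a plaintext EWS SOAP body (as seen in a Wireshark HTTP stream once
    SSL is disabled for EWS) for CreateUserConfiguration calls and report
    every BinaryData element they carry, flagging BinaryFormatter streams."""
    findings = []
    for op in ET.fromstring(body).iter():
        if _local(op.tag) != "CreateUserConfiguration":
            continue
        for el in op.iter():
            if _local(el.tag) != "BinaryData" or not el.text:
                continue
            try:
                blob = base64.b64decode(el.text.strip(), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                findings.append({"bytes": 0, "binaryformatter": False, "decode_error": True})
                continue
            findings.append({"bytes": len(blob),
                             "binaryformatter": blob.startswith(NRBF_HEADER),
                             "decode_error": False})
    return findings

def build_request(b64):
    """Constructed CreateUserConfiguration envelope (EWS namespaces assumed)."""
    return ("<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'"
            " xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'"
            " xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'>"
            "<soap:Body><m:CreateUserConfiguration><m:UserConfiguration>"
            "<t:UserConfigurationName Name='demo'>"
            "<t:DistinguishedFolderId Id='inbox'/></t:UserConfigurationName>"
            f"<t:BinaryData>{b64}</t:BinaryData>"
            "</m:UserConfiguration></m:CreateUserConfiguration></soap:Body></soap:Envelope>")

# Constructed samples: NRBF header plus three zero bytes (no object graph) vs. an opaque blob.
SUSPECT = build_request(base64.b64encode(NRBF_HEADER + b"\x00" * 3).decode())
BENIGN = build_request(base64.b64encode(b"hello").decode())

if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, inspect_ews_request(req))
```

A hit on the header is only a heuristic: confirm what the decoded stream actually contains before treating the request as hostile, and pair it with the source account and client from the same capture.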