CVE-2020-17144 : Microsoft Exchange Server EWS Insecure Deserialization

Recent events have prompted speculation [1] about an increase in cyberattacks on organizations by threat actors. One CVE that has come up amid this speculation is CVE-2020-17144, a Remote Code Execution (RCE) vulnerability in Microsoft Exchange Server 2010 SP3.

What is Microsoft Exchange

Microsoft Exchange is a mail and calendaring server implemented using ASP.NET. Microsoft Exchange Server provides web access for Exchange Web Services (EWS) which is an application program interface (API) that allows programmers to access Microsoft Exchange items such as calendars, contacts, and email.

Vulnerability Details

This CVE affects all versions of Microsoft Exchange 2010 SP3 up to Cumulative Update (CU) 30 (released on 08.12.2020). A Proof of Concept (PoC) is publicly available on GitHub [2]. We will test the PoC on a test machine in a moment. Before we do that, here is a brief, simplified explanation of the root cause of the vulnerability:

EWS uses SOAP (Simple Object Access Protocol) messages, which are XML based [3], to access and modify user configuration objects. One of the methods that accepts SOAP messages, CreateUserConfiguration, has a field called “binary data” which takes serialized [4] data. This serialized data is deserialized on the server side without any validation. An authenticated attacker can therefore embed malicious serialized data in these SOAP messages and achieve RCE when the server deserializes it.

With that out of the way, let’s see the attack in action.

Attack in action

Configuring the target

Preparing the payload

Executing the Payload

To give an idea of what the payload is designed to do: it creates a serialized object which, once deserialized, hosts a malicious server/webpage on the Exchange server. That page responds to user queries by executing the supplied command, whoami in this case.

Now, to launch the attack, run,

To test if the attack was successful -

We have also tested it to be working on Exchange Server 2010 SP3 with Cumulative Update 30.

Traffic on the Wire

While we executed the payload, we used Wireshark to monitor the packets exchanged over the network.

Here we can see that the points discussed above about the cause of the vulnerability hold true.

If we base64 decode the payload, we can see some information, such as the URL where the payload will start its server, which is what we used to verify that the attack worked.
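As an added example (not code from this post or from the PoC), the following Python check inspects an EWS SOAP request of the kind seen in the capture above and flags a CreateUserConfiguration call whose BinaryData decodes to a .NET BinaryFormatter stream, which is the serialized object the server deserializes. The EWS namespace URIs are the public ones; the request body is constructed here for the demonstration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Dict, List

# .NET BinaryFormatter SerializationHeaderRecord: record type 0, root id 1,
# header id -1, major version 1, minor version 0 (base64 prefix "AAEAAAD/////").
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff0100000000000000")

# Public EWS SOAP namespaces.
EWS_MESSAGES = "http://schemas.microsoft.com/exchange/services/2006/messages"
EWS_TYPES = "http://schemas.microsoft.com/exchange/services/2006/types"


def inspect_ews_request(soap_xml: str) -> List[Dict]:
    """Return one finding per BinaryData element inside a CreateUserConfiguration call."""
    findings: List[Dict] = []
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return findings  # not XML at all: nothing to inspect
    for call in root.iter(f"{{{EWS_MESSAGES}}}CreateUserConfiguration"):
        for blob in call.iter(f"{{{EWS_TYPES}}}BinaryData"):
            text = (blob.text or "").strip()
            try:
                raw = base64.b64decode(text, validate=True)
            except binascii.Error:
                raw = b""  # malformed base64: treat as empty, still reported
            findings.append({
                "decoded_length": len(raw),
                # A BinaryFormatter header in user-configuration data is the
                # tell-tale sign of a deserialization payload on this endpoint.
                "binaryformatter": raw.startswith(BINARYFORMATTER_MAGIC),
            })
    return findings


def build_request(binary_data: bytes) -> str:
    """Constructed CreateUserConfiguration request carrying binary_data (demo input only)."""
    b64 = base64.b64encode(binary_data).decode()
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        f'xmlns:m="{EWS_MESSAGES}" xmlns:t="{EWS_TYPES}"><s:Body>'
        "<m:CreateUserConfiguration><m:UserConfiguration>"
        '<t:UserConfigurationName Name="example.config">'
        '<t:DistinguishedFolderId Id="inbox"/></t:UserConfigurationName>'
        f"<t:BinaryData>{b64}</t:BinaryData>"
        "</m:UserConfiguration></m:CreateUserConfiguration></s:Body></s:Envelope>"
    )


if __name__ == "__main__":
    print(inspect_ews_request(build_request(BINARYFORMATTER_MAGIC + b"\x00" * 16)))
    print(inspect_ews_request(build_request(b"<settings/>")))
```

The same check can be run over request bodies reconstructed from a Wireshark capture or from IIS logs that retain the POST body, so a CreateUserConfiguration call carrying a BinaryFormatter stream stands out from ordinary user-configuration writes.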

Mitigation

To be able to mitigate this attack, make sure to apply the latest Cumulative Updates, at least CU 31 to the vulnerable Microsoft Exchange 2010 server.

You can also use Keysight test platforms with an ATI subscription to safeguard your network against such attacks. Keysight Threat Simulator or BreakingPoint products can help you assess your network security controls and determine whether you are protected prior to patching. This kind of assessment is valuable as it can let you know whether you have protection during the time before a change management window opens.

Leverage subscription service to stay ahead of attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Center continuously monitors threats as they appear in the wild and has just released a strike for this CVE as part of BreakingPoint System’s recent update 2022-05. More information is present here [12].

The following image shows a screenshot of this CVE as a strike in BreakingPoint System.

Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks. For more details, see BreakingPoint.

References

  1. https://www.marketscreener.com/quote/stock/RAPID7-INC-23055722/news/Rapid7-Staying-Secure-in-a-Global-Cyber-Conflict-39579278/
  2. https://github.com/zcgonvh/CVE-2020-17144
  3. https://www.w3schools.com/xml/xml_soap.asp
  4. https://devopedia.org/data-serialization
  5. https://www.microsoft.com/en-in/evalcenter/evaluate-windows-server-2012-r2
  6. /blogs/tech/nwvs.entry.html/2020/12/15/hp_data_protector-jA0g.html
  7. https://www.microsoft.com/en-in/download/details.aspx?id=36768
  8. https://www.microsoft.com/en-in/download/details.aspx?id=40784
  9. https://www.microsoft.com/en-us/download/details.aspx?id=100910
  10. https://www.youtube.com/watch?v=kPhABk20bac
  11. https://www.wireshark.org/download.html
  12. https://support.ixiacom.com/version/breakingpoint-strikepacks-os-v830-0