Add more words about Exchange role groups

rapid7 · Sep 16, 2020 · 03e0b90 · 03e0b90
1 parent e118ff1
commit 03e0b90
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/documentation/modules/exploit/windows/http/exchange_ecp_dlp_policy.md b/documentation/modules/exploit/windows/http/exchange_ecp_dlp_policy.md
@@ -8,6 +8,12 @@ required to exploit this vulnerability. Additionally, the target user
 must have the `Data Loss Prevention` role assigned and an active
 mailbox.
 
+If the user is in the `Compliance Management` or greater `Organization
+Management` role groups, then they have the `Data Loss Prevention`
+role. Since the user who installed Exchange is in the `Organization
+Management` role group, they transitively have the `Data Loss
+Prevention` role.
+
 The specific flaw exists within the processing of the `New-DlpPolicy`
 cmdlet. The issue results from the lack of proper validation of
 user-supplied template data when creating a DLP policy. An attacker

diff --git a/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb b/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb
@@ -23,6 +23,12 @@ def initialize(info = {})
           must have the "Data Loss Prevention" role assigned and an active
           mailbox.
 
+          If the user is in the "Compliance Management" or greater "Organization
+          Management" role groups, then they have the "Data Loss Prevention"
+          role. Since the user who installed Exchange is in the "Organization
+          Management" role group, they transitively have the "Data Loss
+          Prevention" role.
+
           The specific flaw exists within the processing of the New-DlpPolicy
           cmdlet. The issue results from the lack of proper validation of
           user-supplied template data when creating a DLP policy. An attacker