CVSSv2 score: 9

CVE-2020-0688

Published: 11/02/2020 Updated: 20/02/2020
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

Vulnerability Trend

Affected Products

Vendor      Product           Versions
Microsoft   Exchange Server   2010, 2013, 2016, 2019

Exploits

# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution
# Date: 2020-02-28
# Exploit Author: Photubias
# Vendor Advisory: [1] portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
#                  [2] www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsof ...

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##

require 'bindata'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  D ...

Mailing Lists

Microsoft Exchange 2019 version 15.2.221.12 suffers from an authenticated remote code execution vulnerability ...
This Metasploit module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis, resulting in them using the same validationKey and decryptionKey values. With knowledge of these values, an attacker can craft a s ...
This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrat ...

Github Repositories

Vulnerability scanner for CVE-2020-0688

cve-2020-0688 UNIVERSAL Python implementation utilizing ASPX webshell for command output

Powershell script to detect CVE-2020-0688

Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

General Security Scripts

I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, hugely reducing the steps for that.

CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

cve-2020-0688

CVE-2020-0688 - Exchange

cve-2020-0688

CVE-2020-0688

CVE-2020-0688_EXP Auto trigger payload

Exchange Scanner CVE-2020-0688

Quick tool for checking CVE-2020-0688 on multiple hosts with a non-intrusive method.

Exploit and detect tools for CVE-2020-0688

PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell

Invoke-Recon

Powershell script for the very first domain enumeration. Just because I'm tired to type the same AD / PowerView commands over and over.

Prerequisites

You may want to exclude your tools directory from Defender (if you clone submodules, for example):

    Add-MpPreference -ExclusionPath "C:\Users\bleponge\Documents\myrepos"
    Get-MpPreference | Select -Expand ExclusionPath

If you haven't already imported the following modules for your enumeration:

    git clone --recurse-submodules https://github.com/phackt/Invoke-Recon.git
    Import-Module .\modules\PowerSploit\Recon\PowerView.ps1
    Import-Module .\modules\PowerUpSQL\PowerUpSQL.psd1
    Import-Module .\modules\ADModule\Microsoft.ActiveDirectory.Management.dll
    Import-Module .\modules\ADModule\ActiveDirectory\ActiveDirectory.psd1

Run

    .\Invoke-Recon.ps1 -Domain us.funcorp.local | Tee-Object -FilePath .\invoke-recon.txt

    ################################################################
    ################################################################
    | Starting enumeration of domain us.funcorp.local
    ################################################################
    ################################################################

    +------+------------------------------------------------+------+
    | Searching PDC
    +------+------------------------------------------------+------+

    Name                                   Type TTL Section NameTarget               Priority Weight Port
    ----                                   ---- --- ------- ----------               -------- ------ ----
    _ldap._tcp.pdc._msdcs.us.funcorp.local SRV  600 Answer  UFC-DC1.us.funcorp.local 0        100    389

    Name       : UFC-DC1.us.funcorp.local
    QueryType  : A
    TTL        : 600
    Section    : Additional
    IP4Address : 192.168.2.1

    +------+------------------------------------------------+------+
    | Searching all DCs
    +------+------------------------------------------------+------+

    _ldap._tcp.dc._msdcs.us.funcorp.local  SRV  600 Answer  UFC-DC1.us.funcorp.local 0        100    389

    Name       : UFC-DC1.us.funcorp.local
    QueryType  : A
    TTL        : 600
    Section    : Additional
    IP4Address : 192.168.2.1

    +------+------------------------------------------------+------+
    | Checking spooler service is up on DCs
    +------+------------------------------------------------+------+
    ...

    +------+------------------------------------------------+------+
    | Members of the DCs 'Domain Local' group Administrators
    +------+------------------------------------------------+------+

    [+] Digging into 192.168.2.1

    ComputerName : 192.168.2.1
    GroupName    : Administrators
    MemberName   : USFUN\Administrator
    SID          : S-1-5-21-3965405831-1015596948-2589850225-500
    IsGroup      : False
    IsDomain     : False
    ...

    +------+------------------------------------------------+------+
    | Nested privileged users (RID >= 1000)
    +------+------------------------------------------------+------+

    GroupDomain             : us.funcorp.local
    GroupName               : Domain Admins
    GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=us,DC=funcorp,DC=local
    MemberDomain            : us.funcorp.local
    MemberName              : servicesadmin
    MemberDistinguishedName : CN=services admin,CN=Users,DC=us,DC=funcorp,DC=local
    MemberObjectClass       : user
    MemberSID               : S-1-5-21-3965405831-1015596948-2589850225-1122

    +------+------------------------------------------------+------+
    | Computers with constrained delegation and protocol transition
    +------+------------------------------------------------+------+
    ...

    +------+------------------------------------------------+------+
    | Users with constrained delegation and protocol transition
    +------+------------------------------------------------+------+
    ...

    +------+------------------------------------------------+------+
    | Managed Service Accounts with constrained delegation and protocol transition
    +------+------------------------------------------------+------+
    ...

    +------+------------------------------------------------+------+
    | Finding principals with replicating permissions
    +------+------------------------------------------------+------+
    ...

    [more]

Todo

    Resolving https://github.com/NetSPI/PowerUpSQL/issues/61 for querying specific domain thanks to PowerUpSQL (any idea?)
    Finding all others common quick wins (privexchange, cve-2020-0688, ...)
    Cross the results

About

Powershell script for the very first domain enumeration - Written while doing the 'Advanced Red Team' lab from pentesteracademy
Topics: pentest, training-materials, activedirectory, powershell, powerview, powerupsql, pentesteracademy
Languages: PowerShell 100.0%

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

This is an open source Snort rules repository

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.


Recent Articles

Microsoft: Attackers increasingly exploit Exchange servers
BleepingComputer • Sergiu Gatlan • 24 Jun 2020

Microsoft's Defender ATP Research Team today issued guidance on how to defend against attacks targeting Exchange servers by blocking malicious activity identified with the help of behavior-based detection.
The Microsoft researchers based their analysis on multiple campaigns of Exchange attacks investigated during early April which showed how the malicious actors deploying web shells on on-premises Exchange servers.
Multiple fileless techniques were also used as part of these attacks,...

Microsoft releases guidance on blocking ransomware attacks
BleepingComputer • Sergiu Gatlan • 28 Apr 2020

Microsoft warned today of ongoing human-operated ransomware campaigns targeting healthcare organizations and critical services, and shared tips on how to block new breaches by patching vulnerable internet-facing systems.
Many such attacks start with the human operators first exploiting vulnerabilities found in internet-facing network devices or by brute-forcing RDP servers and then deploying the ransomware payloads.
For instance, Pulse VPN devices have been targeted by threat actors ...

Serious Exchange Flaw Still Plagues 350K Servers
Threatpost • Lindsey O'Donnell • 07 Apr 2020

Over 80 percent of exposed Exchange servers are still vulnerable to a severe vulnerability – nearly two months after the flaw was patched, and after researchers warned that multiple threat groups were exploiting it.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, opens servers up to authenticated attacker...

80% of all exposed Exchange servers still unpatched for critical flaw
BleepingComputer • Sergiu Gatlan • 06 Apr 2020

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven't yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.
This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.
Microsoft patched th...

Microsoft Exchange Server Flaw Exploited in APT Attacks
Threatpost • Lindsey O'Donnell • 09 Mar 2020

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched ser...

NSA Warns About Microsoft Exchange Flaw as Attacks Start
BleepingComputer • Sergiu Gatlan • 09 Mar 2020

The U.S. National Security Agency (NSA) warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency's Twitter account.
NSA's tweet reminded followers to patch the CVE-2020-0688 vulnerability which would enable potential attackers to execute commands on vulnerable Microsoft Exchange servers using email credentials.
Microsoft patched this RCE security flaw as part of the February 2020 Patch Tue...

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
BleepingComputer • Sergiu Gatlan • 26 Feb 2020

Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability patched by Microsoft two weeks ago.
All Exchange Server versions up to the last released patch are exposed to potential attacks following these ongoing scans, including those currently out of support even though Microsoft's security advisory doesn't explicitly list them.
The flaw is present in the Exchange Control Panel (ECP) component and it...

Microsoft Patch Tuesday – February 2020
Symantec Threat Intelligence Blog • Preethi Koroth • 12 Feb 2020

This month the vendor has patched 99 vulnerabilities, 13 of which are rated Critical.


As always, customers are advised to follow these security best practices:

Install vendor patches as soon as they are available.
Run all so...

If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
The Register • Shaun Nichols in San Francisco • 11 Feb 2020

Meanwhile, we're still squashing bugs in Adobe Flash Player... plus stuff from Intel and SAP

Patch Tuesday It's going to be a busy month for IT administrators as Microsoft, Intel, Adobe, and SAP have teamed up to deliver a bumper crop of security fixes for Patch Tuesday.
Microsoft had one of its largest patch bundles in recent memory, as the Windows giant released fixes for 99 CVE-listed vulnerabilities.
These included CVE-2020-0674, a remote code execution flaw in Internet Explorer's Trident rendering engine that is already being exploited in the wild. This hole would typic...

Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches
Threatpost • Tara Seals • 11 Feb 2020

Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important.
The update includes a patch for the zero-day memory-corruption vulnerability disclosed in late January that’s under active attack. The bug tracked as CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote co...