Exchange In-Domain Privilege Escalation High-Risk Vulnerability Security Advisory
Published: 2019-01-23
Vulnerability ID and severity
CVE ID: CVE-2018-8581, Severity: High, CVSS score (official): 7.4
Affected scope
Affected versions:
Microsoft Exchange Server 2010
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Note: Exchange has two permission models, the Split Permission Model and the Shared Permission Model (the default). Exchange servers that use the Split Permission Model are not affected by this attack scenario.
Vulnerability overview
Microsoft Exchange Server is Microsoft's suite of email server components. In addition to traditional email access, storage and forwarding, newer versions of the product add a series of auxiliary features such as voice mail, mail filtering, and OWA (web-based email access). Exchange Server supports multiple email network protocols, including SMTP, NNTP, POP3 and IMAP4, and integrates closely with Microsoft Active Directory.
Microsoft Exchange was previously found to contain an SSRF vulnerability, tracked as CVE-2018-8581. Recently, another way of exploiting this vulnerability was published by a foreign security researcher, together with a PoC; an attacker who exploits it can directly take control of the Windows domain in the target network and thereby every Windows machine in that domain. Microsoft has not yet released a patch that blocks this attack method, and Microsoft's existing patch for CVE-2018-8581 does not prevent this method from being used to obtain domain controller privileges.
Vulnerability verification
Exploitation prerequisites: the mailbox username and password of any account in the domain, and an Exchange server that uses the Shared Permission model (enabled by default). PoC: https://github.com/dirkjanm/PrivExchange
Remediation recommendations
1. Change the Exchange permission model to the Split Permission Model, following these links:
https://docs.microsoft.com/en-us/exchange/understanding-split-permissions-exchange-2013-help
https://docs.microsoft.com/en-us/exchange/managing-split-permissions-exchange-2013-help
2. Enable SMB signing enforcement on the domain controllers (not recommended if the domain still contains Windows NT or older machines that need to pass SMB validation against the domain controller).
Run the Registry Editor (Regedt32.exe).
Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters, set the values of both EnableSecuritySignature and RequireSecuritySignature to 1, confirm, and restart Windows.
Alternatively, save the following commands as a batch file, run it with administrator privileges on the domain controller, and restart the domain controller once it completes successfully.
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f
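As an added example that is not part of this advisory, the following PowerShell script audits the four registry values that step 2 sets and, when run with -Enforce, writes them to 1 exactly as the reg add commands above do. It assumes an elevated PowerShell session on the domain controller; the function name Get-SmbSigningState is the example's own.

```powershell
# Added example (not from the advisory): audit, and optionally enforce, the SMB signing
# registry values from step 2. Run in an elevated PowerShell session on the domain controller.
param([switch]$Enforce)

# The same two keys the advisory's reg add commands write to.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
)
$values = @('EnableSecuritySignature', 'RequireSecuritySignature')

function Get-SmbSigningState {
    foreach ($key in $keys) {
        foreach ($name in $values) {
            # A missing key or value returns $null rather than throwing.
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            $current = if ($null -ne $item) { [int]$item.$name } else { $null }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Current   = $current
                Compliant = ($current -eq 1)
            }
        }
    }
}

$state = @(Get-SmbSigningState)
$state | Format-Table -AutoSize

$noncompliant = @($state | Where-Object { -not $_.Compliant })
if ($noncompliant.Count -eq 0) {
    Write-Host 'SMB signing is already enabled and required on both the server and client side.'
} elseif ($Enforce) {
    foreach ($entry in $noncompliant) {
        # Same effect as the advisory's "reg add ... /t REG_DWORD /d 1 /f".
        New-ItemProperty -Path $entry.Key -Name $entry.Name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set $($entry.Name) = 1 under $($entry.Key)"
    }
    Write-Host 'Restart the domain controller for the change to take effect.'
} else {
    Write-Warning "$($noncompliant.Count) value(s) are not set to 1; re-run with -Enforce to fix them."
}
```

On domain controllers these values are also written by the "Digitally sign communications" security options in Group Policy, so re-run the audit after a policy refresh to confirm the effective setting.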
References
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://github.com/dirkjanm/PrivExchange