Exchange Domain Privilege Escalation High-Risk Vulnerability Security Advisory

Published: 2019-01-23

Vulnerability ID and Severity


CVE ID: CVE-2018-8581; Severity: High; CVSS score: 7.4 (official)


Affected Scope


Affected versions:

Microsoft Exchange Server 2010

Microsoft Exchange Server 2013

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

Note: Exchange permission models are the Split Permission Model and the Shared Permission Model (the default). Exchange servers that use the Split Permission Model are not affected by this attack scheme.


Vulnerability Overview


Microsoft Exchange Server is Microsoft's e-mail server product. Besides the traditional e-mail functions of access, storage and forwarding, newer versions of the product add a series of auxiliary features, such as voice mail, mail filtering and OWA (web-based e-mail access). Exchange Server supports multiple e-mail network protocols, such as SMTP, NNTP, POP3 and IMAP4, and integrates closely with Microsoft Active Directory.


Microsoft Exchange was previously found to contain an SSRF vulnerability, tracked as CVE-2018-8581. Recently another way of exploiting this vulnerability was published by foreign security researchers together with a PoC: an attacker can use it to take direct control of the Windows domain on the target network, and thereby of every Windows machine in the domain. At the time of writing Microsoft has not released a patch that blocks this attack method, and Microsoft's patch for CVE-2018-8581 also does not prevent this method from being used to obtain domain controller privileges.


Vulnerability Verification


Exploitation prerequisites: the mailbox credentials of any account in the domain, and an Exchange server that uses the Shared Permission Model (enabled by default). PoC: https://github.com/dirkjanm/PrivExchange


Remediation Recommendations


1. Change the Exchange permission model to the Split Permission Model, following the links below:

https://docs.microsoft.com/en-us/exchange/understanding-split-permissions-exchange-2013-help

https://docs.microsoft.com/en-us/exchange/managing-split-permissions-exchange-2013-help


2. Enable SMB signing verification on the domain controllers (not recommended if the domain contains Windows NT or older machines that need SMB authentication)

Run the Registry Editor (Regedt32.exe).

Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters, set the values of EnableSecuritySignature and RequireSecuritySignature both to 1, click OK and restart Windows.





Alternatively, save the following commands as a batch file and run it with administrator privileges on the domain controller; after it completes successfully, reboot the domain controller.


reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "RequireSecuritySignature" /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "EnableSecuritySignature" /t REG_DWORD /d 1 /f
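To confirm after the reboot that the mitigation actually took effect, the following PowerShell check (an added example, not part of the original advisory) reads the four registry values the batch file sets and reports any that still deviate from the recommended value of 1; the Get-SmbServerConfiguration cross-check assumes Windows Server 2012 or later.

```powershell
# Added example: audit the SMB signing values set by the batch file above.
# Run in an elevated PowerShell session on the domain controller after the reboot.
$expected = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'      = @('RequireSecuritySignature', 'EnableSecuritySignature')
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' = @('RequireSecuritySignature', 'EnableSecuritySignature')
}

$findings = foreach ($key in $expected.Keys) {
    foreach ($name in $expected[$key]) {
        # A missing value is reported too: the OS default for the server-side
        # RequireSecuritySignature is 0 (signing not required), so "absent" is not safe.
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Service = $key.Split('\')[-2]        # LanmanServer / LanmanWorkstation
            Name    = $name
            Value   = if ($null -eq $value) { '<absent>' } else { $value }
            Status  = if ($value -eq 1) { 'OK' } else { 'NOT ENFORCED' }
        }
    }
}

$findings | Format-Table -AutoSize

# Cross-check against the live SMB configuration (SmbShare module, Windows Server 2012+).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    "SMB server RequireSecuritySignature : $($srv.RequireSecuritySignature)"
    "SMB client RequireSecuritySignature : $($cli.RequireSecuritySignature)"
}

# Non-zero exit code when any value is not enforced, so the check can be scheduled.
if ($findings | Where-Object Status -ne 'OK') { exit 1 }
```

The exit code makes the script usable as a scheduled compliance check; a later change to the registry that relaxes signing shows up as a failed run.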


References


https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

https://github.com/dirkjanm/PrivExchange