Microsoft Exchange Server
=== 2020 ===
In February 2020, an [[ASP.NET]] vulnerability was discovered and exploited that relied on a default setting and allowed attackers to run arbitrary code with system privileges. Exploitation required only a connection to the server and a login to any user account, which can be obtained through [[credential stuffing]].<ref name=":0">{{Cite web|title=Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!|url=https://www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/|access-date=2021-03-20|website=BleepingComputer|language=en-us}}</ref><ref name=":1">{{Cite web|last1=Nusbaum|first1=Scott|last2=Paschen|first2=Christopher|date=2020-02-28|title=Detecting CVE-2020-0688 Remote Code Execution Vulnerability on Microsoft Exchange Server|url=https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/|access-date=2021-03-20|website=TrustedSec|language=en-US}}</ref>

The exploit relied on all versions of Microsoft Exchange using, by default on every installation, the same [[Static variable|static]] validation key to decrypt, encrypt, and validate the 'View State'. The View State is used to temporarily preserve changes to an individual page as information is sent to the server. The default validation key is therefore public knowledge, so it can be used to decrypt and falsely verify a modified View State containing commands added by an attacker.<ref name=":0" /><ref name=":1" />

When logged in as any user, the attacker loads any [[.aspx|.ASPX]] page and requests both the [[session ID]] of the user login and the correct View State directly from the server. This correct View State can then be [[Deserialization|deserialised]], modified to also include [[Arbitrary code execution|arbitrary code]], and falsely verified by the attacker. The modified View State is then serialised and passed back to the server in a [[GET request]], along with the session ID to show that it comes from a logged-in user; in legitimate use, the View State should always be returned in a [[POST (HTTP)|POST request]], and never in a GET request. This combination causes the server to decrypt and run the added code with its own privileges, allowing the server to be fully compromised, as any command can therefore be run.<ref name=":0" /><ref name=":1" />

In July 2020, [[Positive Technologies]] published research explaining how hackers can attack Microsoft Exchange Server without exploiting any vulnerabilities.<ref>{{Cite web |last=Sharoglazov |first=Arseniy |title=Attacking MS Exchange Web Interfaces |url=https://swarm.ptsecurity.com/attacking-ms-exchange-web-interfaces/ |access-date=2022-06-18 |website=PT SWARM |date=July 23, 2020 |language=en-US}}</ref> It was voted into the Top 10 web hacking techniques of 2020, according to [[PortSwigger Ltd]].<ref>{{Cite web |date=2021-02-24 |title=Top 10 web hacking techniques of 2020 |url=https://portswigger.net/research/top-10-web-hacking-techniques-of-2020 |access-date=2022-06-18 |website=PortSwigger Research}}</ref>
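
The GET-versus-POST distinction described for the February 2020 vulnerability lends itself to a log check. The following is an added example, not part of the original article or of the cited sources: it scans web server logs for GET requests to .aspx pages whose query string carries a View State. The IIS W3C field layout, the use of the standard ASP.NET <code>__VIEWSTATE</code> parameter name as the match key, and every sample row (paths, users, addresses) are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (assumed layout, not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-02-27 10:01:12 POST /ecp/default.aspx - alice 192.0.2.10 200
2020-02-27 10:02:40 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=PLACEHOLDER bob 198.51.100.7 500
2020-02-27 10:03:05 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ - 192.0.2.11 200
2020-02-27 10:04:19 GET /ECP/Default.aspx __VIEWSTATE=PLACEHOLDER bob 198.51.100.7 500
"""


def find_viewstate_in_get(log_text):
    """Return log records where a GET to an .aspx page carries a View State."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue  # blank line, other directive, or row before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() != "GET":
            continue  # a View State in a POST body is the legitimate case
        if not rec.get("cs-uri-stem", "").lower().endswith(".aspx"):
            continue
        # "-" means an empty query; parameter names are compared case-insensitively.
        query = rec.get("cs-uri-query", "-")
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if "__viewstate" in params:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in find_viewstate_in_get(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-username"], r["cs-uri-stem"])
```

Each hit identifies the source address and the logged-in account used for the request, which are the starting points for reviewing that account's credentials and the server's subsequent activity.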