跳转至

T1190-CVE-2020-0688漏洞利用检测

来自ATT&CK的描述

使用软件,数据或命令来利用面向Internet的计算机系统或程序中的弱点,从而导致意外或无法预期的行为。系统的弱点可能是错误、故障或设计漏洞。这些应用程序通常是网站,但是可以包括数据库(例如SQL),标准服务(例如SMB 或SSH)以及具有Internet可访问开放的任何其他应用程序,例如Web服务器和相关服务。根据所利用的缺陷,这可能包括“利用防御防卫”。

如果应用程序托管在基于云的基础架构上,则对其进行利用可能会导致基础实际应用受到损害。这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径。

对于网站和数据库,OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞。

CVE-2020-0688漏洞

Microsoft Exchange Server是微软公司一套支持多种电子邮件网络协议的电子邮件服务组件,除传统的电子邮件的存取、储存、转发作用外,在新版本的产品中亦加入了一系列辅助功能,如语音邮件、邮件过滤筛选和OWA(基于Web的电子邮件存取)。

漏洞起于Microsoft Exchange服务器在安装时并没有正确创建唯一密钥,经过身份验证的攻击者可以欺骗目标服务器反序列化恶意创建的ViewState数据,使攻击者可以在Exchange Control Panel web应用上执行任意.net代码。

测试案例

具体复测可以参考

检测日志

HTTP流量、Windows sysmon日志、IIS日志、exchange日志

测试复现

可参考上述测试案例

测试留痕

HTTP流量检测规则基于payload关键词进行检测

Windows sysmon日志检测规则基于payload关键词检测

IIS日志检测规则,留痕如下:

2020-03-09 17:16:50 ::1 POST /owa/auth.owa &CorrelationID=<empty>;&cafeReqId=9cff6edd-19a9-43c0-bdd2-a94adef6dd0c; 443 [email protected] ::1 Mozilla/4.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+OWACTP) - 302 0 0 0
2020-03-09 17:16:58 172.*.*.27 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyhAYAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACmBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BY2FsYy5leGU8L1N5c3RlbTpTdHJpbmc%2BDQogICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2BDQogICAgPC9PYmplY3REYXRhUHJvdmlkZXI%2BDQo8L1Jlc291cmNlRGljdGlvbmFyeT4LJ%2F5i3bVSrOTrkun3pNej4tluDK0%3D&CorrelationID=<empty>;&cafeReqId=e0874638-b142-4c77-84c1-c0434137e691; 443 limou 10.0.254.139 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:73.0)+Gecko/20100101+Firefox/73.0 - 500 0 0 1502

检测规则/思路

sigma规则

title: CVE-2020-0688 Exchange Exploitation via Web Log
id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
date: 2020/02/29
logsource:
    category: webserver
detection:
    selection1:
        cs-method: 'GET'
        c-uri|contains:
            - '/ecp/'
            - '/owa/'
    selection2:
        c-uri|contains: '__VIEWSTATE='
    condition: selection1 and selection2
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
tags:
    - attack.initial_access
    - attack.t1190
level: critical

title: CVE-2020-0688 Exploitation via Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
date: 2020/02/29
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: windows
    service: application
detection:
    selection1:
        EventID: 4
        Source: MSExchange Control Panel
        Level: Error
    selection2:
        - '*&__VIEWSTATE=*'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high

title: CVE-2020-0688 Exploitation IIS Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
date: 2020/02/29
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: windows
    service: IIS
detection:
    selection1:
        cs-method: 'POST'
        c-uri|contains: '/owa/auth.owa'
    selection2:
        cs-method: 'GET'
        c-uri|contains: '__VIEWSTATEGENERATOR=* __VIEWSTATE='
    timeframe: 3s #可根据实际情况调整
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high

建议

暂无

参考推荐

MITRE-ATT&CK-T1190

https://attack.mitre.org/techniques/T1190/

SIGMA rules

https://github.com/Neo23x0/sigma/pull/644/files

在MICROSOFT EXCHANGE SERVER上检测CVE-2020-0688远程执行代码漏洞

https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/