A Proof-of-Concept (PoC) exploit has been made public for a Microsoft Exchange Server vulnerability, identified as CVE-2023-36745, which can enable remote attackers to execute code. Microsoft's advisory warned of the serious implications of this vulnerability, stating that a successful exploit could allow remote access and manipulation of the victim's data, and potentially cause downtime for the targeted system.
The details of this vulnerability were extensively analysed by N1k0la in a blog post. N1k0la explained that the vulnerability stems from the ability of Microsoft.Exchange.DxStore.Common.DxSerializationUtil.SharedTypeResolver to bypass system checks. This class, through its single-argument constructor, calls the Assembly.LoadFrom method, which loads an assembly from a supplied path. At the same time, the LoadType method of Microsoft.Exchange.Diagnostics.ChainedSerializationBinder resolves classes from the assemblies loaded in the current application's context.
The core issue is that attackers can abuse deserialization type conversion to introduce a malicious class through a custom assembly, compromising the Exchange Server and enabling Remote Code Execution (RCE), which gives attackers significant control. N1k0la highlighted that .NET Framework 4 had previously taken steps to prevent such vulnerabilities by disabling the ability to run code in assemblies from remote locations, which should have deterred remote exploits. However, the call to the LoadFrom method resulted in a FileLoadException rather than blocking the load outright, which introduced another vulnerability.
After .NET Framework 4 made remote assembly loading unfeasible, attackers found a workaround by using SMB shares to load assemblies from external machines. Moreover, the default strictMode of Microsoft.Exchange.Diagnostics.ChainedSerializationBinder only allows whitelisted classes to undergo deserialization. However, N1k0la pointed out a potential interaction with CVE-2023-21529 that could allow skilled attackers to bypass this security measure.
The vulnerability is exploited by using the Microsoft.Exchange.DxStore.Common.DxSerializationUtil.SharedTypeResolver class to bypass the .NET Framework's default security restrictions. This class can load assemblies from remote locations, which can then be used to execute arbitrary code on the victim system. To exploit the vulnerability, an attacker needs LAN access to the victim's Exchange server and must then send a specially crafted HTTP request to the server that triggers the flaw. If successful, the attacker can execute arbitrary code on the victim system.
N1k0la validated these findings by publishing the PoC exploit on GitHub. While this could provide potential threat actors with dangerous information, it also benefits the cybersecurity community by highlighting the real risks and allowing for the development of stronger countermeasures. Although Microsoft patched the vulnerability in its September 2023 Patch Tuesday update, many organizations have not yet applied the patch, leaving their systems susceptible to attack.