module

Microsoft Exchange Server DlpUtils AddTenantDlpPolicy RCE

Try Surface Command
Back to search
Disclosed
Jan 12, 2021
Created
Sep 17, 2020

Description

This vulnerability allows remote attackers to execute arbitrary code
on affected installations of Exchange Server. Authentication is
required to exploit this vulnerability. Additionally, the target user
must have the "Data Loss Prevention" role assigned and an active
mailbox.

If the user is in the "Compliance Management" or greater "Organization
Management" role groups, then they have the "Data Loss Prevention"
role. Since the user who installed Exchange is in the "Organization
Management" role group, they transitively have the "Data Loss
Prevention" role.

The specific flaw exists within the processing of the New-DlpPolicy
cmdlet. The issue results from the lack of proper validation of
user-supplied template data when creating a DLP policy. An attacker
can leverage this vulnerability to execute code in the context of
SYSTEM.

Tested against Exchange Server 2016 CU19 on Windows Server 2016.

Authors

Leonard Rapp
Markus Vervier
Steven Seeley
Yasar Klawohn
wvu wvu@metasploit.com
Spencer McIntyre

Platform

Windows

Architectures

x86, x64

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


    msf > use exploit/windows/http/exchange_ecp_dlp_policy
    msf exploit(exchange_ecp_dlp_policy) > show targets
        ...targets...
    msf exploit(exchange_ecp_dlp_policy) > set TARGET < target-id >
    msf exploit(exchange_ecp_dlp_policy) > show options
        ...show and set options...
    msf exploit(exchange_ecp_dlp_policy) > exploit
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today