Microsoft Exchange Server RCE (CVE-2023-36745) Flaw Gets PoC Exploit

Proof-of-concept (PoC) exploit code has been published for a Microsoft Exchange Server vulnerability tracked as CVE-2023-36745 that allows remote attackers to execute code.

Microsoft’s security advisory painted a stark picture: “An attacker who successfully exploits this vulnerability could perform a remote attack that could enable access to the victim’s information and the ability to alter information. Successful exploitation could also potentially cause downtime for the targeted environment.”

Taking the lead in decoding the intricacies of this vulnerability, N1k0la shared insights through a detailed blog post. In the post, N1k0la wrote (Translated): “The vulnerability hinges on Microsoft.Exchange.DxStore.Common.DxSerializationUtil.SharedTypeResolver’s ability to bypass system checks. This class, with its single-argument constructor, triggers the Assembly.LoadFrom method, which in turn loads an assembly. In tandem, the LoadType method of Microsoft.Exchange.Diagnostics.ChainedSerializationBinder fetches classes from assemblies in the current application’s context.”

The crux? Attackers can exploit deserialization type conversion, introducing a malicious class via a custom assembly. This tactic not only compromises the Exchange Server but also paves the way for Remote Code Execution (RCE), giving attackers unparalleled control.

Historically, as N1k0la pointed out, .NET Framework 4 had taken measures to prevent such vulnerabilities. It disabled the capability to run code in assemblies from remote locations. This should’ve deterred remote exploits, but the LoadFrom method’s call resulted in a FileLoadException, presenting yet another vulnerability.

With remote assembly loading no longer viable post .NET Framework 4, attackers found a workaround — leveraging SMB sharing to load assemblies from external machines. Adding another layer of complexity, Microsoft.Exchange.Diagnostics.ChainedSerializationBinder‘s default strictMode only allows whitelisted classes to undergo deserialization. Yet, N1k0la notes the potential synergy with CVE-2023-21529, allowing crafty exploiters to circumvent this security measure.

The vulnerability is exploited by leveraging the Microsoft.Exchange.DxStore.Common.DxSerializationUtil.SharedTypeResolver class to bypass the .NET Framework’s default security restrictions. This class can be used to load assemblies from remote locations, which can then be used to execute arbitrary code on the victim system.

To exploit the vulnerability, an attacker would first need to gain LAN-access to the victim’s Exchange server. Once they have LAN-access, they could then send a specially crafted HTTP request to the server that would exploit the vulnerability. If the exploit is successful, the attacker would be able to execute arbitrary code on the victim system.

Validating his findings, N1k0la took a bold step by publishing the Proof-of-Concept (PoC) exploit on Github. While this move could arm potential threat actors with dangerous information, it also serves the cybersecurity community by showcasing the actual risks, allowing for the development of more robust countermeasures.

Microsoft has patched the vulnerability in its September 2023 Patch Tuesday update. However, many organizations have not yet applied the patch, leaving their systems vulnerable to attack.