Add more words about Exchange role groups

rapid7 · Sep 16, 2020 · e0e0ac2 · e0e0ac2
1 parent adee1a7
commit e0e0ac2
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/documentation/modules/exploit/windows/http/exchange_ecp_dlp_policy.md b/documentation/modules/exploit/windows/http/exchange_ecp_dlp_policy.md
@@ -8,6 +8,12 @@ required to exploit this vulnerability. Additionally, the target user
 must have the `Data Loss Prevention` role assigned and an active
 mailbox.
 
+If the user is in the `Compliance Management` or greater `Organization
+Management` role groups, then they have the `Data Loss Prevention`
+role. Since the user who installed Exchange is in the `Organization
+Management` role group, they transitively have the `Data Loss
+Prevention` role.
+
 The specific flaw exists within the processing of the `New-DlpPolicy`
 cmdlet. The issue results from the lack of proper validation of
 user-supplied template data when creating a DLP policy. An attacker

diff --git a/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb b/modules/exploits/windows/http/exchange_ecp_dlp_policy.rb
@@ -23,6 +23,12 @@ def initialize(info = {})
  must have the "Data Loss Prevention" role assigned and an active
  mailbox.
 
+ If the user is in the "Compliance Management" or greater "Organization
+ Management" role groups, then they have the "Data Loss Prevention"
+ role. Since the user who installed Exchange is in the "Organization
+ Management" role group, they transitively have the "Data Loss
+ Prevention" role.
+
  The specific flaw exists within the processing of the New-DlpPolicy
  cmdlet. The issue results from the lack of proper validation of
  user-supplied template data when creating a DLP policy. An attacker