zeroSteiner's assessment of CVE-2020-1147

Common in enterprise Easy to weaponize Vulnerable in default configuration Authenticated

Description

A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka ‘.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability’.

Add Assessment

zeroSteiner (315)

July 27, 2020 10:19pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

High

Exploitability

High

Common in enterprise Easy to weaponize Vulnerable in default configuration Authenticated

Technical Analysis

A deserialization vulnerability exists within Microsoft Sharepoint that could allow an attacker to execute code on the server within the context of the service account. The attacker would need to authenticate to Sharepoint and submit a specially crafted POST request to a specific resource that implements the ContactLinksSuggestionsMicroView or InputFormContactLinksSuggestionsMicroView control. The following two resources meet this requirement:

/_layouts/15/quicklinks.aspx?Mode=Suggestion
/_layouts/15/quicklinksdialogform.aspx?Mode=Suggestion

Alternatively, an attacker with the correct privileges may create a page which implements this.

For more information, see the details analysis posted to srcincite.io by Steven Seeley.

See More &2 repliesSee Less

siberkuvvet (0) November 25, 2020 8:02am UTC (3 years ago)

Also there is an online tool to check for CVE-2020-1147

https://securityforeveryone.com/tools/sharepointer-visualstudio-rce-cve-2020-1147

nmmapper (0) May 27, 2021 5:46am UTC (2 years ago)

Yeah you can always test out at https://www.nmmapper.com

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

Required

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Microsoft SharePoint Enterprise Server 2016

Microsoft SharePoint Enterprise Server 2013 Service Pack 1

Microsoft SharePoint Server 2019

Microsoft SharePoint Server 2010 Service Pack 2

Microsoft Visual Studio 2019 16.0

Microsoft Visual Studio 2019 version 16.6 (includes 16.0 - 16.5)

Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)

Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)

.NET Core 2.1

.NET Core 3.1

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows 8.1 for 32-bit systems

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows 8.1 for x64-based systems

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows RT 8.1

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows Server 2012

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows Server 2012 (Server Core installation)

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows Server 2012 R2

Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 Windows Server 2012 R2 (Server Core installation)

Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systems

Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systems

Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation)

Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systems

Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systems

Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems

Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems

Microsoft .NET Framework 4.8 on Windows Server 2016

Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)

Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems

Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems

Microsoft .NET Framework 4.8 on Windows RT 8.1

Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft .NET Framework 4.8 on Windows Server 2012

Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)

Microsoft .NET Framework 4.8 on Windows Server 2012 R2

Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019

Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 1909 (Server Core installation)

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 1903 (Server Core installation) 1903

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1803 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1803 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server, version 1803 (Server Core Installation)

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation)

Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016

Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation)

Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2 on Windows 10 Version 1709 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2 on Windows 10 Version 1709 for x64-based Systems

Microsoft .NET Framework 4.6 Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 4.6 Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 3.5 Windows 8.1 for 32-bit systems

Microsoft .NET Framework 3.5 Windows 8.1 for x64-based systems

Microsoft .NET Framework 3.5 Windows Server 2012

Microsoft .NET Framework 3.5 Windows Server 2012 (Server Core installation)

Microsoft .NET Framework 3.5 Windows Server 2012 R2

Microsoft .NET Framework 3.5 Windows Server 2012 R2 (Server Core installation)

Microsoft .NET Framework 3.5.1 Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 3.5.1 Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 3.5.1 Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.5.2 Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 4.5.2 Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.5.2 Windows 8.1 for 32-bit systems

Microsoft .NET Framework 4.5.2 Windows 8.1 for x64-based systems

Microsoft .NET Framework 4.5.2 Windows RT 8.1

Microsoft .NET Framework 4.5.2 Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 4.5.2 Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 4.5.2 Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 4.5.2 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft .NET Framework 4.5.2 Windows Server 2012

Microsoft .NET Framework 4.5.2 Windows Server 2012 (Server Core installation)

Microsoft .NET Framework 4.5.2 Windows Server 2012 R2

Microsoft .NET Framework 4.5.2 Windows Server 2012 R2 (Server Core installation)

Microsoft .NET Framework 3.5 AND 4.6/4.6.1/4.6.2 on Windows 10 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.6/4.6.1/4.6.2 on Windows 10 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.7.1/4.7.2 on Windows 10 Version 1709 for ARM64-based Systems

Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1803 for ARM64-based Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 2004 for x64-based Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 2004 (Server Core installation)

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1903 for ARM64-based Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for ARM64-based Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 2004 for 32-bit Systems

Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 2004 for ARM64-based Systems

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

exploit/windows/http/sharepoint_data_deserialization

Reporter

Unknown

Vendors

microsoft

Products

.net core 2.1,
.net core 3.1,
.net framework 2.0,
.net framework 3.0,
.net framework 3.5,
.net framework 3.5.1,
.net framework 4.5.2,
.net framework 4.6,
.net framework 4.6.1,
.net framework 4.6.2,
.net framework 4.7,
.net framework 4.7.1,
.net framework 4.7.2,
.net framework 4.8,
sharepoint enterprise server 2013,
sharepoint enterprise server 2016,
sharepoint server 2010,
sharepoint server 2019,
visual studio 2017,
visual studio 2019

Metasploit Modules

SharePoint DataSet / DataTable Deserialization (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/sharepoint_data_deserialization.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 03, 2021 2:36pm UTC (2 years ago)

References

Canonical

CVE-2020-1147 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1147)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html

http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html

https://www.exploitalert.com/view-details.html?id=35992

http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html

Rapid7

High

CVE-2020-1147

High

High

Required

None

Local

CVE-2020-1147

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification