Attacker Value: High (2 users assessed)
Exploitability: Very High (2 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

CVE-2020-0618

Disclosure Date: February 11, 2020

Description

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka ‘Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability’.


2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

Although the application was only accessible to authorised users, the lowest privilege (the Browser role) was sufficient in order to exploit this issue.

https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

My testing confirmed that the endpoint is post-auth. No idea how to configure anonymous users yet, if possible. Uses Windows auth by default. Needed a password to get anywhere. Not really a problem in a Windows environment. So, if you have creds, this could be a potentially useful pivot point.

I don’t know how common this is in enterprise environments, but it seems to be a likely pairing with Microsoft’s SQL Server. That may gain you access to useful information.

2
Technical Analysis

This service is incredibly common on the inside of Enterprise Environments. Would make for an extremely useful pivot to a resource that would likely have other valuable credentials on it.

Because obtaining valid Credentials in a Windows Environment is trivial, this is easy to exploit.

Because this is a viewstate serialization issue, the toolkits to create the attack payload are easy to find (https://github.com/pwntester/ysoserial.net) and the POC is readily available: https://github.com/euphrat1ca/CVE-2020-0618

General Information

Vendors

  • Microsoft

Products

  • Microsoft SQL Server
  • Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
  • Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU)
  • Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
  • Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
  • Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)