Attacker Value
High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2020-0618

Disclosure Date: February 11, 2020
CVE-2020-0618 CVSS v3 Base Score: 8.8
Exploited in the Wild
Reported by ccondon-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka ‘Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability’.

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Easy to weaponize
Technical Analysis

Although the application was only accessible to authorised users, the lowest privilege (the Browser role) was sufficient in order to exploit this issue.

https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

My testing confirmed that the endpoint is post-auth. No idea how to configure anonymous users yet, if possible. Uses Windows auth by default. Needed a password to get anywhere. Not really a problem in a Windows environment. So, if you have creds, this could be potentially useful pivot point.

I don’t know how common this is in enterprise environments, but it seems to be a likely pairing with Microsoft’s SQL Server. That may gain you access to useful information.

Log in to Add Reply
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseDifficult to patchEasy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

This service is incredibly common on the inside of Enterprise Environments. Would make for an extremely useful pivot to a resource that would likely have other valuable credentials on it.

Because obtaining valid Credentials in a Windows Environment is trivial, this is easy to exploit.

Because this is a viewstate serialization issue, the toolkits to create the attack payload are easy to find (https://github.com/pwntester/ysoserial.net) and the POC is readily available: https://github.com/euphrat1ca/CVE-2020-0618

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Microsoft SQL Server 2012 for 32-bit Systems Service Pack 4 (QFE)
Microsoft SQL Server 2012 for x64-based Systems Service Pack 4 (QFE)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
exploit/windows/http/ssrs_navcorrector_viewstate
Reporter
Unknown

Vendors

  • microsoft

Products

  • sql server 2012,
  • sql server 2014,
  • sql server 2016

Exploited in the Wild

Reported by:
Technical Analysis