In the month of February,2020, among MSPT, Microsoft SQL Server Reporting Services had to deal with a remote code execution vulnerability. This happens as it incorrectly handles page requests. The SSRS web application allowed low privileged user accounts to run code on the server by exploiting a deserialization issue.
As a initial part of this vulnerability, an attacker would have to log onto an affected system and send a crafted POST request
An authenticated attacker would need to submit a request as shown above to an affected Reporting Services instance. ReportingServicesWebServer.dll is the vulnerable component. It was possible to trigger this functionality by calling the /ReportServer/pages/ReportViewer.aspx page in an On-Premise a SharePoint server for example.
At Qualys Labs, we’ve tried to recreate the issue reported for CVE-2020-0618. The exploitation can be understood as follows:
Once the HTTP POST request is performed , using ysoserial.exe and Powershell on Windows OS the exploitation can be performed.
Image Source: MDSec
Micorsoft SQL Server 2012
Micorsoft SQL Server 2014
Microsoft has released the following security updates to address this issue:
The patch simply enabled the MAC validation when using the LosFormatter class:
LosFormatter losFormatter = new LosFormatter(true, this.m_viewer.GetUserId());
Qualys customers can scan their network with QID(s)# 91604 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources: