Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-16952)

On Oct 14th, 2020, Microsoft issued a security advisory addressing CVE-2020-16952, a Remote Code Execution vulnerability in Microsoft SharePoint Servers with a CVSS score of 7.3 and severity marked as Critical.

Vulnerability Details:

Security researcher Steven Seeley (mr_me) of the Qihoo 360 Vulcan Team discovered and reported the Authenticated Remote Code Execution vulnerability (CVE-2020-16952). This vulnerability is caused due to lack of proper validation in the source markup of an application package.

The flaw was reported in the DataFormWebPart class due to lack of proper validation of user-supplied input. Exploitation of this vulnerability requires an attacker to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. Successful exploitation of this vulnerability allows attackers to run arbitrary code in context of the SharePoint application pool and SharePoint server farm account.

Recently, Steven Seeley published a proof-of-concept (PoC) exploit for CVE-2020-16952. A Metasploit module will also be released soon. According to experts, SharePoint servers are widely used in enterprise environments, and hence, these vulnerabilities are considered dangerous for an organization. NCSC has also urged organizations to patch CVE-2020-16952 as soon as possible.

Affected Products:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2019

Exploitation:

According to the PoC shared, here are some pre-requisites for the exploit to work:

AddAndCustomizePages permission must be enabled.
• Compile and store ysoserial.net in the same folder of PoC.

You can check SharePoint versions from the below request (Authentication required)

PUT /poc.aspx HTTP/1.1
Host: [target]
Content-Length: 67

<asp:Literal runat="server" Text="<%$SPTokens:{ProductNumber}%>" />

The target https://[target]/poc.aspx should return the Sharepoint version.

Run the exploit in this format: "./poc.py <SPSite> <user:pass> <cmd>"
@DESKTOP-H4JDQCB:~$ ./poc.py win-3t816hj84n4 ha****@pw*.me:user123### notepad

(+) leaked validation key: 55AAE0A8E646746523FA5EE0675232BE39990CDAC3AE2B0772E32D71C05929D8
(+) triggering rce, running 'cmd /c notepad'
(+) done! rce achieved

Remediation:

Microsoft has released an official advisory mentioning the patches for the affected products. Customers are recommended to install the available patches as soon as possible.

Detection:

Qualys customers can scan their network with QID 110363 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.

References and Sources:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
https://srcincite.io/advisories/src-2020-0022/
https://srcincite.io/pocs/cve-2020-16952.py.txt

Leave a Reply

Your email address will not be published. Required fields are marked *