CVE-2020-1181: SharePoint Remote Code Execution Through Web Parts



News category: Hacking
Source: thezdi.com

Last week, Microsoft released a patch to correct CVE-2020-1181 – a remote code execution bug in the supported versions of Microsoft SharePoint Server. This bug was reported to the ZDI program by an anonymous researcher and is also known as ZDI-20-694. This blog takes a deeper look at the root cause of this vulnerability.

Before this patch was made available, SharePoint Server allowed an authenticated user to execute arbitrary .NET code on the server in the context and permissions of the service account of the SharePoint Web Application. For an attack to succeed, the attacker needs Add and Customize Pages permissions on the SharePoint site. However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions.

High-Level Description of The Vulnerability

Microsoft SharePoint Server allows users to create web pages, but to prevent abuse, it places strict limits on what components can appear on those pages. The SharePoint server treats its "own" pages and user-defined pages in different ways. SharePoint's "own" pages are stored on the file system and are excluded from all restrictions. User pages are stored in a database and are subject to restrictions. Some of these restrictions include the inability to use code blocks or include files from the file system. They typically can use only allowed web controls from a predefined list.

If a user creates a new page via upload, it will be restricted as usual. However, if the new page is instead created by going through the SharePoint web editor, it will be considered as "ghosted" and will be treated as a trusted source. This makes sense, because the SharePoint web editor places restrictions on what components can be added to a page, so the page can be run safely in unrestricted mode.

The vulnerability occurs because one type of Web Part permitted by the editor is a type called WikiContentWebpart, and this Web Part allows inclusion of arbitrary ASP.NET markup. This provides a route for an attacker to have arbitrary ASP.NET markup run in unrestricted mode, leading to remote code execution.

Examining the Vulnerable Code

SharePoint uses SPPageParserFilter to block all dangerous content. Let's review how SPPageParserFilter is initialized:

If we created our page by using the SharePoint Web Editor, it will have IsGhosted = true and _isAppWeb will be set to false. Note that there is an additional check to ensure there is no dependency file with a lower trust level:

However, we have not added any such file, so we should be good here and pass this check. As a result, GetEffectivePageParserSettings() will return PageParserSettings.GhostedPageDefaultSettings:

As a result, our page will have compilationmode=Always, allowServerSideScript=true and allowUnsafeControls=true. Now let's take a closer look at WikiContentWebpart:

This means content from its parameters (Directive and Content) will be parsed by ParseControl(text2, false). The second parameter (false) will force the use of PageParserFilter, but it will be used with PageParserSettings.GhostedPageDefaultSettings.

Because the ParseControl() method never causes compilation, we cannot specify .NET code directly. However, we can use dangerous controls from within SharePoint to invoke arbitrary methods and get code execution. Here's an example of a configuration of WikiContentWebpart that will run an arbitrary OS command:

Proof-of-Concept

For our demonstration, we used a Microsoft SharePoint 2019 Server with all default options installed on a Windows Server 2019 Datacenter edition system. We assigned it the name sp2019.contoso.lab and made it a member of the contoso.lab domain. Our domain controller is on a separate virtual machine. Our target machine had all available patches installed as of February 2020, which puts it at version 16.0.10355.20000.

Our attacker system simply needs any supported web browser. For this walkthrough, we're using Mozilla Firefox 69.0.3. We'll also use a custom WikiContentWebpart similar to the example above. We have named ours WikiContentRCE.xml.

Let's visit our SharePoint Server and authenticate as a regular user. In this example, it is user2.

Let's create a site so that we will be the owner and have full permissions.

Click on "SharePoint" on the top panel.

Click on the "+ Create site" link.

Choose Team Site. Now we need to pick a name for the new site. In this example, it is testsiteofuser2.

Click "Finish" and the new site will be created.

Now let's click on the "Pages" link.

We need to switch to Classic View. To do this, just click on the "Return to classic SharePoint" link on the bottom left corner.

Click on "+ New" and choose any name for our new page. In this example, we called it newpage1.

Click on the Create button to confirm.

Now we need to choose Web Part on the INSERT tab.

In the dialog window, select the "Upload Web Part" link on the bottom left corner and upload the crafted WikiContentRCE.xml file.

Click Upload. You may receive a pop-up warning stating, "This page is asking you to confirm that you want to leave - data you have entered may not be saved." Just confirm by clicking on the "Leave Page" button. We then return to the main editing view.

We need to choose the Web Part widget on the INSERT tab again. It will have our imported crafted Web Part.

Before we click on the Add button, let's go to the target SharePoint server and open the C:\windows\temp folder.

Notice there is no RCE_PoC.txt file.

Now let's go back to the attacker machine and add our imported Web Part to the page.

Let's check the C:\windows\temp folder on our target server again.

In this way, our attacker can execute any OS command and compromise the server. They just need to replace the echo pwned > c:/windows/temp/RCE_PoC.txt string in the WikiContentRCE.xml file with their desired command.
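A defender-side triage check for the upload step in this walkthrough, added here as an example (it is not code from the original post or from Microsoft): it flags Web Part definition files that declare WikiContentWebpart and carry server-side ASP.NET markup in the Directive or Content properties named above. The two XML layouts it accepts, the namespace-qualified type name in the sample, and the function names are assumptions; the sample input is constructed and harmless.

```python
import re
import xml.etree.ElementTree as ET

# Properties the article says WikiContentWebpart hands to ParseControl().
PARSED_PROPS = {"directive", "content"}
# Server-side ASP.NET markup: <%...%> blocks/directives and runat="server" controls.
SERVER_MARKUP = re.compile(r'<%|runat\s*=\s*["\']?server', re.IGNORECASE)

def local(tag):
    """Drop the XML namespace: '{ns}Content' -> 'content'."""
    return tag.rsplit("}", 1)[-1].lower()

def scan_webpart(xml_text):
    """Return a list of (kind, detail) findings for one Web Part definition."""
    if "<!doctype" in xml_text.lower():
        # A Web Part file needs no DTD; refuse it rather than expand entities.
        return [("rejected", "DOCTYPE present")]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    nodes = list(root.iter())
    # The type may sit in element text (<TypeName>) or in an attribute (<type name=...>).
    if not any("wikicontentwebpart" in " ".join([n.text or "", *n.attrib.values()]).lower()
               for n in nodes):
        return []
    findings = [("type", "WikiContentWebpart")]
    for n in nodes:
        # Assumed layouts: <Content>...</Content> or <property name="Content">...</property>
        is_prop = local(n.tag) == "property"
        name = n.attrib.get("name", "").lower() if is_prop else local(n.tag)
        text = (n.text or "").strip()
        if name in PARSED_PROPS and SERVER_MARKUP.search(text):
            findings.append((name, text[:60]))
    return findings

# Constructed samples (harmless label control; not the article's WikiContentRCE.xml).
FLAGGED = """<WebPart xmlns="http://schemas.microsoft.com/WebPart/v2">
  <TypeName>Microsoft.SharePoint.WebPartPages.WikiContentWebpart</TypeName>
  <Content><![CDATA[<asp:Label runat="server" Text="constructed" />]]></Content>
</WebPart>"""
PLAIN = FLAGGED.replace('<asp:Label runat="server" Text="constructed" />', "<p>hi</p>")

if __name__ == "__main__":
    for label, doc in (("flagged", FLAGGED), ("plain", PLAIN)):
        print(label, scan_webpart(doc))
```

A file that returns only the type finding still declares WikiContentWebpart and is worth a manual look on servers that have not received the CVE-2020-1181 patch.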

Conclusion

In their patch documentation, Microsoft gave this vulnerability an Exploit Index (XI) rating of 2, which means they felt exploitation of this bug is unlikely. However, as demonstrated in our proof of concept section, the exploitation of this bug is quite straightforward for any authenticated user. Because of this, we recommend treating it as an XI of 1, which indicates exploitation is likely. According to Microsoft, they addressed this bug by "correcting how Microsoft SharePoint Server handles processing of created content." That does seem like a reasonable path to take in this instance. SharePoint continues to be an attractive target for researchers and attackers alike, and several SharePoint-related disclosures are currently in our Upcoming queue. Stay tuned to this blog for details about those bugs once they are disclosed.

Until then, follow the team for the latest in exploit techniques and security patches.
