2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
In this issue, the editor shows how to reproduce the SharePoint 2019 XSS vulnerability CVE-2020-1456. The article is rich in content and analyzes the issue from a professional point of view. I hope you get something out of it.
Foreword
We will analyze a security vulnerability in SharePoint 2019. Although it is not a typical JavaScript XSS, Microsoft classifies it as an XSS vulnerability.
The user profile options of an on-premises SharePoint 2019 server allow authenticated users to upload profile pictures, and the path of the uploaded image can be changed in the request sent by the save dialog. Any link can be inserted there, which affects every user who views a page containing that profile picture. Because user profile images appear in many places in SharePoint, this enables a variety of attack scenarios, such as DoS, user tracking and attack relay. The vulnerability is classified as cross-site scripting (XSS) and has been assigned CVE-2020-1456.
Environment configuration
Windows Server
Windows Server 2019 Evaluation
Version: 1809
OS build: 17763.379
Windows update: 09 12:13PM
Add Active Directory Domain Services
SQL Server
Install MS SQL Server 2017 Evaluation Edition
Installation type: basic installation
Installer version: 14.1805.40.72.1
Database version: 14.0.1000.169
Install Microsoft SQL Server Management Studio Release 18.2
SharePoint 2019
SharePoint Server 2019 (installation version 16.0.10337.12109)
Use Passmark OSFMount (v3.0.1005.0) to save the IMG file as an ISO
Install SharePoint in Single-Server mode
Add a User Profile Service application
Vulnerability rating
Vulnerability category: user-supplied input is not validated correctly and effectively.
CVSS 2: 6.5 (medium risk)
CVSS 3.1: 6.5 (medium risk)
Detailed description of vulnerability reproduction
While testing a SharePoint application, I also partially tested SharePoint itself. In a SharePoint setup with user profiles enabled, each user can upload a personal profile picture. After uploading, the picture can be previewed in the user profile and then accepted, which permanently saves the change together with all other profile entries.
When the changes are saved, SharePoint sends a POST request and then shows the user the updated profile:
http://192.168.0.151/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed-70db-4158-a332-4dfd683b4148&ReturnUrl=http%3a%2f%2f192.168.0.151%2fPerson.aspx%3faccountname%3d%3Cspan%20style=%22background-color:%20#fcbd00%22%3Epoint%3C/span%3E%255C%3Cspan%20style=%22background-color:%20#fcbd00%22%3Eshareuser%3C/span%3E&changephoto=1
The request also contains the following parameter:
ctl00$PlaceHolderMain$ProfileEditorEditPictureURL
This parameter stores the path of the uploaded user profile image as a URL-encoded URL.
URL-encoded parameter and value:
ctl00%24PlaceHolderMain%24ProfileEditorEditPictureURL=http%3A%2F%2F192.168.0.151%3A80%2FUser%2520Photos%2FProfilbilder%2Fpoint_shareuser_Mthumb.jpg
Decoded parameter and value:
ctl00$PlaceHolderMain$ProfileEditorEditPictureURL=http://192.168.0.151:80/User%20Photos/Profilbilder/point_shareuser_Mthumb.jpg
We can intercept the POST request and change the parameter value to "http://123.itsec.de/random.png". Because the server accepts the user-provided value without validation, an arbitrary URL is embedded in the profile in place of the locally stored image.
The modified parameter and value:
ctl00$PlaceHolderMain$ProfileEditorEditPictureURL=http://123.itsec.de/random.png
The inserted URL is now embedded in the profile. In this test, the link served a "picture file" of 1GB, and the browser can be seen requesting that "picture file".
The embedded link can be identified directly in the page's HTML source by inspecting the src attribute of the img tag.
Whenever a user visits a profile page that displays this user image, the browser loads the embedded link in the background. This allows an attacker to track the target user, generate a large amount of network traffic, or make the target's browser issue requests of the attacker's choosing.
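As an added example (not code from the original write-up), the following Python check extracts the picture-URL field from a captured EditProfile.aspx POST body and rejects any value that does not point into the profile photo library on the SharePoint host, which is the validation the server is missing here. The trusted host and library prefix are assumptions taken from the lab values above, and the two request bodies are constructed from the encoded values quoted in the article.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit, unquote

# Form field carrying the profile picture path in the EditProfile.aspx POST
PICTURE_PARAM = "ctl00$PlaceHolderMain$ProfileEditorEditPictureURL"
# Assumed lab values: the SharePoint host from the write-up and the photo library path
TRUSTED_HOST = "192.168.0.151"
PHOTO_LIBRARY_PREFIX = "/User Photos/"

# Constructed request bodies modelled on the write-up's encoded parameter values
ORIGINAL_BODY = (
    "ctl00%24PlaceHolderMain%24ProfileEditorEditPictureURL="
    "http%3A%2F%2F192.168.0.151%3A80%2FUser%2520Photos%2FProfilbilder%2Fpoint_shareuser_Mthumb.jpg"
)
MODIFIED_BODY = (
    "ctl00%24PlaceHolderMain%24ProfileEditorEditPictureURL="
    "http%3A%2F%2F123.itsec.de%2Frandom.png"
)

def extract_picture_url(post_body: str) -> Optional[str]:
    """Decode the form body and return the picture URL, or None if the field is absent."""
    values = parse_qs(post_body, keep_blank_values=True).get(PICTURE_PARAM)
    return values[0] if values else None

def classify_picture_url(url: str) -> str:
    """Return 'ok' only for an http(s) URL on the trusted host inside the photo library."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "rejected: scheme"
    # hostname strips userinfo and port, so "trusted@evil" forms are compared on the real host
    if parts.hostname != TRUSTED_HOST:
        return "rejected: external host " + (parts.hostname or "")
    if parts.port not in (None, 80, 443):
        return "rejected: port"
    # After form decoding the path is still percent-encoded ("User%20Photos"), so decode once more
    if not unquote(parts.path).startswith(PHOTO_LIBRARY_PREFIX):
        return "rejected: outside photo library"
    return "ok"

def check_body(post_body: str) -> str:
    """Classify the picture URL carried by a captured POST body."""
    url = extract_picture_url(post_body)
    return classify_picture_url(url) if url is not None else "rejected: parameter missing"

if __name__ == "__main__":
    for body in (ORIGINAL_BODY, MODIFIED_BODY):
        print(extract_picture_url(body), "->", check_body(body))
```

The same check can be run over saved proxy traffic or web server logs to find profiles whose picture URL already points off-host.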
The above is the editor's walkthrough of how to reproduce the SharePoint 2019 XSS vulnerability CVE-2020-1456. If you have similar questions, you may refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.