2025-01-22 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to understand the Microsoft SharePoint remote code execution vulnerability CVE-2020-16952.
I. Vulnerability Summary
On October 14, 2020, Beijing time, Microsoft MSRC issued an advisory for CVE-2020-16952, a remote code execution vulnerability in Microsoft SharePoint Server, and the detailed exploitation process of the vulnerability was made public on the same day. The security research team assesses vulnerabilities based on their importance and impact and issues vulnerability announcements.
Vulnerability name: Microsoft SharePoint remote code execution vulnerability CVE-2020-16952
Threat level: High risk
Scope of influence: Microsoft SharePoint Foundation 2013 Service Pack 1; Microsoft SharePoint Enterprise Server 2016; Microsoft SharePoint Server 2019
Vulnerability type: Remote code execution vulnerability
Exploitation difficulty: General
II. Vulnerability Analysis
2.1 Introduction of related components
SharePoint Server is an enterprise portal server developed by Microsoft. It lets project teams and departments work together and share files, data, information, and resources. The front end is an ASP.NET website running on Internet Information Services 6.0. The back end uses SQL Server or MSDE to store data.
2.2 Vulnerability analysis
2.2.1 General process of vulnerability exploitation
First, the poc.aspx file used to disclose information is uploaded with a PUT request, and then the ValidationKey (the key configured for the ASP.NET application in web.config) is leaked through a specific request. When ViewState MAC validation is turned on in .NET, a ViewState is accepted only if it is authenticated with the ValidationKey. Finally, a command can be executed by sending a specific request built with the leaked ValidationKey.
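The first two steps of this flow leave a trace in the IIS request log: a successful PUT that creates an .aspx page, followed by a request that executes it. The following is an added detection example, not code from the original article; the log lines are constructed, and the reduced `#Fields` column set is an assumption about how logging is configured.

```python
# Constructed IIS W3C log sample (reduced field set, invented hosts and users).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2020-10-15 08:01:12 GET /SitePages/Home.aspx alice 10.0.0.21 200
2020-10-15 08:03:40 PUT /Shared+Documents/report.docx alice 10.0.0.21 201
2020-10-15 08:07:02 PUT /poc.aspx bob 10.0.0.57 201
2020-10-15 08:07:05 GET /poc.aspx bob 10.0.0.57 200
2020-10-15 08:09:30 PUT /blocked.aspx carol 10.0.0.33 403
2020-10-15 08:09:31 GET /blocked.aspx carol 10.0.0.33 404
"""


def parse_w3c(text):
    """Yield one dict per request, named by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_put_then_request(text, extensions=(".aspx",)):
    """Flag server-side pages that were created by PUT and later served."""
    uploads = {}   # lower-cased path -> the PUT record that created it
    findings = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        succeeded = rec["sc-status"].startswith("2")
        if rec["cs-method"] == "PUT":
            # Only successful uploads of executable page types are of interest.
            if succeeded and path.endswith(extensions):
                uploads[path] = rec
        elif succeeded and path in uploads:
            put = uploads[path]
            findings.append({
                "path": path,
                "uploaded_by": put["c-ip"],
                "upload_user": put["cs-username"],
                "uploaded_at": f'{put["date"]} {put["time"]}',
                "requested_by": rec["c-ip"],
                "requested_at": f'{rec["date"]} {rec["time"]}',
            })
    return findings


if __name__ == "__main__":
    for hit in find_put_then_request(SAMPLE_LOG):
        print(hit)
```
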
2.2.2 Causes of the vulnerability
Decompiling the Microsoft.SharePoint.WebPartPages.DataFormWebPart code, you can observe the CreateChildControls function. The following code in the function is the logic for handling EnsureDataBound:
This code performs data binding and accesses data from the data source. The data returned must be valid XML so that it can be processed by XSLT carefully crafted by an attacker.
Next, the code at DataFormWebPart.RunatChecker.IsMatch checks the XML for instances of `runat=server`.
Later, in the following code, due to the incorrect call to `VerifyControlOnSafeList`, the user can populate _partContent with valid XML:
It is then parsed through ParseControl:
It is then added to the page with the following code:
The above is the processing logic of the entire vulnerable code, which can be executed through a deserialization tool:
The following technical concept is used by this vulnerability:
ViewState: .NET Web applications use ViewState to maintain page state and persist data in Web forms. The ViewState parameter is a base64-encoded serialized parameter and is usually sent in a POST request through a hidden parameter called __VIEWSTATE. This parameter is deserialized on the server side to retrieve the data.
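Why disclosure of the ValidationKey matters, shown as an added example that is not code from the original article: a simplified model of a MAC-protected state field in which the server deserializes only after the MAC verifies. The HMAC-SHA256 layout, the function names and the key are assumptions for illustration and are not ASP.NET's exact wire format.

```python
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to the state


def protect(state: bytes, validation_key: bytes) -> str:
    """Server side: append a MAC to the serialized state and base64-encode it."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def unprotect(field: str, validation_key: bytes) -> bytes:
    """Return the state only if its MAC verifies; deserialization comes after."""
    raw = base64.b64decode(field, validate=True)
    if len(raw) <= MAC_LEN:
        raise ValueError("field too short to carry a MAC")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC validation failed")
    return state


def is_accepted(field: str, validation_key: bytes) -> bool:
    """True when the server would go on to deserialize this field."""
    try:
        unprotect(field, validation_key)
        return True
    except ValueError:
        return False


def flip_first_byte(field: str) -> str:
    """Simulate tampering in transit by changing one byte of the state."""
    raw = bytearray(base64.b64decode(field))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    server_key = b"constructed-validation-key"  # constructed sample value
    field = protect(b"page-state", server_key)
    print("issued by server :", is_accepted(field, server_key))
    print("tampered         :", is_accepted(flip_first_byte(field), server_key))
    # The MAC proves knowledge of the key, nothing more: state produced by any
    # holder of the same key is indistinguishable from server-issued state.
    print("same key, other  :", is_accepted(protect(b"other", server_key), server_key))
    print("different key    :", is_accepted(protect(b"other", b"guess"), server_key))
```
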
2.3 Vulnerability reproduction
Set up a Microsoft SharePoint Enterprise Server 2016 environment and send carefully constructed data to the server running Microsoft SharePoint Enterprise Server 2016. The calculator process is started in the background, and the effect is as follows.
III. Scope of influence
Affected version:
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Server 2019
IV. Solution
The vendor has fixed this vulnerability in the latest version. Please apply the security patch promptly. Download link:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16952