Critical SharePoint Flaw Dissected, RCE Details Now Available
Details are now available for exploiting a critical security vulnerability that affects Microsoft SharePoint, increasing the risk of attacks on unpatched systems.
A technical blog post this week explains how the bug works and how a low-privileged user can leverage it to run arbitrary code remotely on a target SharePoint server.
Hurry up and patch
The flaw received the tracking number CVE-2020-1147 (severity score 9.8 out of 10) and also impacts .NET Framework and Visual Studio. Microsoft released a fix in this month’s rollout of security updates.
Security researcher Steven Seeley provides a complete root cause analysis of the issue and how it can be exploited to achieve remote code execution on a vulnerable SharePoint server.
At its core, the bug is a failure to validate the source markup of XML input before deserializing it, which lets an attacker run code of their choice in the context of the process that deserializes the XML content.
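To make the bug class concrete, here is an added illustration that is not code from the article or from Seeley’s analysis: a small Python model in which a loader lets the document’s own markup decide which type gets instantiated, placed beside a checked loader that only builds the record types the application expects. It models the general pattern rather than .NET’s XML deserializer; all class names, the `type` attribute, and the XML samples are constructed for this example.

```python
# Added example (not from the article or from Seeley's write-up): a model of
# input-controlled XML deserialization and its allow-listed counterpart.
# Every class name, attribute and sample document here is constructed.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, fields
from typing import Any, Dict, List


@dataclass
class Customer:          # a record type the application expects to load
    name: str
    email: str


@dataclass
class Order:             # another expected record type
    order_id: int
    total: float


# A type that happens to be in scope but must never be built from untrusted
# input. Its constructor has a side effect; the list records that it ran.
SIDE_EFFECTS: List[str] = []


@dataclass
class TaskRunner:
    command: str

    def __post_init__(self) -> None:
        SIDE_EFFECTS.append(self.command)   # stands in for an unwanted action


def _build(cls: type, root: ET.Element) -> Any:
    """Fill a dataclass from child elements, converting by field annotation.
    Elements that the type does not declare are rejected."""
    spec = {f.name: f.type for f in fields(cls)}
    values: Dict[str, Any] = {}
    for child in root:
        if child.tag not in spec:
            raise ValueError(f"unexpected element <{child.tag}>")
        values[child.tag] = spec[child.tag](child.text or "")
    return cls(**values)


def load_unchecked(xml_text: str) -> Any:
    """Vulnerable pattern: the input's own 'type' attribute chooses what gets
    instantiated, resolved against everything in module scope. This stands in
    for resolving a type name supplied by the payload's markup."""
    root = ET.fromstring(xml_text)
    cls = globals()[root.attrib["type"]]
    return _build(cls, root)


# Hardened pattern: the application, not the document, decides which types
# may be produced by deserialization.
ALLOWED_TYPES: Dict[str, type] = {"Customer": Customer, "Order": Order}


class RejectedInput(ValueError):
    pass


def load_checked(xml_text: str) -> Any:
    root = ET.fromstring(xml_text)
    name = root.attrib.get("type", "")
    cls = ALLOWED_TYPES.get(name)
    if cls is None:
        raise RejectedInput(f"type {name!r} is not an expected record type")
    return _build(cls, root)


def is_rejected(xml_text: str) -> bool:
    """True when the checked loader refuses the document."""
    try:
        load_checked(xml_text)
    except ValueError:
        return True
    return False


# Constructed sample documents.
CUSTOMER_XML = ('<record type="Customer"><name>Ada</name>'
                '<email>ada@example.com</email></record>')
ORDER_XML = '<record type="Order"><order_id>7</order_id><total>3.5</total></record>'
# Same envelope, but the markup names a type the application never intended
# to expose to input.
HOSTILE_XML = '<record type="TaskRunner"><command>do-something</command></record>'

if __name__ == "__main__":
    print(load_unchecked(CUSTOMER_XML))
    load_unchecked(HOSTILE_XML)
    print("unchecked loader ran the side effect:", SIDE_EFFECTS)
    print(load_checked(ORDER_XML))
    print("checked loader rejects the hostile document:", is_rejected(HOSTILE_XML))
```

The point of the comparison is that both loaders parse the same well-formed XML; the difference is whether the set of constructible types is fixed by the application or read from the document. Patching is the fix for the real bug, but the same allow-list discipline applies to any deserializer whose input can carry type information.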
On his site, Seeley walks through the steps needed to build the code that makes a system command run, and through how the controls that accept such input can be abused to trigger it remotely.
Seeley’s analysis is intended to help “understand the underlying technology.” It could be used to build a fully working attack script, but it does not itself provide a ready-made exploit.
Nevertheless, organizations should prioritize applying the patch. Microsoft’s exploitability assessment rates CVE-2020-1147 as an attractive target for threat actors, who could leverage it consistently.
“Microsoft rate this bug with an exploitability index rating of 1 and we agree, meaning you should patch this immediately if you haven’t. It is highly likely that this gadget chain can be used against several applications built with .NET so even if you don’t have a SharePoint Server installed, you are still impacted by this bug.” – Steven Seeley
Ben Hawkes, leader of Google’s Project Zero security research team, argues that this issue is a greater risk than the more publicized Windows DNS wormable vulnerability.
“Empirically deserialization RCEs are way more likely to see malicious exploitation compared to memory corruption bugs that weren’t exploited in the wild prior to patch” – Ben Hawkes, Google Project Zero Team Lead
Microsoft credits Oleksandr Mirosh from Micro Focus Fortify, Jonathan Birch of Microsoft Office Security Team, and Markus Wulftange for discovering CVE-2020-1147. They found and reported the vulnerability independently.