SharePoint CVE-2019-0604 RCE Exploitation
This vulnerability affects most versions of Microsoft SharePoint 2019, 2016, 2013 and 2010. Microsoft initially released a patch in February but then realized that the vulnerability still existed for some conditions and released another patch to finally mitigate the vulnerability.
At its core, this vulnerability is caused by uncontrolled deserialization of data that arrives from outside the application. An attacker can therefore inject an object under his/her control into the web application's code flow and achieve code execution.
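As an added illustration of the bug class described above (this is not SharePoint's code and not the author's exploit), the C# below contrasts a handler that lets the request choose which type is deserialized with one that only ever deserializes into a fixed, expected type; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Xml.Serialization;

// Hypothetical record type that the endpoint is actually meant to receive.
public sealed class IdRecord
{
    public string Id { get; set; }
    public string DisplayText { get; set; }
}

public static class DeserializationExamples
{
    // VULNERABLE PATTERN: the request supplies both the type name and the XML body,
    // so the server instantiates whatever loaded type the caller names. Populating
    // an attacker-chosen type can run code in its constructors or property setters.
    public static object DeserializeUntrustedType(string typeNameFromRequest, string xmlFromRequest)
    {
        Type t = Type.GetType(typeNameFromRequest, throwOnError: true);
        var serializer = new XmlSerializer(t);
        using (var reader = new StringReader(xmlFromRequest))
            return serializer.Deserialize(reader);
    }

    // HARDENED PATTERN: the target type is fixed at compile time. The request only
    // provides field values for IdRecord; it can never select the type to create.
    public static IdRecord DeserializeExpectedType(string xmlFromRequest)
    {
        var serializer = new XmlSerializer(typeof(IdRecord));
        using (var reader = new StringReader(xmlFromRequest))
            return (IdRecord)serializer.Deserialize(reader);
    }

    public static void Main()
    {
        // Constructed sample input: a benign document for the expected type.
        string xml = "<IdRecord><Id>42</Id><DisplayText>demo</DisplayText></IdRecord>";
        IdRecord record = DeserializeExpectedType(xml);
        Console.WriteLine($"{record.Id} {record.DisplayText}");
    }
}
```

In a review, the first pattern is the one to flag: any place where a type name, assembly-qualified or not, is read from the request and handed to a deserializer.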
Many details of this vulnerability (function stack trace, entry points, names of the vulnerable functions) were disclosed by the Zero Day Initiative in March, and that write-up is publicly accessible. There is also a basic PoC on GitHub that calls the SharePoint dynamic library directly to demonstrate the deserialization part of the vulnerability. To the best of our knowledge, no ready-to-use exploit code was publicly available at the time of this writing. The main reason for this post is that although this vulnerability is being exploited in the wild, vulnerability scanners and resources on the Internet still show it as not publicly disclosed or not exploitable: Tenable lists the vulnerability as not exploitable, SecurityFocus states there are no known exploits, Microsoft MSRC states the exploit is not publicly disclosed, and so on. However, it is possible to craft an exploit for this vulnerability by inspecting the vulnerable SharePoint library and using the detailed explanation by ZDI.
To demonstrate the effect of this vulnerability, I have developed a simple exploit. The exploitation can be seen below. Each time the exploit is run, it sends a request to the SharePoint server and a calculator process is spawned.
The privileges of the executed code depend on the account the SharePoint application runs as. In the example below, the crafted exploit is weaponized to carry a Cobalt Strike payload. You can see the spawned PowerShell process in the target system's Task Manager just before the beacon connection starts.
Since this vulnerability allows code execution via HTTP requests on SharePoint servers running most versions from 2010 to 2019, and since exploitation is relatively straightforward, it poses a high security risk.
If you have not done so already, you should apply the patch Microsoft released in March as soon as possible, starting with Internet-facing SharePoint servers.
10.05.2019 Edit: There is more information about this vulnerability being exploited in the wild: