Details and PoC for critical SharePoint RCE flaw released

Last week, a “wormable” remote code execution flaw in the Windows DNS Server service (CVE-2020-1350) temporarily overshadowed all the other flaws patched by Microsoft on July 2020 Patch Tuesday, but CVE-2020-1147, a RCE affecting Microsoft SharePoint, was also singled out as critical and requiring a speedy fix.

CVE-2020-1147

Implementing the offered security updates has since become even more urgent, as more exploitation details and a PoC have been released on Monday.

About CVE-2020-1147

CVE-2020-1147 is found in two .NET components (DataSet and DataTable) used to manage data sets, and affects Microsoft SharePoint, .NET Framework, and Visual Studio.

The vulnerability is triggered when the software fails to check the source markup of XML file input.

“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server utilizing an affected product to process content,” Microsoft explained, and provided security updates for:

  • .NET Core
  • .NET Framework
  • SharePoint Enterprise Server (2013 and 2016)
  • SharePoint Server (2010 and 2019)
  • Visual Studio (2017 and 2019).

“Full protection requires the installation of the .NET Framework update as well as updates for any additional affected products mentioned in this article,” the company stressed.

The vulnerability was reported by Oleksandr Mirosh from Micro Focus Fortify, Jonathan Birch of Microsoft Office Security Team, and Markus Wulftange of Code White GmbH.

Exploitation potential

Information security specialist and prolific bug hunter Steven Seeley decided to probe how the vulnerability might be exploited and recently shared how it can be leveraged against a SharePoint Server instance to achieve RCE as a low privileged user. He also provided a PoC.

“Microsoft rate this bug with an exploitability index rating of 1 and we agree, meaning you should patch this immediately if you haven’t. It is highly likley that this gadget chain can be used against several applications built with .net so even if you don’t have a SharePoint Server installed, you are still impacted by this bug,” he noted.

The call for immediate patching has been echoed by other security researchers:

Vulnerabilities in Microsoft SharePoint, a web-based collaborative platform that integrates with Microsoft Office and usually houses a lot of sensitive data, have lately been an attractive target for hackers.

Hackers are compromising vulnerable ManageEngine Desktop Central instances

Is your organization using ManageEngine Desktop Central? If the answer is yes, make sure you’ve upgraded to version 10.0.474 or risk falling prey to attackers who are actively exploiting a recently disclosed RCE flaw (CVE-2020-10189) in its software.

About ManageEngine Desktop Central

ManageEngine Desktop Central is developed by ManageEngine, a division of Zoho Corporation, an software development company that focuses on web-based business tools and information technology.

Desktop Central is a unified endpoint management solution that helps companies, including managed service providers (MSPs), to centrally control servers, laptops, smartphones, and tablets.

About the vulnerability (CVE-2020-10189)

CVE-2020-10189 allows for deserialization of untrusted data and allows unauthenticated, remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central and achieve SYSTEM/root privileges.

This would allow them to install malicious programs or push malicious updates onto the managed devices, lock them, and so on.

The vulnerability affects Desktop Central versions prior to 10.0.474 and was unearthed by Steven Seeley of Source Incite, who revealed its existence publicly last week through a tweet and security advisory that also links to PoC exploit code.

At the time, the vulnerability was a zero-day (unknown to and unaddressed by the vendor), since Seeley didn’t share his findings with Zoho/ManageEngine prior to the advisory’s publication – ostensibly because “Zoho typically ignores researchers.”

A day later ManageEngine issued a security update (v10.0.479) to correct the flaw and offered mitigation advice.

The danger

Nate Warfield, senior security program manager at Microsoft, used the Shodan search engine to find some 2,300 publicly accessible Desktop Central instances.

But even instances that aren’t exposed externally can be exploited by attackers who have achieved access to the target organization’s through another security hole, allowing them to broaden their presence.

Finally, since the solution is often used by managed service providers (MSPs), compromised Desktop Central instances could result in the simultaneous compromise of many client organizations’ endpoints and, through them, networks.

Organizations who use ManageEngine Desktop Central should upgrade to a safe version as soon as possible.