OpenSecurity.global
Robbie Wiggins

CVE-2019-0604 SharePoint unauthenticated RCE redux


Anyone got a way to fingerprint a vuln site? Loads error out when hitting the right endpoint, and one or two are blank.

 


Sorry, something went wrong
Could not load type 'Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog' from assembly 'Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'.
Technical Details

Any one able to confirm?

 

Endpoint to hit should be 

/_layouts/15/picker.aspx?PickerDialogType=Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog

 

Edited by Robbie Wiggins


So I saw some exploitation of this in the wild yesterday, looks like:


GET /_layouts/15/Picker.aspx - 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 359
GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 312
POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 84.16.244.47 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 1312
GET /_layouts/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 302 0 0 46
GET /_layouts/15/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 374
GET /_layouts/15/Picker.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 31
GET /_layouts/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 302 0 0 281
GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 421
GET /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 578
POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 468
GET /_layouts/15/downloadexternaldata.aspx - 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 10578
POST /_layouts/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 200 0 0 8984
GET /_layouts/15/downloadexternaldata.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 93
POST /_layouts/15/downloadexternaldata.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c 80 - 82.102.21.249 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:70.0)+Gecko/20100101+Firefox/70.0 - 401 0 0 124

Obviously the POST statements aren't there.

Triggers code execution like this:

[image: screenshot of the resulting code execution; not embedded]

Edited by Kevin Beaumont
image didn't embed

