SharePoint Exploitation Details and PoC Published Before Patch Release

In mid-July 2020, Microsoft found and addressed a critical Remote Code Execution (RCE) vulnerability in .NET Framework, Microsoft SharePoint, and Visual Studio. Shortly afterwards, exploitation details and a Proof-of-Concept (PoC) were published online, increasing the risk of exploitation of servers that are still unpatched.


Exploitation potential

In July, security expert Steven Seeley published technical details of the flaw, tracked as CVE-2020-1147, along with a PoC exploit that abuses SharePoint servers.
  • The vulnerability exists in two .NET components (DataSet and DataTable) because they do not check the source markup of XML file input.
  • An attacker can successfully exploit the vulnerability and run arbitrary code in the context of the process where deserialization of XML content occurs.
  • The vulnerability impacts SharePoint Enterprise Server 2016 and 2013 Service Pack 1, SharePoint Server 2019 and 2010 Service Pack 2, .NET Core 2.1, .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2 up to 4.8, Visual Studio 2017 version 15.9, and Visual Studio 2019 versions 16.0, 16.4 and 16.6.
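
As an added illustration (not from the original article, the researcher, or Microsoft): in DataSet/DataTable XML, a column's .NET type is named in the inline schema's msdata:DataType attribute, so a defensive pre-filter can list those declared types and flag any that fall outside an allowlist. The allowlist contents, function names and sample documents below are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace DataSet/DataTable schemas use for Microsoft-specific annotations.
MSDATA_NS = "urn:schemas-microsoft-com:xml-msdata"
DATATYPE_ATTR = f"{{{MSDATA_NS}}}DataType"

# Assumption: a short illustrative allowlist, not Microsoft's published list.
ALLOWED_TYPES = {"System.Guid", "System.TimeSpan", "System.DateTimeOffset", "System.Uri"}


def declared_types(xml_text):
    """Return [(column name, type name)] for every msdata:DataType attribute."""
    if "<!DOCTYPE" in xml_text:
        # Refuse DTDs outright so the filter itself never expands entities.
        raise ValueError("DOCTYPE not accepted in DataSet input")
    found = []
    for elem in ET.fromstring(xml_text).iter():
        value = elem.get(DATATYPE_ATTR)
        if value is not None:
            # Assembly-qualified form is "Namespace.Type, Assembly, ...".
            # Generic types keep their brackets here and so never match the allowlist.
            found.append((elem.get("name", "?"), value.split(",", 1)[0].strip()))
    return found


def disallowed_types(xml_text):
    """Declared column types that are not on the allowlist."""
    return [(col, t) for col, t in declared_types(xml_text) if t not in ALLOWED_TYPES]


# Constructed sample: a minimal DataSet document with one typed column.
SAMPLE_OK = """<DataSet>
  <xs:schema id="ds" xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
    <xs:element name="ds" msdata:IsDataSet="true">
      <xs:complexType><xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="t"><xs:complexType><xs:sequence>
          <xs:element name="id" msdata:DataType="System.Guid, mscorlib" type="xs:string"/>
        </xs:sequence></xs:complexType></xs:element>
      </xs:choice></xs:complexType>
    </xs:element>
  </xs:schema>
</DataSet>"""

# Constructed sample: same document, but the column names a placeholder type.
SAMPLE_BAD = SAMPLE_OK.replace("System.Guid, mscorlib",
                               "Example.Unexpected.Type, ExampleAssembly")

if __name__ == "__main__":
    print(disallowed_types(SAMPLE_OK))
    print(disallowed_types(SAMPLE_BAD))
```

A filter like this is a detection aid for XML that reaches DataSet or DataTable readers; it does not replace installing the patches.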


Recent attacks on SharePoint

Recently, several hackers were seen targeting other RCE vulnerabilities affecting Microsoft SharePoint, particularly CVE-2019-0604.
  • In June 2020, attackers exploited the vulnerability (CVE-2019-0604) to obtain privileges at Australian organizations using the Juicy Potato and RottenPotatoNG utilities.
  • In February 2020, threat actors exploited CVE-2019-0604 to install several web shells on the website of a Middle Eastern government organization.
  • In January 2020, it was found that hackers had managed to break into more than 40 United Nations servers in offices in Geneva and Vienna in July 2019 by exploiting the vulnerability (CVE-2019-0604).


The bottom line

The release of the PoC exploit could trigger a series of attacks against SharePoint servers. For this reason, administrators are advised to install the available patches as soon as possible. Microsoft has also published additional guidance related to the vulnerability.