A remote code execution vulnerability exists in Microsoft SharePoint. This vulnerability, tracked as CVE-2019-0604, was reported by Markus Wulftange and rated critical. However, no exploits had been seen at the time of release.
Now a number of organizations have reported active exploitation of this vulnerability in Canada and the Middle East, where the initial infection was achieved using a China Chopper web shell. AlienLabs found malware samples (https://pastebin.com/bUFPhucz) that could be an earlier version of the malware, which is capable of executing commands and uploading or downloading files. Reports indicate that this malware is linked to the FIN7 group.
Microsoft explains that this vulnerability exists because the software fails to check the source markup of an application package, which allows an attacker to execute arbitrary code on the affected machine. For exploitation to succeed, however, a user must upload a specially crafted SharePoint application package.
Markus explained in a detailed blog post that this vulnerability can be exploited using the EntityInstanceIdEncoder type from Microsoft.SharePoint.Portal.dll via Picker.aspx.
The products affected by this vulnerability are:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2010 Service Pack 2
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server 2010 Service Pack 2
- Microsoft SharePoint Server 2013 Service Pack 1
- Microsoft SharePoint Server 2019
An attacker can run arbitrary code in the context of the affected application.
Please refer to this KB article.