A remote code execution vulnerability exists in Microsoft SharePoint. This vulnerability, tracked as CVE-2019-0604, was reported by Markus Wulftange. It was rated critical and can be mitigated using a patch management tool. However, no exploits were known at the time of release.
Now, a number of organizations have reported active exploitation of this remote code execution vulnerability in Canada and the Middle East, where the initial infection is achieved using a China Chopper web shell. AlienLabs found malware samples (https://pastebin.com/bUFPhucz) that could be an earlier version of the malware, which is capable of executing commands and also uploading or downloading files. Reports indicate that this malware is linked to the FIN7 group. However, a patch management solution can patch the vulnerabilities.
Microsoft explains that this vulnerability exists because the software fails to check the source markup of an application package, which allows an attacker to execute arbitrary code on the affected machine. Successful exploitation also requires that a user upload a specially crafted SharePoint application package.
Markus explained in a detailed blog post that this vulnerability can be exploited using the EntityInstanceIdEncoder type from Microsoft.SharePoint.Portal.dll together with Picker.aspx.
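As a defender-side illustration added here (not code from the original post or from Markus Wulftange's write-up), the Python script below triages IIS W3C logs for the two indicators the post names: POST requests to Picker.aspx, which are normal SharePoint traffic on their own and are only recorded as context, and follow-on POSTs from the same client to an .aspx page that is not on a known-page allowlist, which is how a dropped China Chopper style web shell would show up in the logs. The log field names, sample lines, IP addresses and the allowlist are constructed for the example, and the /_layouts/<version>/ path pattern is an assumption about where the pages live.

```python
"""Triage IIS W3C logs for CVE-2019-0604 post-exploitation indicators.

Added example, not code from the original post. Assumptions: the server
writes W3C-format IIS logs with a #Fields header, Picker.aspx is served
under /_layouts/<version>/, and the sample lines below are constructed.
"""
import re

# Constructed sample log: a #Fields header followed by four requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2019-05-10 10:01:02 203.0.113.5 GET /_layouts/15/start.aspx - 200
2019-05-10 10:01:09 203.0.113.5 POST /_layouts/15/Picker.aspx - 200
2019-05-10 10:01:15 203.0.113.5 POST /_layouts/15/t.aspx - 200
2019-05-10 10:02:30 198.51.100.7 GET /_layouts/15/Picker.aspx - 200
"""

# Constructed allowlist of page basenames that are expected to receive POSTs.
KNOWN_PAGES = {"start.aspx", "picker.aspx"}

PICKER_RE = re.compile(r"^/_layouts/\d+/picker\.aspx$", re.I)
ASPX_RE = re.compile(r"^/.*\.aspx$", re.I)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_suspicious(text, known_pages):
    """Return (client-ip, reason, uri-stem) findings.

    A POST to Picker.aspx is recorded as context only; the stronger signal is a
    later POST from the same client to an .aspx page not in the allowlist.
    """
    findings = []
    picker_posters = set()
    for rec in parse_w3c(text):
        ip, method, stem = rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]
        if method != "POST":
            continue
        if PICKER_RE.match(stem):
            picker_posters.add(ip)
            findings.append((ip, "POST to Picker.aspx (context)", stem))
        elif (ip in picker_posters and ASPX_RE.match(stem)
              and stem.rsplit("/", 1)[-1].lower() not in known_pages):
            findings.append((ip, "POST to unknown .aspx after Picker.aspx", stem))
    return findings


if __name__ == "__main__":
    for ip, reason, stem in find_suspicious(SAMPLE_LOG, KNOWN_PAGES):
        print(f"{ip}\t{reason}\t{stem}")
```

On a real server the allowlist should be built from the pages actually present under the SharePoint layouts directories, and the client-to-client correlation should be widened to a time window rather than the whole file, since a web shell is usually called well after it is dropped.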
The products affected by this vulnerability are:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2010 Service Pack 2
- Microsoft SharePoint Foundation 2013 Service Pack 1
- Microsoft SharePoint Server 2010 Service Pack 2
- Microsoft SharePoint Server 2013 Service Pack 1
- Microsoft SharePoint Server 2019
An attacker who successfully exploits this vulnerability can run arbitrary code in the context of the affected application.
Please refer to this KB article.