Looking Back at the Impact of CVE-2019-0604: A SharePoint RCE

December 18, 2019 | The ZDI Research Team

This is the third in our series of Top 5 interesting cases from 2019. Each of these bugs has some element that sets it apart from the more than 1,000 advisories released by the program this year. This blog takes a look at the impact of a remote code execution bug in Microsoft SharePoint that we previously blogged about.


Today’s installment of the Top 5 bugs of 2019 may look a bit familiar if you’re a long-time reader of this blog. The bug is definitely one of the best we’ve seen this year, but we have already disclosed the technical details. The bug is a remote code execution bug in Microsoft SharePoint. You can read the original post here. This was originally reported to us by Markus Wulftange, and he provided the original analysis as well. Microsoft patched this in February of this year. Since that time, we’ve seen active attacks using this bug, and the impact of those attacks makes this vulnerability even more intriguing.

To demonstrate how effective this bug can be, here’s a quick video showing the proof-of-concept (PoC) in action:

The specific flaw exists within the EntityInstanceIdEncoder class, which is located in both Microsoft.SharePoint.dll and Microsoft.SharePoint.Portal.dll. Both copies of the class use the XmlSerializer class to reconstruct an object from attacker-supplied data in a way that is known to be unsafe and can be exploited to achieve arbitrary code execution. Originally, it was believed that authentication was required to exploit this vulnerability, but some groups have since reported that the vulnerable code could be reached through unauthenticated paths on externally facing websites.
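As an added illustration of the pattern described above (this is not SharePoint’s code and is not taken from the original post), here is the XmlSerializer usage that is generally known to be unsafe, in which the type to deserialize is chosen from untrusted input, beside a hardened form that fixes the expected type at compile time. EntityId, DecodeUnsafe and DecodeSafe are hypothetical names chosen for the example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Hypothetical data contract: the only type this endpoint should ever receive.
public sealed class EntityId
{
    public string Name { get; set; }
    public int Version { get; set; }
}

public static class EntityIdDecoder
{
    // UNSAFE PATTERN (illustrative): the type name arrives with the payload, so
    // XmlSerializer is built for whatever type the caller names and will
    // instantiate and populate it from the supplied XML.
    public static object DecodeUnsafe(string typeName, string xml)
    {
        Type t = Type.GetType(typeName, throwOnError: true);
        var serializer = new XmlSerializer(t);
        using (var reader = new StringReader(xml))
            return serializer.Deserialize(reader);
    }

    // HARDENED PATTERN: the target type is fixed when the serializer is built,
    // DTD processing is prohibited, and the payload size is bounded before the
    // parser runs. The root element is checked against the expected contract.
    private static readonly XmlSerializer EntityIdSerializer =
        new XmlSerializer(typeof(EntityId));
    private const int MaxPayloadChars = 4096;

    public static EntityId DecodeSafe(string xml)
    {
        if (xml == null || xml.Length > MaxPayloadChars)
            throw new ArgumentException("payload missing or too large");

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var sr = new StringReader(xml))
        using (var reader = XmlReader.Create(sr, settings))
        {
            if (!EntityIdSerializer.CanDeserialize(reader))
                throw new InvalidDataException("unexpected root element");
            return (EntityId)EntityIdSerializer.Deserialize(reader);
        }
    }
}
```

The hardened form never lets the client pick a type, which is the property a patch for this bug class has to restore; a code review or static rule that flags `new XmlSerializer(Type.GetType(...))` with a non-constant argument catches the unsafe shape directly.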

Trend Micro’s TippingPoint deployed two different filters related to this bug. Although the first public detection occurred on April 23, things really ramped up in October and have remained consistent since then. Here’s a look at the last six months of filter hits from customers who report back telemetry:

Figure 1 - TippingPoint filter hits for CVE-2019-0604 from July to December 2019

Our filters were actually deployed to TippingPoint customers on December 7, 2018 – 67 days before the patch was released by Microsoft. Once the patch was published in February, Markus let us know it could be easily circumvented as it didn’t completely fix the underlying vulnerability. Kudos to him for spotting the problem quickly. Microsoft re-released the patch in March and added this guidance:

To comprehensively address CVE-2019-0604 Microsoft is releasing the following security updates: 4462199 for Microsoft SharePoint Server 2019, 4462211 for Microsoft SharePoint Enterprise Server 2016, 4462202 for Microsoft SharePoint Foundation 2013 Service Pack 1, and 4462184 for Microsoft SharePoint Server 2010 Service Pack 2. Microsoft recommends that customers running these versions of SharePoint Server install the updates to be protected from this vulnerability.

To say the least, it’s not a straightforward, auto-update type of fix.

We weren’t the only ones detecting this bug in the wild. While BlueKeep may have soaked up more headlines, honeypots designed to catch active SharePoint exploitation were seeing hits on this as well, with detections as far back as May of this year. According to researchers working with the Canadian Centre for Cyber Security, they were able to identify compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors. Along with the alert from Canada, Saudi Arabia’s National Cybersecurity Authority (NCA) indicated that they observed a spike in scanning activity for this specific vulnerability shortly after the release of the patch. Similarly, the UK’s National Cyber Security Centre reported a high number of successful attacks targeting organizations in the United Kingdom. Clearly, this bug was making the rounds.

Conclusion

In our predictions for 2020, we listed deserialization bugs as an exploit trend that would carry into the new year. This bug was one of the reasons we think that class of bugs will continue to be popular among attackers. This bug class offers attackers some added benefits in that, based on their nature, the resulting exploit is extremely reliable and does not require the attacker to corrupt memory and bypass many of the exploit mitigations that have been implemented over the years. Of course, this isn’t the only deserialization bug in SharePoint, and they aren’t limited to just SharePoint. We’ve seen them in Microsoft Exchange, we’ve seen them used at Pwn2Own, and it wouldn’t surprise us if they continue to be submitted to the program. We certainly hope so.

Stay tuned for the next Top 5 bug blog, which will be released tomorrow. Until then, follow the team for the latest in exploit techniques and security patches.