Skip to content
Nuclei Templates

Microsoft SharePoint - Remote Code Execution

ID: CVE-2020-16952

Severity: high

Author: dwisiswant0

Tags: cve,cve2020,msf,sharepoint,iis,microsoft,ssi,rce

Description

Section titled “Description”

Microsoft SharePoint is vulnerable to a remote code execution when the software fails to check the source markup of an application package.

YAML Source

Section titled “YAML Source”
id: CVE-2020-16952


info:
  name: Microsoft SharePoint - Remote Code Execution
  author: dwisiswant0
  severity: high
  description: Microsoft SharePoint is vulnerable to a remote code execution when the software fails to check the source markup of an application package.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system, potentially leading to a complete compromise of the SharePoint server.
  remediation: |
    Apply the latest security updates provided by Microsoft to address this vulnerability.
  reference:
    - https://srcincite.io/pocs/cve-2020-16952.py.txt
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
    - https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-16952
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
    cvss-score: 8.6
    cve-id: CVE-2020-16952
    cwe-id: CWE-346
    epss-score: 0.90937
    epss-percentile: 0.98837
    cpe: cpe:2.3:a:microsoft:sharepoint_enterprise_server:2016:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: sharepoint_enterprise_server
  tags: cve,cve2020,msf,sharepoint,iis,microsoft,ssi,rce


http:
  - method: GET
    path:
      - "{{BaseURL}}"


    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "15\\.0\\.0\\.(4571|5275|4351|5056)"
          - "16\\.0\\.0\\.(10337|10364|10366)"
          # - "16.0.10364.20001"
        condition: or


      - type: regex
        part: header
        regex:
          - "(?i)(Microsoftsharepointteamservices:)"


      - type: status
        status:
          - 200
          - 201
        condition: or
# digest: 490a0046304402200a17f13b33972bbd1440d5ec8fcc870ccd6b0fd5c033f3d82693389583641332022036aa5c2f5fc1bee0f345db15a50507a060f014105cec2a86325c2655ebe46cc4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-16952.yaml"

View on Github