CVE-2010-3964 - Unspecified vulnerability in Microsoft Sharepoint Server 2007

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, microsoft, nessus, exploit available, metasploit

Summary

Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, aka "Malformed Request Code Execution Vulnerability."

Additional information from Microsoft can be found here: http://blogs.technet.com/b/srd/archive/2010/12/14/ms10-104-sharepoint-2007-vulnerability.aspx

Weakness class, per http://cwe.mitre.org/data/definitions/434.html: 'CWE-434: Unrestricted Upload of File with Dangerous Type'.

Vulnerable Configurations

Part        | Description | Count
Application | Microsoft   | 2

Exploit-Db

description: Microsoft Office SharePoint Server 2007 Remote Code Execution. CVE-2010-3964. Remote exploit for Windows platform
id: EDB-ID:20122
last seen: 2016-02-02
modified: 2012-07-31
published: 2012-07-31
reporter: metasploit
source: https://www.exploit-db.com/download/20122/
title: Microsoft Office SharePoint Server 2007 - Remote Code Execution

Metasploit

description: This module exploits a vulnerability found in SharePoint Server 2007 SP2. The software contains a directory traversal that allows a remote attacker to write arbitrary files to the filesystem by sending a specially crafted SOAP ConvertFile request to the Office Document Conversions Launcher Service, which results in code execution under the context of 'SYSTEM'. The module uses the Windows Management Instrumentation service to execute an arbitrary payload on vulnerable installations of SharePoint on Windows 2003 Servers. It has been successfully tested on Office SharePoint Server 2007 SP2 on Windows 2003 SP2.
id: MSF:EXPLOIT/WINDOWS/MISC/MS10_104_SHAREPOINT
last seen: 2020-03-25
modified: 2017-07-24
published: 2012-07-30
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3964
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/ms10_104_sharepoint.rb
title: MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution

Msbulletin

bulletin_id: MS10-104
bulletin_url:
date: 2010-12-14T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2455005
knowledgebase_url:
severity: Important
title: Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS10-104.NASL
description: The version of SharePoint Server 2007 running on the remote host has a remote code execution vulnerability. The Document Conversions Launcher Service does not properly validate SOAP requests before processing them. A remote attacker could exploit this by submitting a specially crafted SOAP request, resulting in arbitrary code execution in the security context of a guest account.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 51176
published: 2010-12-15
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/51176
title: MS10-104: Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(51176);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2010-3964");
  script_bugtraq_id(45264);
  script_xref(name:"EDB-ID", value:"20122");
  script_xref(name:"MSFT", value:"MS10-104");
  script_xref(name:"MSKB", value:"2433089");

  script_name(english:"MS10-104: Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)");
  script_summary(english:"Checks SharePoint version");

  script_set_attribute(attribute:"synopsis", value:"The remote host has a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of SharePoint Server 2007 running on the remote host has a
remote code execution vulnerability. The Document Conversions Launcher
Service does not properly validate SOAP requests before processing
them.

A remote attacker could exploit this by submitting a specially crafted
SOAP request, resulting in arbitrary code execution in the security
context of a guest account.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-104");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for SharePoint Server 2007.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS10-104 Microsoft Office SharePoint Server 2007 Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/12/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sharepoint_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:0);
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}


# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

path = NULL;

# Determine where it's installed.

key = "SOFTWARE\Microsoft\Office Server\12.0";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);

if (!isnull(key_h))
{
 value = RegQueryValue(handle:key_h, item:"BinPath");
 if (!isnull(value))
   path = value[1];

 RegCloseKey(handle:key_h);
}

RegCloseKey(handle:hklm);
NetUseDel (close:FALSE);

if (!path)
{
 NetUseDel();
 exit(1, 'Unable to get SharePoint Server path');
}

# this file should be included with SharePoint Server 2007, but not
# SharePoint Services (which is not affected)
path += "\Microsoft.Office.Server.Conversions.Launcher.exe";



get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-104';
kbs = make_list("2433089");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
dll =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:path);

r = NetUseAdd(share:share);
if ( r != 1 )
{
 NetUseDel();
 audit(AUDIT_SHARE_FAIL, share);
}

handle = CreateFile (file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);


kb = "2433089";
if ( ! isnull(handle) )
{
  v = GetFileVersion(handle:handle);
  CloseFile(handle:handle);
  if ( ! isnull(v) )
  {
    fix = '12.0.6547.5000';
    if (v[0] == 12 && ver_compare(ver:v, fix:fix) == -1)
    {
      info =
        '\n  Product           : Sharepoint Server 2007' +
        '\n  Path              : ' + path +
        '\n  Installed version : ' + join(v, sep:'.') +
        '\n  Fix               : ' + fix + '\n';
      set_kb_item(name:"SMB/Missing/MS10-104", value:TRUE);
      hotfix_add_report(info, bulletin:bulletin, kb:kb);
      hotfix_security_hole();
      exit(0);
      # never reached
    }
  }
}

NetUseDel();

exit(0, 'The host is not affected.');

Oval

accepted: 2011-01-24T04:00:07.602-05:00
class: vulnerability
contributors:
  name: Josh Turpin
  organization: Symantec Corporation
definition_extensions:
  comment: Microsoft Office SharePoint Server 2007 is installed.
  oval: oval:org.mitre.oval:def:2313
description: Unrestricted file upload vulnerability in the Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2, when the Document Conversions Load Balancer Service is enabled, allows remote attackers to execute arbitrary code via a crafted SOAP request to TCP port 8082, aka "Malformed Request Code Execution Vulnerability."
family: windows
id: oval:org.mitre.oval:def:11737
status: accepted
submitted: 2010-06-08T13:00:00
title: Malformed Request Code Execution Vulnerability
version: 7

Packetstorm

data source: https://packetstormsecurity.com/files/download/115099/ms10_104_sharepoint.rb.txt
id: PACKETSTORM:115099
last seen: 2016-12-05
published: 2012-07-30
reporter: James Burton
source: https://packetstormsecurity.com/files/115099/Microsoft-Office-SharePoint-Server-2007-Remote-Code-Execution.html
title: Microsoft Office SharePoint Server 2007 Remote Code Execution

Saint

bid: 45264
description: Microsoft SharePoint Office Document Load Balancer SOAP Vulnerability
id: win_patch_sharept200710104
osvdb: 69817
title: ms_sharepoint_file_upload_via_malformed_soap
type: remote

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 45264 CVE ID: CVE-2010-3964. SharePoint Server is an integrated suite of server capabilities that provides comprehensive content management and enterprise search, accelerates shared business processes, and simplifies information sharing across boundaries. The SharePoint implementation contains a vulnerability that a remote attacker can exploit to inject commands through a request and have them executed on the server. The vulnerability stems from a validation error when handling SOAP requests sent to the Document Conversions Launcher service; a specially crafted uploaded request can lead to execution of arbitrary commands on the affected server. Microsoft SharePoint Server vendor patch: Microsoft has released a security bulletin (MS10-104) and the corresponding patch: MS10-104: Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005) http://www.microsoft.com/technet/security/bulletin/MS10-104.asp
id: SSV:20298
last seen: 2017-11-19
modified: 2010-12-19
published: 2010-12-19
reporter: Root
title: Microsoft SharePoint Malformed SOAP Request Remote Code Execution Vulnerability (MS10-104)