
Vulnerability in Microsoft SharePoint Could Allow Elevation of Privilege

Number: AV10-013
Date: 30 April 2010

Purpose

The purpose of this advisory is to bring attention to a possible vulnerability in Microsoft Windows SharePoint Services and Microsoft Office SharePoint Server that could result in elevation of privilege within a SharePoint site.

Details

Microsoft is investigating reports of a possible vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007. The vulnerability is a cross-site scripting condition that could allow an attacker to run arbitrary script in the context of a SharePoint site, which could result in elevation of privilege within that SharePoint site, as opposed to elevation of privilege on the workstation or server itself.

Affected Products:
• Microsoft Office SharePoint Server 2007 Service Pack 1 and Service Pack 2 (32-bit editions)
• Microsoft Office SharePoint Server 2007 Service Pack 1 and Service Pack 2 (64-bit editions)
• Microsoft Windows SharePoint Services 3.0 Service Pack 1 and Service Pack 2 (32-bit editions)
• Microsoft Windows SharePoint Services 3.0 Service Pack 1 and Service Pack 2 (64-bit editions)

CVE reference: CVE-2010-0817

Mitigating Factors:
• An attacker can cause arbitrary JavaScript to run in the user's browser if the user clicks the specially crafted URL, but the attacker would not be able to steal the logged-on user's authentication credentials because SharePoint Server marks its authentication cookie HttpOnly, which prevents script from reading it. Note that HttpOnly only blocks cookie theft: script running in the page can still issue requests that ride on the user's existing session, which is why the impact is elevation of privilege within the site.
• The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click on a URL that is sent in an e-mail message.
• Internet Explorer 8 users browsing to a SharePoint site in the Internet Zone are at reduced risk because, by default, the Internet Explorer 8 XSS Filter blocks this attack in the Internet Zone. However, the XSS Filter is not enabled by default in the Intranet Zone, which is where an internal SharePoint site will typically be placed.
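Because a successful attack requires a user to follow a crafted Help.aspx link, the web front-end's IIS logs are the place to look for attempts. The following is an added example, not part of the CCIRC or Microsoft advisory: it scans IIS W3C log lines for requests to Help.aspx whose query string carries script markers. The log lines are constructed for this example, and the indicator regex is this example's own heuristic rather than a Microsoft signature, so treat hits as leads to review, not as confirmed exploitation.

```powershell
# Added example (not from the advisory): hunt IIS W3C logs for crafted Help.aspx requests.
# Assumptions: log lines below are constructed; indicator regex is this example's own heuristic.

$sampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-04-30 14:02:11 10.0.0.5 GET /_layouts/help.aspx lcid=1033 80 CONTOSO\alice 10.0.0.21 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 31
2010-04-30 14:05:47 10.0.0.5 GET /_layouts/help.aspx x=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E 80 CONTOSO\bob 10.0.0.33 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 46
2010-04-30 14:05:59 10.0.0.5 GET /_layouts/help.aspx x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 80 CONTOSO\bob 10.0.0.33 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 40
2010-04-30 14:06:02 10.0.0.5 GET /sites/hr/default.aspx - 80 CONTOSO\bob 10.0.0.33 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 12
'@

function Find-SuspiciousHelpRequests {
    param([string[]]$LogLines)
    # Heuristic markers for injected script; this is an assumption, not Microsoft's signature.
    $indicators = '(?i)<script|javascript:|\bon\w+\s*=|document\.cookie|expression\('
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Column names come from the #Fields directive, so the parser is not tied to one log layout.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -notmatch '(?i)/_layouts/help\.aspx$') { continue }
        # Decode twice: a double-encoded payload is a common way past naive filters.
        $query = [System.Uri]::UnescapeDataString($row['cs-uri-query'])
        $query = [System.Uri]::UnescapeDataString($query)
        if ($query -match $indicators) {
            New-Object PSObject -Property @{
                Time   = $row['date'] + ' ' + $row['time']
                Client = $row['c-ip']
                User   = $row['cs-username']
                Status = $row['sc-status']
                Query  = $query
            }
        }
    }
}

$hits = @(Find-SuspiciousHelpRequests -LogLines ($sampleLog -split "`r?`n"))
'{0} suspicious Help.aspx request(s)' -f $hits.Count
$hits | Format-Table Time, Client, User, Status, Query -AutoSize
```

Against the constructed lines this reports the two requests from 10.0.0.33 (the plain and the double-encoded payload) and ignores the benign help lookup and the unrelated page. On a real front-end, feed the function `Get-Content` over the site's log directory (by default under %SystemDrive%\inetpub\logs\LogFiles on IIS 7) instead of `$sampleLog`; a 200 status on a hit means the page was served, so check whether the user's browser had the IE8 XSS Filter available for that zone.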

Suggested action

Microsoft recommendations:

Organizations can mitigate the impact by applying the following workaround.

• Restrict access to SharePoint Help.aspx
An administrator can apply an access control list to SharePoint Help.aspx so that it can no longer be loaded. This effectively prevents exploitation of the vulnerability using this attack vector.

To restrict access to the vulnerable Help.aspx, run the following commands from an elevated command prompt on each SharePoint web front-end server (the second path exists only on 64-bit Windows):

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

Impact of workaround: this workaround disables all help functionality on the SharePoint server. Remove the ACL restriction once the Microsoft fix has been applied.
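The cacls commands above apply the restriction but leave no record of the previous permissions and no check that the deny entry is actually in place. The following is an added example, not from the CCIRC or Microsoft advisory: it applies the same Everyone:deny restriction with the PowerShell ACL cmdlets, verifies it, and saves the original DACL so the workaround can be reverted after patching. It assumes an elevated PowerShell session on each web front-end, the 12-hive paths the advisory names, and a backup file name (Help.aspx.acl.bak) that is this example's own convention.

```powershell
# Added example (not from the advisory): apply, verify and roll back the Help.aspx restriction.
# Assumptions: elevated session on each web front-end; backup file name is this example's own.

# "Everyone" by well-known SID, so the rule does not depend on the OS display language.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
# Deny FullControl to Everyone: the same effect as cacls /P everyone:N.
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyoneSid, 'FullControl', 'Deny'
$daclOnly = [System.Security.AccessControl.AccessControlSections]::Access

function Get-HelpPagePaths {
    # ProgramFiles(x86) is empty on 32-bit Windows, so only existing roots are probed.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $p = Join-Path $root 'Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx'
        if (Test-Path $p) { $p }
    }
}

function Test-HelpPageRestricted {
    param([string]$Path)
    # Explicit (non-inherited) ACEs with identities resolved to SIDs.
    $rules = (Get-Acl $Path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and $r.IdentityReference.Value -eq 'S-1-1-0') { return $true }
    }
    return $false
}

function Restrict-HelpPage {
    param([string]$Path)
    $backup = "$Path.acl.bak"
    if (-not (Test-Path $backup)) {
        # Save only the DACL (SDDL form) before changing it; owner and group are left alone.
        (Get-Acl $Path).GetSecurityDescriptorSddlForm($daclOnly) | Out-File -FilePath $backup -Encoding ASCII
    }
    $acl = Get-Acl $Path
    $acl.AddAccessRule($denyRule)
    Set-Acl -Path $Path -AclObject $acl
}

function Restore-HelpPage {
    param([string]$Path)
    $backup = "$Path.acl.bak"
    if (-not (Test-Path $backup)) { throw "No ACL backup found for $Path" }
    $acl = Get-Acl $Path
    $acl.SetSecurityDescriptorSddlForm([System.IO.File]::ReadAllText($backup).Trim(), $daclOnly)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($page in Get-HelpPagePaths) {
    Restrict-HelpPage -Path $page
    '{0} -> Everyone denied: {1}' -f $page, (Test-HelpPageRestricted -Path $page)
}
```

No service restart is needed: IIS checks the file ACL on each request, so help pages stop being served as soon as the deny entry is written. After the Microsoft fix is installed, run `Restore-HelpPage` against each path returned by `Get-HelpPagePaths` and confirm `Test-HelpPageRestricted` returns False; if the patch replaces Help.aspx with a new file, the explicit deny entry is gone already and the backup is simply unused.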

References:
http://www.microsoft.com/technet/security/advisory/983438.mspx

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca