Introduction
# SharePoint "ToolShell" RCE Exploit (CVE-2025-53770)
## Overview
**CVE-2025-53770** is a critical remote code execution (RCE) vulnerability affecting Microsoft SharePoint Server 2016, 2019, and Subscription Edition (on-premises only, not SharePoint Online). Attackers can bypass authentication and achieve full server control by exploiting a logic flaw and unsafe deserialization. This exploit chain—publicly known as "ToolShell"—has been observed in active attacks.
## Technical Details
### Affected Versions
- SharePoint Enterprise Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
- *Not* applicable to SharePoint Online (Microsoft 365)
### Severity
- **CVSS Score**: 9.8 (Critical)
## Exploit Chain: Step-by-Step
### 1. Authentication Bypass
- The attacker sends a specially crafted HTTP POST request to the hidden management page:
  `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`
- The request contains a **forged Referer header**:
  ```http
  Referer: /_layouts/SignOut.aspx
  ```
- Due to a logic flaw, SharePoint treats this request as coming from a legitimate, authenticated session, granting access.
### 2. Remote Code Execution via Deserialization
- Using access to the privileged endpoint, the attacker submits a payload exploiting an unsafe deserialization bug, allowing arbitrary code execution.
- Typically, the attacker uploads a malicious ASPX web shell (e.g., `spinstall0.aspx`) to the SharePoint system directory.
### 3. Web Shell Deployment and Key Theft
- The web shell is executed, letting the attacker read sensitive SharePoint configuration files.
- The attacker extracts the server's ASP.NET **machine keys**:
  - `ValidationKey`
  - `DecryptionKey`
- These keys sign (`ValidationKey`) and encrypt (`DecryptionKey`) ViewState and authentication tokens, so the server trusts any data they are used to produce.
### 4. Full Server Takeover and Persistence
- With the keys, the attacker can create their own valid, signed payloads that SharePoint will trust and execute.
- This enables persistent RCE and allows bypass of most security controls, even after initial patching—unless the stolen keys are rotated.
## Impact
- **Total compromise** of the on-premises SharePoint server:
  - Arbitrary command execution
  - File access/modification
  - Data exfiltration
  - Lateral movement throughout the internal network
- **Persistence:** Attackers maintain access using stolen machine keys until those keys are manually changed.
## Example Attack Flow (Diagram)
```mermaid
sequenceDiagram
participant Attacker
participant SharePoint Server
Attacker->>SharePoint Server: POST /ToolPane.aspx (with fake Referer)
SharePoint Server-->>Attacker: Grants admin access (auth bypass)
Attacker->>SharePoint Server: Uploads malicious web shell
Attacker->>SharePoint Server: Executes web shell to read config
SharePoint Server-->>Attacker: Returns ValidationKey and DecryptionKey
Attacker->>SharePoint Server: Sends forged, signed payloads (persistent RCE)
```
## Remediation
- **Apply Microsoft patches:**
  [Official Advisory & Updates (Microsoft MSRC)](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- **Immediate machine key rotation** after compromise
- **Audit server for unauthorized ASPX files** and unusual activity
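As an added defensive example (not part of the original README or any vendor tooling), the following Python scans IIS W3C logs for the two request patterns described above: the `ToolPane.aspx` POST with a `SignOut.aspx` Referer, and any hit on `spinstall0.aspx`. The log excerpt is constructed for the example; the field names are the standard IIS W3C ones.

```python
import re
from typing import Dict, List

# Constructed IIS W3C log excerpt (not a real capture). The "#Fields:" line drives
# parsing, so the same code works on logs whose field order differs.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:02:11 10.0.0.5 GET /sites/hr/default.aspx - 10.0.0.20 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-19 10:03:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 python-requests/2.31 /_layouts/SignOut.aspx 200
2025-07-19 10:03:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 python-requests/2.31 - 200
2025-07-19 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.21 Mozilla/5.0 https://sp.example.test/_layouts/15/settings.aspx 200
"""

# Indicators taken from the write-up above: the bypass endpoint, the spoofed
# Referer, and the web shell file name.
TOOLPANE = re.compile(r"/_layouts/(?:15/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:15/)?signout\.aspx", re.IGNORECASE)
WEBSHELL = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log text into one dict per request, keyed by #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat when the log rolls over
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or garbled lines
                rows.append(dict(zip(fields, values)))
    return rows


def find_toolshell_indicators(log_text: str) -> List[Dict[str, str]]:
    """Flag (1) POST ToolPane.aspx?DisplayMode=Edit with a SignOut.aspx Referer, i.e. the
    auth-bypass request, and (2) any request for spinstall0.aspx. A POST to ToolPane.aspx
    with an ordinary in-site Referer is normal page editing and is not flagged."""
    findings: List[Dict[str, str]] = []
    for r in parse_w3c(log_text):
        stem, query = r.get("cs-uri-stem", ""), r.get("cs-uri-query", "")
        when = f"{r.get('date', '')} {r.get('time', '')}"
        if (r.get("cs-method") == "POST" and TOOLPANE.search(stem)
                and "displaymode=edit" in query.lower()
                and SIGNOUT_REFERER.search(r.get("cs(Referer)", ""))):
            findings.append({"type": "auth_bypass_attempt", "client": r.get("c-ip", ""), "time": when})
        if WEBSHELL.search(stem):
            findings.append({"type": "webshell_access", "client": r.get("c-ip", ""), "time": when})
    return findings
```

Run it over real `u_ex*.log` files from the SharePoint web front ends; a hit on either pattern is a reason to pull the request body from any WAF or proxy capture and to rotate the machine keys regardless of patch state.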
## References
- [CISA KEV Catalog - CVE-2025-53770](https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-adds-four-known-exploited-vulnerabilities-catalog)
- [Microsoft MSRC Advisory](https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/)
- [Technical Write-up: "ToolShell" exploit](#)
*This document is for research and defensive purposes only. Do not attempt exploitation on systems you do not own or have explicit authorization to test.*
File snapshot
[4.0K] /data/pocs/5196f19e848122b79edb710a2492a403813705d5
└── [3.7K] README.md
0 directories, 1 file