Microsoft SharePoint Office Document Load Balancer SOAP Vulnerability

2011-11-23T00:00:00
ID SAINT:6BAF3084A5E41EAE030364DF9CE9D5DE
Type saint
Reporter SAINT Corporation
Modified 2011-11-23T00:00:00

Description

Added: 11/23/2011
CVE: CVE-2010-3964
BID: 45264
OSVDB: 69817

Background

Microsoft SharePoint is a web application platform that provides web content management and document management as an aid to collaboration among users. SharePoint's multi-purpose design allows for managing and provisioning of intranet portals, extranets, websites, document and file management, collaboration spaces, social tools, enterprise search, business intelligence, process integration, system integration, workflow automation, and core infrastructure for third-party solutions.

Problem

The Document Conversions Launcher Service in Microsoft Office SharePoint Server 2007 SP2 contains an arbitrary file upload vulnerability due to improper validation when processing SOAP requests. A remote attacker could execute arbitrary code in the security context of a guest user by sending a specially crafted SOAP request to the Document Conversions Launcher Service on TCP port 8082 in a SharePoint server environment that is using the Document Conversions Load Balancer Service. By default, the Document Conversions Load Balancer Service and Document Conversions Launcher Service are not enabled in Microsoft Office SharePoint Server 2007.

Resolution

Apply the patch found in Microsoft Security Bulletin MS10-104.
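
The following added example (not part of the SAINT advisory or of Microsoft's bulletin) checks a server for the preconditions described under Problem: whether the Document Conversions services are present and running, and whether anything is listening on TCP port 8082. It assumes the services can be found by matching their display names against `*Document Conversions*`, since the advisory does not give their Windows service identifiers.

```powershell
# Added example: exposure check for the preconditions the advisory lists.
# Assumption: services are matched by display name, because the advisory
# names them but does not give their Windows service identifiers.
$port = 8082   # Launcher Service port named in the advisory

# 1. Are the Launcher / Load Balancer services installed, and how do they start?
$services = @(Get-WmiObject -Class Win32_Service |
    Where-Object { $_.DisplayName -like '*Document Conversions*' })
foreach ($svc in $services) {
    '{0}: State={1}, StartMode={2}' -f $svc.DisplayName, $svc.State, $svc.StartMode
}

# 2. Is anything listening on the port, and on which local address?
#    netstat is parsed so the check also works on older Windows Server releases.
$pattern = '^\s*TCP\s+(\S+):{0}\s+\S+\s+LISTENING\s+(\d+)' -f $port
$listeners = @(netstat -ano | ForEach-Object {
    if ($_ -match $pattern) {
        New-Object PSObject -Property @{
            LocalAddress = $Matches[1]
            OwningPid    = [int]$Matches[2]
        }
    }
})
foreach ($l in $listeners) {
    'Listener on {0}:{1} (PID {2})' -f $l.LocalAddress, $port, $l.OwningPid
}

# 3. Summarize against the advisory's conditions.
$running = @($services | Where-Object { $_.State -eq 'Running' })
$offHost = @($listeners | Where-Object { $_.LocalAddress -notmatch '^(127\.|\[::1\])' })

if ($services.Count -eq 0) {
    'No Document Conversions services found on this host.'
} elseif ($running.Count -eq 0 -and $listeners.Count -eq 0) {
    'Services are installed but not running; nothing is listening on the port.'
} elseif ($offHost.Count -gt 0) {
    "Port $port accepts connections on a non-loopback address: confirm MS10-104 is installed."
} else {
    'No non-loopback listener found on the port; confirm MS10-104 is installed if the services are in use.'
}
```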

References

<http://technet.microsoft.com/en-us/security/bulletin/MS10-104>
<http://www.cvedetails.com/cve/CVE-2010-3964/>

Limitations

The exploit works on Microsoft Office SharePoint Server 2007 SP2.

Both the Document Conversions Launcher Service and Document Conversions Load Balancer Service must be enabled for SharePoint on the target system.

To open the shell connection, the target machine must reboot after the exploit script runs.

Platforms

Windows