A new XXE (XML eXternal Entity) injection vulnerability has been discovered affecting SharePoint on both on-prem and cloud instances.

This vulnerability has been assigned CVE-2024-30043 and has been given a severity rating of 6.3 (Medium).

However, successfully exploiting this vulnerability allows a threat actor to read files with the permissions of the SharePoint Farm Service Account, perform SSRF attacks, perform NTLM relaying, and carry out any other attack that XXE can lead to, including remote code execution.

Entity (XXE) Injection Vulnerability

According to the advisory shared with Cyber Security News, this vulnerability can be exploited by a low-privileged user. It stems from flaws in XML fetching and XML parsing in the BaseXmlDataSource class, which is the base class inheriting from DataSource.

The Execute method of the BaseXmlDataSource class accepts a string called “request” that the user fully controls. This request is expected to contain a URL or a path pointing to an XML file, which the researchers refer to as the “DataFile”.


The XML fetching is done in this.FetchData, which accepts the user-supplied URL parameter as its input argument.

FetchData is implemented in three classes: SoapDataSource (performs an HTTP SOAP request), XmlUrlDatasource (performs a customizable HTTP request) and SPXmlDataSource (retrieves an existing file specified on the SharePoint site).

The XML parsing is then performed with xmlReaderSettings.DtdProcessing set to DtdProcessing.Prohibit, which disables processing of DTDs (document type definitions).

Further, xmlTextReader.XmlResolver is set to a freshly created XmlSecureResolver.

When the XmlSecureResolver is created, the request string is passed as the securityUrl parameter. The content of the request is then read in a while-do loop.

Although this setup seemed secure, it was later discovered that in an initial test no HTTP request was performed and a DTD processing exception was thrown.

Surprisingly, however, a payload was still executed: the XmlReader made an HTTP request while first reading the XML, even though XmlReaderSettings.DtdProcessing was set to Prohibit and an XmlTextReader.XmlResolver was set.

Reason For Payload Execution

The resolver always tries to handle the parameter entities first, and only then is the DTD prohibition check performed, which is why the exception was thrown only at the end.

This still allows an out-of-band XXE to be exploited and data to potentially be exfiltrated with a maliciously crafted payload.

Execution of payload (Source: ZDI)
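The reader configuration described above (DtdProcessing.Prohibit plus an attached XmlSecureResolver) is contrasted here with a configuration that has no resolver at all, so there is nothing that could fetch a parameter entity regardless of the order in which the checks run. This is an added example and not SharePoint's or Microsoft's code; the "as described" reader is reconstructed from the article's description only, and the `request` argument, the sample XML strings and the method names are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not code from SharePoint or from the researchers.
// Contrasts the reader setup the article describes with a hardened one.
public static class UntrustedXml
{
    // Pattern as described in the article, reconstructed for contrast:
    // DTDs are "prohibited", but a resolver is still attached, and the
    // resolver handles parameter entities before the prohibition check runs.
    // (XmlSecureResolver is marked obsolete in recent .NET versions.)
    // "request" is the user-controlled string the article says is passed
    // as securityUrl; its value here is hypothetical.
    public static XmlReader ReaderAsDescribed(string xml, string request)
    {
        return new XmlTextReader(new StringReader(xml))
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = new XmlSecureResolver(new XmlUrlResolver(), request),
        };
    }

    // Hardened setup: DTDs are prohibited AND no resolver object exists,
    // so no network or file request can be issued during parsing.
    public static XmlReader HardenedReader(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        return XmlReader.Create(new StringReader(xml), settings);
    }

    // Reads to the first content node and returns the root element name.
    // With DtdProcessing.Prohibit a DOCTYPE raises XmlException here.
    public static string RootName(XmlReader reader)
    {
        using (reader)
        {
            reader.MoveToContent();
            return reader.Name;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs for the demonstration.
        const string benign = "<data><item>1</item></data>";
        // Internal DTD subset only; enough to show that any DOCTYPE is rejected
        // before the document body is processed.
        const string withDoctype =
            "<!DOCTYPE data [<!ENTITY x \"placeholder\">]><data>&x;</data>";

        Console.WriteLine(RootName(HardenedReader(benign)));

        try
        {
            RootName(HardenedReader(withDoctype));
            Console.WriteLine("unexpected: DOCTYPE was accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The design point is that prohibiting DTDs and removing the resolver are independent controls: the first decides whether a DOCTYPE is ever accepted, the second decides whether anything can be fetched while the reader is still deciding. When parsing untrusted input, applying both leaves no window in which an external reference can be resolved.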

Microsoft patched this vulnerability in the Patch Tuesday updates of May 2024.

According to the patch released by Microsoft, stricter URL parsing control for SPXmlDataSource has been implemented, and the XmlTextReader object now also prohibits DTD usage.

It is recommended that SharePoint users update their on-prem and cloud instances to the latest versions to prevent threat actors from exploiting this vulnerability.
