The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is
intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.

OCS ADVISORY NUMBER:
2013-030

DATE(S) ISSUED:
03/13/2013

SUBJECT:
Vulnerabilities in SharePoint Could Allow Elevation of Privilege (MS13-024)

OVERVIEW:

Multiple vulnerabilities have been reported in Microsoft SharePoint Server and Microsoft SharePoint Foundation that could allow for elevation of privilege or a denial of service attack. Depending on the privileges associated with the user, the attacker could install programs; view, change or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Microsoft SharePoint Server 2010
  • Microsoft SharePoint Foundation 2010

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

DESCRIPTION:
This advisory covers a total of four vulnerabilities.

There is a Callback Function Vulnerability (CVE-2013-0080) that could allow an attacker to elevate their access to the server. This would provide the attacker the ability to change permissions, delete content and inject specially crafted content in the browser of the victim. This vulnerability uses a web-based attack scenario where the attacker hosts a specially crafted webpage. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.

There is a Cross Site Scripting vulnerability (CVE-2013-0083) that could potentially allow an attacker to issue SharePoint commands in the context of an administrative user on the site. This happens when the SharePoint Server does not properly handle a malicious JavaScript element contained within specially crafted site content. Once exploited, the attacker could use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions, delete content and inject malicious content into a web browser.

There is a SharePoint Directory Traversal Vulnerability (CVE-2013-0084) that could allow an attacker, after obtaining sensitive system data, to elevate their access to the server. The vulnerability is caused when Microsoft SharePoint Server does not properly validate a user’s input. Once exploited, the attacker could use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions, delete content and inject malicious content into a web browser.

There is a Buffer Overflow Vulnerability (CVE-2013-0085) that could allow an attacker to cause the W3WP process on an affected version of SharePoint to terminate. This would cause the SharePoint site, along with any user sites running that process, to become unavailable until the process is restarted.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Inform and educate users regarding the threats posed by attachments and hypertext links contained in emails, especially from un-trusted sources.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to download or open files from un-trusted websites.

REFERENCES:

Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/MS13-024

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0080
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0083
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0084
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0085

Secunia:
http://secunia.com/advisories/52551/