id: CVE-2020-1147

info:
  name: RCE at SharePoint Server (.NET Framework & Visual Studio) detection
  author: dwisiswant0
  description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input, aka '.NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability'.
  severity: critical
  tags: cve,cve2020,sharepoint,iis,rce
  reference: |
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
    - https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

requests:
  - method: GET
    path:
      - "{{BaseURL}}/_layouts/15/listform.aspx?PageType=1&ListId=%7B13371337-1337-1337-1337-133713371337%7D"
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "List does not exist"
          - "It may have been deleted by another user"
        part: body
        condition: and
      - type: word
        words:
          - "Microsoft-IIS"
          - "X-SharePointHealthScore"
          - "SharePointError"
          - "SPRequestGuid"
          - "MicrosoftSharePointTeamServices"
        condition: or
        part: header
      - type: status
        status:
          - 200