id: CVE-2020-16952

info:
  name: Microsoft SharePoint Server-Side Include (SSI) and ViewState RCE
  author: dwisiswant0
  severity: high
  description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-16951.
  reference:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16952
    - https://srcincite.io/pocs/cve-2020-16952.py.txt
    - https://github.com/rapid7/metasploit-framework/blob/1a341ae93191ac5f6d8a9603aebb6b3a1f65f107/documentation/modules/exploit/windows/http/sharepoint_ssi_viewstate.md
  tags: cve,cve2020,sharepoint,iis,microsoft
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 7.80
    cve-id: CVE-2020-16952
    cwe-id: CWE-346

requests:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "15\\.0\\.0\\.(4571|5275|4351|5056)"
          - "16\\.0\\.0\\.(10337|10364|10366)"
          # - "16.0.10364.20001"
        condition: or
        part: body
      - type: word
        words:
          - "MicrosoftSharePointTeamServices"
        part: header
      - type: status
        status:
          - 200
          - 201
        condition: or