Check Point Advisories

Microsoft SharePoint Malformed Request Remote Code Execution (MS10-104; CVE-2010-3964)

Check Point Reference: CPAI-2010-339
Date Published: 14 Dec 2010
Severity: High
Last Updated: Tuesday 03 November, 2015
Source:
Industry Reference:CVE-2010-3964
Protection Provided by:

Security Gateway
R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description Document Conversions Launcher Service schedules and initiates the document conversions on a server. When Microsoft Office SharePoint Server 2007 passes the service a document conversion request, the Document Conversions Launcher Service calls the appropriate document converter. A remote code execution vulnerability exists in the way that the Document Conversions Launcher Service validates SOAP requests before processing on a SharePoint server. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system. This vulnerability is due to an error in the Document Conversions Launcher service that fails to properly validate SOAP requests from the Document Conversions Load Balancer Service. A remote attacker can exploit this vulnerability by sending a specially crafted SOAP request to the Document Conversions Launcher Service in a SharePoint server environment that is using the Document Conversions Load Balancer Service. Successful exploitation of this vulnerability could allow the attacker to run arbitrary code on an affected SharePoint server.

Protection Overview

This protection will detect and block malformed Sharepoint SOAP requests made to the vulnerable server on port 8082.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

  1. In the IPS tab, click Protections and find the Microsoft SharePoint Malformed Request Remote Code Execution (MS10-104) protection using the Search tool and Edit the protection's settings.
  2. Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name:  SharePoint Enforcement Violation.
Attack Information:  Microsoft SharePoint malformed request remote code execution (MS10-104)

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK