CVSS v2 base score: 7.5

CVE-2019-0604

Published: 05/03/2019 Updated: 13/12/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 676
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.

Vulnerable Products

Microsoft SharePoint Foundation 2013

Microsoft SharePoint Server 2019

Microsoft SharePoint Enterprise Server 2016

Microsoft SharePoint Server 2010

GitHub Repositories

Walkthrough of k8gege's SharePoint RCE exploit cve-2019-0604-exp.py, and building your own payload

1. Walkthrough of k8gege's cve-2019-0604-exp.py. k8gege's script: github.com/k8gege/CVE-2019-0604. Honestly, k8gege's Python script is a bit showy: a big pile of hex strings split into payload1, 2 and 3, which is not great. The payload the Python script POSTs to the remote host is, once deserialized, an XML body: <ResourceDictionary xmlns="schemas.microsoft.com/winfx/2006/xaml/presentation"

cve-2019-0604 SharePoint RCE exploit

CVE-2019-0604 SharePoint RCE exploit. Blog: www.cnblogs.com/k8gege/p/11093992.html. Wiki: github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8-CVE-2019-0604-SharePoint-GetShell-Exploit

CVE-2019-0604, from www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability

Desharialize: Easy mode to exploit CVE-2019-0604 (SharePoint XML deserialization unauthenticated RCE). What is it? While there have been public POCs for CVE-2019-0604, I have noticed that those POCs are not clear, extensible or flexible. Some of them only have one hardcoded (and serialized/encoded) payload, some of them require running custom .NET code before every

Automated tool to exploit SharePoint CVE-2019-0604

Weaponized CVE-2019-0604: an automated exploit tool to maximize CVE-2019-0604. Requirements: the requirements.txt file should list all Python libraries this tool uses, and they'll be installed using $ pip install -r requirements.txt. Manual blind exploit (with(out) credential): $ python exploit.py -u <url-to-Picker.aspx> -c whoami --ntlm -U <uname>:
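The exploits listed above all drive the same primitive: an unauthenticated POST to Picker.aspx whose body carries a serialized XML/XAML object graph (the k8gege payload above is a ResourceDictionary) that SharePoint deserializes. The following is an added hunting example written for this page, not code from Vulmon, k8gege, Desharialize or any other project listed here. It parses constructed IIS W3C log lines for anonymous or unusually large POSTs to Picker.aspx, and scans a constructed URL-encoded form body for the markers a XAML gadget has to carry. ObjectDataProvider and the System.Diagnostics namespace import are the standard ysoserial.net XAML gadget, which the page does not spell out; the form-field name payloadField, the 8192-byte threshold and both samples are assumptions.

```python
"""Hunting for CVE-2019-0604 exploitation attempts in IIS logs and POST bodies.

Added example for this page; not code from Vulmon, k8gege, Desharialize or any
other project listed here. Assumptions (not stated on the page): the IIS W3C
field layout below, the 8192-byte body threshold, the form-field name
"payloadField", and the constructed log/body samples.
"""
import urllib.parse
from typing import Dict, List

LARGE_BODY_BYTES = 8192  # assumed threshold; tune to real Picker.aspx traffic

# Constructed IIS W3C log excerpt (not real traffic): '-' for an empty field,
# no quoting, one space between fields, as IIS writes them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-bytes sc-status
2019-05-01 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 512 200
2019-05-01 10:01:09 10.0.0.5 POST /_layouts/15/Picker.aspx - 443 - 203.0.113.7 python-requests/2.21.0 18432 200
2019-05-01 10:01:10 10.0.0.5 POST /_layouts/15/picker.aspx - 443 CORP\\bob 10.0.0.21 Mozilla/5.0 1200 302
2019-05-01 10:02:00 10.0.0.5 POST /_layouts/15/Picker.aspx - 443 - 198.51.100.9 curl/7.64.0 22000 500
"""

# ResourceDictionary is the wrapper in the public k8gege payload; the rest is
# the standard ysoserial.net XAML gadget (ObjectDataProvider -> Process.Start).
XAML_MARKERS = (
    "ResourceDictionary",
    "ObjectDataProvider",
    "clr-namespace:System.Diagnostics",
    'MethodName="Start"',
)

# Constructed URL-encoded POST body. The XAML fragment only names the gadget
# type and carries no command, so it is not a working payload.
SAMPLE_BODY = "__VIEWSTATE=dDw&payloadField=" + urllib.parse.quote(
    '<ResourceDictionary xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" '
    'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" '
    'xmlns:sd="clr-namespace:System.Diagnostics;assembly=System">'
    '<ObjectDataProvider x:Key="p" ObjectType="{x:Type sd:Process}" MethodName="Start"/>'
    "</ResourceDictionary>"
)


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """One dict per request, keyed by the names in the latest #Fields line."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # IIS never quotes fields, so the count must match exactly
        rows.append(dict(zip(fields, values)))
    return rows


def hunt_picker_posts(text: str) -> List[Dict[str, object]]:
    """POSTs to Picker.aspx that are anonymous or carry a large body, with the
    reasons attached so an analyst can triage quickly."""
    findings = []
    for row in parse_w3c_log(text):
        if row.get("cs-method") != "POST":
            continue
        if not row.get("cs-uri-stem", "").lower().endswith("/picker.aspx"):
            continue
        reasons = []
        if row.get("cs-username", "-") == "-":
            reasons.append("anonymous POST to Picker.aspx")
        try:
            body_bytes = int(row.get("cs-bytes", "0"))
        except ValueError:
            body_bytes = 0
        if body_bytes >= LARGE_BODY_BYTES:
            reasons.append(f"request body {body_bytes} bytes (serialized gadget chains are large)")
        if reasons:
            findings.append({"time": f"{row['date']} {row['time']}", "client": row["c-ip"],
                             "status": row["sc-status"], "reasons": reasons})
    return findings


def scan_form_body(body: str) -> Dict[str, List[str]]:
    """Map each form field of a URL-encoded body to the XAML markers it holds.
    parse_qs percent-decodes the values, so encoded payloads still match."""
    hits: Dict[str, List[str]] = {}
    for name, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
        for value in values:
            found = [m for m in XAML_MARKERS if m in value]
            if found:
                hits.setdefault(name, []).extend(found)
    return hits


if __name__ == "__main__":
    for finding in hunt_picker_posts(SAMPLE_LOG):
        print(finding)
    print(scan_form_body(SAMPLE_BODY))
```

Point parse_w3c_log at the real u_ex*.log files and feed scan_form_body captured request bodies from a WAF or proxy. A body hit is high confidence; a log hit on its own needs triage, because the legitimate people picker also POSTs to Picker.aspx, which is why the authenticated 1200-byte request in the sample is not flagged.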

dotnet deserialization: this series is the author's notes from learning dotnet deserialization systematically from 0 to 1. It covers the official deserialization formatters and the deserialization components of third-party libraries (such as Json.net), interspersed with the usage and internals of ysoserial.net and some dotnet background. The author is also a beginner; if anything in the articles is stated or explained wrongly, please do point it out. All articles

EzpzSharepoint. Disclaimer: this is my note-taking on SharePoint. All the information here is collected from the references. Anything new related to SharePoint will be updated here. Information. Folder information: _app_bin. The _app_bin folder was designed to hold application assemblies which were previously installed in _layouts/bin. WebPart assemblies are

Deserialization payload generator for a variety of .NET formatters

A proof-of-concept tool for generating payloads that exploit unsafe .NET object deserialization. Description: ysoserial.net is a collection of utilities and property-oriented programming "gadget chains" discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver progra

ysoserial.net for Windows, executable file

ysoserial.net as a Windows executable. Usage: ysoserial.exe -h. ysoserial.net generates deserialization payloads for a variety of .NET formatters. Available gadgets: ActivitySurrogateDisableTypeCheck (disables 4.8+ type protections for ActivitySurrogateSelector, command is ignored). Formatters: BinaryFormatter, LosFormatter, NetDataContractSerializer, ObjectStateFor

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Es

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalation Useful Local Priv Esc Tools Lateral Movement Powershell Remoting Remote Code Execution with PS Credentials Import a powershell module and execute its functions remotely Executing Remote St

CS2020 repository. MSEL concepts: DMZ # initial access firewall cve (out of scope?) python3 pfsense_auth_226_exec.py localhost:65535 nc <IP> # initial access firewall (lockout feature!) web-proxy, ftp, dns, and web-conf proxychains hydra -L ~/users.txt -P ~/passwords.txt <IP> ssh -u -V; # shell to dmz boxes via ssh ssh <USER>@

Generic assessment template

Pentest Template 1) Setup attacking machine: # NOTE: icmp and udp can't be proxied via proxychains! # setting up, socks, port forwarding for payload delivery ssh -f -N -D <LOCALIP>:<LOCALPORT> root@<REMOTEIP> # from local box socat TCP-LISTEN:<LOCALPORT>,bind=<LOCALIP>,fork,reuseaddr TCP:<RE

K8 tools collection (intranet penetration / privilege escalation tools / remote overflow / vulnerability exploitation / scanning tools / password cracking / AV-evasion tools / Exploit / APT / 0day / Shellcode / Payload / privilege / BypassUAC / OverFlow / WebShell / PenTest). Web GetShell Exploit (Struts2/Zimbra/Weblogic/Tomcat/Apache/Jboss/DotNetNuke/zabbix)

K8tools 2020628. Disclaimer: the tools are for security research or authorized penetration testing only; you bear the consequences of any illegal use. Download: github.com/k8gege/K8tools. Documentation: k8gege.org. PS: updated irregularly; the files are large, so download what you need. For tool bugs or suggestions, leave a comment directly on GitHub. The privilege escalation tools can all be run from a remote-control cmd or a WebShell; most have been modified and recompiled for better compatibility and stability. Note

Awesome Hacking Awesome hacking is a curated list of hacking tools for hackers, pentesters and security researchers Its goal is to collect, classify and make awesome tools easy to find by humans, creating a toolset you can checkout and update with one command This is not only a curated list, it is also a complete and updated toolset you can download with one-command! You can

Task 1: Vulnerability management. I think there is no point in explaining what a vulnerability is, so straight to the point. Vulnerability management is a cyclical process aimed at discovering and classifying vu

CVEs enumerated by FireEye that should be addressed to limit the effectiveness of the leaked Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

vFeed CVEs: vulnerability indicators that should be addressed to limit the effectiveness of the leaked FireEye Red Team tools. CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0; CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0; CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Forti

Summary of all security news published by Topsec Alpha Lab on its WeChat official account in 2019

Welcome to follow the Topsec Alpha Lab WeChat official account. 20191231 [Technique] Learning reverse engineering from scratch with IDA, Part 27: medium.com/p/5fa5c173547c. 36C3 CTF writeups: bananamafia.dev/post/36c3ctf/. Homograph attacks revisited: alephsecurity.com/2019/12/29/revised-homograph-attacks/. Password spraying attack against the login page of a Dell SonicWALL Virtual Office

Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out current Contents CVE-2011-2856 CVE-2011-3243 CVE-2013-2618 CVE-2013-6632 CVE-2014-1701 CVE-2014-1705 CVE-2014-1747 CVE-2014-3176 CVE-2014-6332 CVE-2014-7927 CVE-2014-7928 CVE-2015-0072 CVE-2015-0235 CVE-2015-0240 CVE-2015-1233 CVE-2015-1242 CVE-2015-1268 CV

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

PoC in GitHub 2021. CVE-2021-1056 (2021-01-07): NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. pokerfaceSad/CVE-2021-1056 CVE-2021-

PoC in GitHub 2020. CVE-2020-0014 (2020-02-13): It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-1286745

PoC auto collect from GitHub.

PoC in GitHub 2020. CVE-2020-0022: In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Andr

Recent Articles

Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks
Threatpost • Lisa Vaas • 28 Apr 2021

A phishing campaign, discovered by researchers at Cofense, is draping itself in a Microsoft Office SharePoint theme and successfully bypassing security email gateways (SEGs). In a post on Tuesday, the firm said that this is an example of why it’s not always prudent to share documents via Microsoft’s hugely popular, widely used SharePoint collaboration platform. 
The phish is targeting Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email ...

Microsoft Patch Tuesday – February 2019
Symantec Threat Intelligence Blog • Ratheesh PM • 13 Feb 2019

This month the vendor has patched 74 vulnerabilities, 20 of which are rated Critical.

Posted: 13 Feb 2019, 22 min read. As always, customers are advised to follow these security best practices:

Install vendor patches as soon as they are available.
Run all software with the least privileges required while still maintaini...

UK urges orgs to patch severe CVE-2020-16952 SharePoint RCE bug
BleepingComputer • Sergiu Gatlan • 16 Oct 2020

The U.K. National Cyber Security Centre (NCSC) today issued an alert highlighting the risks behind the recently addressed CVE-2020-16952 remote code execution (RCE) vulnerability in Microsoft SharePoint Server.
NCSC, the cybersecurity arm of the UK's GCHQ intelligence service, urges organizations to make sure that all Microsoft SharePoint products in their environments are patched against CVE-2020-16952 to block takeover attempts.
"The NCSC strongly advises that organisations refer ...

Microsoft Zerologon Flaw Under Attack By Iranian Nation-State Actors
Threatpost • Lindsey O'Donnell • 06 Oct 2020

Microsoft is warning that an Iranian nation-state actor is now actively exploiting the Zerologon vulnerability (CVE-2020-1472), adding fuel to the fire as the severe flaw continues to plague businesses.
The advanced persistent threat (APT) actor, which Microsoft calls MERCURY (also known as MuddyWater, Static Kitten and Seedworm) has historically targeted government victims in the Middle East to exfiltrate data. Exploiting the bug allows an unauthenticated attacker, with network access ...

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
Threatpost • Tara Seals • 08 Sep 2020

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.
The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbit...

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch
The Register • Shaun Nichols in San Francisco • 14 May 2020

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...

FBI Warns of DDoS Attack on State Voter Registration Site
BleepingComputer • Sergiu Gatlan • 04 Feb 2020

The US Federal Bureau of Investigation (FBI) warned of a potential Distributed Denial of Service (DDoS) attack that targeted a state-level voter registration and information site in a Private Industry Notification (PIN) released today.
"The FBI received reporting indicating a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack," according to the FBI PIN seen by B...

U.N. Hack Stemmed From Microsoft SharePoint Flaw
Threatpost • Lindsey O'Donnell • 30 Jan 2020

Hackers breached the United Nations network in July by exploiting a Microsoft SharePoint vulnerability, according to reports. The breach, which appears to be an espionage operation, reportedly gave the hackers access to an estimated 400 GB of sensitive data.
The breach was swept under the rug by the U.N. until this week, when an internal document outlining the hack was leaked by The New Humanitarian, a global news agency focusing on human rights stories. According to the confidential docum...

UN didn't patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it
The Register • Kieren McCarthy in San Francisco • 29 Jan 2020

For an organization accused of being 'all talk, no action', there's not even enough talking – to its own employees

The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants' fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public.
That is the extraordinary claim of The New Humanitarian, which until a few years ago was an official UN publication covering humanitarian crises. Today, it said the UN has confirmed both the hack and the decision not to divulge any details...

FBI Releases Alert on Iranian Hackers' Defacement Techniques
BleepingComputer • Sergiu Gatlan • 27 Jan 2020

The FBI Cyber Division issued a flash security alert earlier this month with additional indicators of compromise from recent defacement attacks operated by Iranian threat actors and info on attackers' TTPs to help administrators and users to protect their websites.
The Cybersecurity and Information Security Agency (CISA) also on the same day to provide cybersecurity best practices on safeguarding websites from cyberattacks that could lead to defacement or data breaches.
FBI's...

APT trends report Q2 2019
Securelist • GReAT • 01 Aug 2019

For two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activiti...

FIN7 Linked to Escalating Active Exploits for Microsoft SharePoint Bug
Threatpost • Tara Seals • 10 May 2019

A recently patched, high-severity vulnerability in Microsoft SharePoint (CVE-2019-0604) that allows remote code-execution is being increasingly exploited in the wild, according to researchers – possibly by the FIN7 group, among others.
According to Microsoft's advisory, the vulnerability (which carries a 7.8 CVSS v.3.0 score) exists because the software fails to check the source markup of an application package – Microsoft issued a patch in March.
The Canadian Cyber Securit...

It's now 2019, and your Windows DHCP server can be pwned by a packet, IE and Edge by a webpage, and so on
The Register • Shaun Nichols in San Francisco • 13 Feb 2019

Hefty load from Microsoft, Adobe, with special guest star Cisco

Patch Tuesday Microsoft and Adobe have teamed up to give users and sysadmins plenty of work to do this week.
The February edition of Patch Tuesday includes more than 70 CVE-listed vulnerabilities from each vendor – yes, each – as well as a critical security fix from Cisco. You should patch them as soon as it is possible.
For Redmond, the February dump covers 77 CVE-listed bugs across Windows, Office, and Edge/IE.
Among the most potentially serious was CVE-2019-0626, a remot...
