Today we released MS10-104 to address vulnerability CVE-2010-3964 in SharePoint 2007 server with an important severity rating. In this blog, we would like to cover some additional details of this vulnerability.
Is my SharePoint server affected by this vulnerability?
There are two types of installations for a SharePoint server: standalone and farm. A standalone installation is used for test/evaluation purposes and cannot be used when creating a SharePoint farm. With a farm installation there are two sub-types: complete and web front end. Servers of both types can be used to form a SharePoint farm. This is how SharePoint server is intended to be used for production deployment.
The following screen capture shows the server types you can select during SharePoint installation
By default, the vulnerable service, “Office Document Conversions Launcher Service”, is disabled in SharePoint farm installations. It is, however, enabled for SharePoint standalone installations. Most likely a SharePoint server in production will be deployed in the farm mode, and thus not vulnerable by default.
You can check whether the “Office Document Conversions Launcher Service” is running on your SharePoint server with the command “sc query dclauncher”. If the service is running, then the SharePoint server is vulnerable.
What is the restricted guest account mitigation?
While the “Office Document Conversions Launcher Service” runs under the localsystem account, the actual document conversion process is launched under a special HYU_<ServerName> account. This is a guest account created by SharePoint server and is used only for document conversion. Thus, even if the attacker manages to get the malicious code runs, the code will run under this guest account.
Would disabling the “Office Document Conversions Load Balancer Service” or blocking TCP port 8093 be good workarounds?
In the bulletin, we list workarounds that involve disabling the “Office Document Conversions Launcher Service” or blocking TCP port 8082. In normal scenarios, the user needs to first retrieve a launcherUri through a different service called the “Office Document Conversions Load Balancer Service” before connecting to the “Office Document Conversions Launcher Service”. On first look it apears that disabling or blocking access to the load balancer service would also be an effective workaround. However, you should note the launcherUri has a predictable format and could be guessed by an attacker. They could simply connect to the “Office Document Conversions Launcher Service” directly and reach the vulnerability. Therefore, just disabling “Office Document Conversions Load Balancer Service” or blocking the TCP port 8093, which it runs on, would not stop the vulnerability from being triggered.
How can I know if my server was attacked?
The SharePoint ULS (Unified Logging Service) logs are saved under \Program Files\Common Files\Microsoft Shared\web server extensions\12\LOGS. You can review all entries with “Microsoft.Office.Server.Convers (0x12CC) 0x1750 Document Conversions Launcher Service” to check for abnormal document conversion requests.
Acknowledgement
Thanks to Robert Orleth on the SharePoint team and Mark Debenham for their work on this case.
-Chengyun Chu, MSRC Engineering