{"id":10297,"date":"2025-08-09T15:58:10","date_gmt":"2025-08-09T08:58:10","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10297"},"modified":"2026-02-03T16:04:37","modified_gmt":"2026-02-03T09:04:37","slug":"toolshell-chuoi-khai-thac-sharepoint-nguy-hiem-phoi-bay-khoang-trong-trong-va-loi-bao-mat","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/08\/09\/toolshell-chuoi-khai-thac-sharepoint-nguy-hiem-phoi-bay-khoang-trong-trong-va-loi-bao-mat\/","title":{"rendered":"ToolShell \u2013 A dangerous SharePoint exploit chain exposes gaps in security patching"},
"content":{"rendered":"<p>In mid-July 2025, the international cybersecurity community recorded a string of dangerous attacks against <strong>on-premises Microsoft SharePoint<\/strong>. What is worrying is not only the severity of the vulnerabilities but also the fact that <strong>systems that had already been patched continued to be exploited<\/strong>.<\/p>\n<p>Experts named this attack chain <strong>ToolShell<\/strong> \u2013 a textbook example of how a single small mistake in the patching process can open the door for attackers to take complete control of a server.<\/p>\n<p>According to analysis by security vendor <strong>Kaspersky<\/strong>, ToolShell is a sophisticated combination of several SharePoint vulnerabilities that allows an attacker to execute code remotely <strong>without authentication<\/strong>.<\/p>\n<article id=\"content\" class=\"content gradient\">\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/2112c52e-3e7d-4f6a-a347-316a35241845\/1(4348).png\" \/><\/p>\n<p>CVE-2025-49704 and CVE-2025-49706 are two vulnerabilities discovered by researcher <a href=\"https:\/\/antoanthongtin.vn\/tin\/dang-sau-lo-hong-nghiem-trong-dang-bi-khai-thac-tich-cuc-tren-microsoft-sharepoint\">\u0110inh H\u1ed3 Anh Khoa<\/a> of Viettel Cyber Security (VCS) at the <a href=\"https:\/\/antoanthongtin.vn\/tin\/nhieu-dau-an-noi-bat-tai-pwn2own-berlin-2025\">Pwn2Own Berlin 2025<\/a> contest; they were patched in the July 2025 Patch Tuesday update. Microsoft has since released additional security updates to fully protect all SharePoint versions affected by CVE-2025-53770 and CVE-2025-53771.<\/p>\n<p>Kaspersky's statistics show that large-scale exploitation began on 18 July 2025, with attackers targeting servers around the world in Egypt, Jordan, Russia, Vietnam and Zambia.<\/p>\n<p>During its analysis, Kaspersky found a copy of the POST requests identified as carrying the malicious payload used in the attacks; sending a single such request to an affected SharePoint installation is enough to execute the malicious payload on it.<\/p>\n<p>Kaspersky's analysis of the vulnerability shows that it relies on the bugs fixed as CVE-2025-49704 and CVE-2025-49706 in the July 2025 Patch Tuesday update, but by changing a single byte in the request the researchers were able to bypass that patch.<\/p>\n<p><strong>Exploiting the vulnerability<\/strong><\/p>\n<p>Kaspersky's research began with the analysis of a POST request tied to this wave of attacks on <a href=\"https:\/\/antoanthongtin.vn\/tin\/microsoft-lien-ket-cac-cuoc-tan-cong-sharepoint-toolshell-voi-tin-tac-trung-quoc\">SharePoint<\/a> servers.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/29e3a943-4e06-4527-a64b-1a4ef1481622\/ToolShell-img1-1024x576.png\" \/><\/p>\n<p>In Figure 1, this POST request targets the \u201c\/_layouts\/15\/ToolPane.aspx\u201d endpoint and embeds two parameters: \u201cMSOtlPn_Uri\u201d and \u201cMSOtlPn_DWP\u201d. Inspecting the code of ToolPane[.]aspx, the file itself contains little functionality; most of its code lives in the ToolPane class of the Microsoft[.]SharePoint[.]WebPartPages namespace in Microsoft[.]SharePoint[.]dll.<\/p>\n<p>Analysing that class shows that its code operates on the two parameters present in the exploit. Under normal conditions, however, this endpoint cannot be reached without bypassing authentication on the targeted SharePoint server. This is where the first Microsoft SharePoint Server spoofing vulnerability, CVE-2025-49706, comes into play.<\/p>\n<p><strong>CVE-2025-49706<\/strong><\/p>\n<p>This vulnerability lies in the PostAuthenticateRequestHandler method of Microsoft[.]SharePoint[.]dll. SharePoint requires Internet Information Services (IIS) to be configured in integrated mode. In this mode the IIS and ASP.NET authentication stages are merged. As a result, the outcome of IIS authentication is not known until the PostAuthenticateRequest stage, by which point both the ASP.NET and IIS authentication methods have completed. The PostAuthenticateRequestHandler method therefore uses a series of flags to track potential authentication violations. A logic error in this method allows authentication to be bypassed if the HTTP request's \u201cReferrer\u201d header is set to \u201c\/_layouts\/SignOut.aspx\u201d, \u201c\/_layouts\/14\/SignOut.aspx\u201d or \u201c\/_layouts\/15\/SignOut.aspx\u201d.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/3cbea65e-572b-4c02-9ebb-7eb0de18331e\/2222(7).png\" \/><\/p>\n<p>In Figure 2, the code handles sign-out requests and is also triggered when the sign-out page is specified as the referrer page. When flag6 is set to false and flag7 is set to true, both conditional branches that could raise an \u201cUnauthorized Access\u201d exception are bypassed.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/f7bf7700-6eb1-4557-92dc-5fbad589990c\/3(1455).png\" \/><\/p>\n<p>On 8 July 2025, Microsoft released a patch addressing this security vulnerability by introducing additional checks to detect use of the \u201cToolPane.aspx\u201d endpoint with the sign-out page specified as the referrer page.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/55f62606-b1a3-4b08-9c37-33001edb32d5\/ToolShell-img4(1).png\" \/><\/p>\n<p>The additional check uses a case-insensitive comparison to verify whether the requested path ends with \u201cToolPane[.]aspx\u201d. Could this check be bypassed by using a different endpoint? Kaspersky's testing showed that the check can be bypassed easily.<\/p>\n<p><strong>CVE-2025-53771<\/strong><\/p>\n<p>Kaspersky succeeded in bypassing the patch for CVE-2025-49706 by adding just one byte to the POST request while testing the exploit. To bypass it, the researchers only needed to append a \u201c\/\u201d to the end of the requested \u201cToolPane[.]aspx\u201d path.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/84a92cf3-0279-4d8a-b26e-4937d8d3685b\/ToolShell-img5-1024x169.png\" \/><\/p>\n<p>On 20 July 2025, Microsoft released an update fixing this bypass (CVE-2025-53771). The patch replaced the \u201cToolPane[.]aspx\u201d check with a check of whether the requested path is in a list of paths allowed to be used with the sign-out page as the referrer link.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/8f70fbe6-ba13-4f46-b0e3-33d87cdc99f3\/ToolShell-img6.png\" \/><\/p>\n<p>This allow list includes the following paths: \u201c\/_layouts\/15\/SignOut.aspx\u201d, \u201c\/_layouts\/15\/1033\/initstrings.js\u201d, \u201c\/_layouts\/15\/init.js\u201d, \u201c\/_layouts\/15\/theming.js\u201d, \u201c\/ScriptResource.axd\u201d, \u201c\/_layouts\/15\/blank.js\u201d, \u201c\/ScriptResource.axd\u201d, \u201c\/WebResource.axd\u201d, \u201c\/_layouts\/15\/1033\/styles\/corev15.css\u201d, \u201c\/_layouts\/15\/1033\/styles\/error.css\u201d, \u201c\/_layouts\/15\/images\/favicon.ico\u201d, \u201c\/_layouts\/15\/1033\/strings.js\u201d, \u201c\/_layouts\/15\/core.js\u201d, and it may contain additional paths added by administrators.<\/p>\n<p>When testing the CVE-2025-49706 bypass with the 8 July update installed on Kaspersky's SharePoint debug platform, the researchers noticed some strange behaviour. Not only did the CVE-2025-49706 bypass succeed, but so did the whole exploit chain. That raises a question: hadn't the attackers chained in another Microsoft SharePoint remote code execution vulnerability, CVE-2025-49704, which was supposedly fixed in the same update? To understand why the whole exploit chain still succeeded in this case, let us look at CVE-2025-49704 and how it was fixed.<\/p>\n<p><strong>CVE-2025-49704<\/strong><\/p>\n<p>CVE-2025-49704 is an untrusted data deserialization vulnerability that exists because of improper validation of XML content. Looking at the exploit POST request, the researchers note that it contains two URL-encoded parameters: \u201cMSOtlPn_Uri\u201d and \u201cMSOtlPn_DWP\u201d. How they are processed can be seen by examining the code of the GetPartPreviewAndPropertiesFromMarkup method in Microsoft.SharePoint.dll.<\/p>\n<p>A quick analysis shows that \u201cMSOtlPn_Uri\u201d is a page URL that can point to any file in the CONTROLTEMPLATES directory, while the \u201cMSOtlPn_DWP\u201d parameter contains WebPart markup in a format very similar to XML.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/57213d88-9405-4ad5-b8e7-c38f0741019a\/ToolShell-img7.png\" \/><\/p>\n<p>Although this \u201cXML\u201d in the \u201cMSOtlPn_DWP\u201d parameter does not itself contain a security flaw, it allows an attacker to instantiate the ExcelDataSet control from Microsoft[.]PerformancePoint[.]Scorecards[.]Client[.]dll with its CompressedDataTable property set to a malicious payload, and to trigger processing through the DataTable property getter.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/dc852f79-5e11-45c0-9c1e-30ae76740d07\/ToolShell-img8-updated.png\" \/><\/p>\n<p>Examining the code of the DataTable property getter of ExcelDataSet in Microsoft[.]PerformancePoint[.]Scorecards[.]Client[.]dll, the researchers found the GetObjectFromCompressedBase64String method, which is responsible for deserializing the contents of the CompressedDataTable property. The data, a Base64 string, is decoded, decompressed and passed to the BinarySerialization[.]Deserialize method from Microsoft[.]SharePoint[.]dll.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/ae6dad28-9920-418f-9c81-87eab8afd7a1\/ToolShell-img9-1024x680.png\" \/><\/p>\n<p>The attacker uses this path to supply a malicious DataSet whose deserialized content, shown in Figure 9, contains an XML document with an element of the dangerous type \u201cSystem[.]Collections[.]Generic[.]List`1[[System.Data[.]Services[.]Internal[.]ExpandedWrapper`2[&#8230;], System[.]Data[.]Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]\u201d, which lets the attacker execute arbitrary methods with the help of the ExpandedWrapper technique, a known way of exploiting unsafe XML deserialization in applications built on the .NET Framework.<\/p>\n<p>This should not be possible, because BinarySerialization[.]Deserialize in Microsoft[.]SharePoint[.]dll uses a special XmlValidator designed to protect against this technique by checking the type of every element in the supplied XML and ensuring it is on the list of allowed types. However, this vulnerability bypasses that check by placing the ExpandedWrapper object inside a list.<\/p>\n<p>Now, to understand why the exploit still worked on Kaspersky's SharePoint debug platform, let us look at how this security vulnerability was fixed. In the Patch Tuesday update, Microsoft did not actually fix the vulnerability but only mitigated it by adding a new AddExcelDataSetToSafeControls class to the Microsoft[.]SharePoint[.]Upgrade namespace. This class contains new code that modifies the web[.]config file and marks the Microsoft[.]PerformancePoint[.]Scorecards[.]ExcelDataSet control as unsafe.<\/p>\n<p>Because SharePoint does not run this code on its own after the updates are installed, the only way to obtain the security benefit is to run the configuration upgrade manually with the SharePoint Products Configuration Wizard. Notably, the security guidance for CVE-2025-49704 did not mention the need to perform this step, which means at least some SharePoint administrators may have skipped it. Meanwhile, anyone who installed this update but did not perform the manual configuration upgrade remains at risk of attack.<\/p>\n<p><strong>CVE-2025-53770<\/strong><\/p>\n<p>On 20 July 2025, Microsoft released an update with a patch for CVE-2025-53770. This patch introduces an updated XmlValidator that can now correctly validate the element types in the XML, preventing exploitation of the vulnerability without requiring a configuration upgrade; more importantly, it addresses the root cause and prevents exploitation of this vulnerability through controls other than Microsoft[.]PerformancePoint[.]Scorecards[.]ExcelDataSet.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/5e5c0143-e6b6-43ee-9464-c5111b69bb67\/ToolShell-img11.png\" \/><\/p>\n<p><strong>CVE-2020-1147<\/strong><\/p>\n<p>Many researchers familiar with earlier SharePoint exploits may feel that CVE-2025-49704, CVE-2025-53770 and the exploits used by the attackers look very much like the .NET Framework, SharePoint Server and Visual Studio remote code execution vulnerability CVE-2020-1147. In fact, comparing CVE-2020-1147 with CVE-2025-49704\/CVE-2025-53770 shows that they are almost identical. The only difference is that in the exploit for CVE-2025-49704\/CVE-2025-53770, the dangerous ExpandedWrapper object is placed inside a list. This effectively makes CVE-2025-53770 a bypass of the patch for CVE-2020-1147.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/25dc1502-c888-48c4-a0f2-b229d5935cdc\/10(469).png\" \/><\/p>\n<p>Although patches for the ToolShell vulnerabilities are now available for deployment, the researchers assess that this exploit chain will continue to be abused by attackers for a long time. Kaspersky has observed the same pattern with other security vulnerabilities such as ProxyLogon, PrintNightmare and EternalBlue. Even though they have been known for years, many threat actors continue to use them in attacks to break into unpatched systems.<\/p>\n<p>To be better protected against threats like ToolShell, organisations should bear in mind that the speed at which security patches are applied is now the single most important factor in handling vulnerabilities. Because critical security vulnerabilities like these are often exploited publicly soon after disclosure, installing patches as early as possible is extremely important.<\/p>\n<\/article>\n","protected":false},
"excerpt":{"rendered":"<p>In mid-July 2025, the international cybersecurity community recorded a string of dangerous attacks against on-premises Microsoft SharePoint. What is worrying is not only the severity of the vulnerabilities but also the fact that systems that had already been patched continued [&hellip;]<\/p>\n","protected":false},
"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10297","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10297"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10297\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}