HighProventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This event indicates the transfer of an XML SOAP document which may result in code execution on a SharePoint server.
High
Proventia Network IPS: XPU 30.120, Proventia Desktop: 2590, RealSecure Server Sensor: XPU 30.120, RealSecure Network: XPU 30.120, Proventia Network IDS: XPU 30.120, Proventia-G 1.1 and earlier: XPU 30.120, Proventia Network MFS: XPU 30.120, IBM Security Server Protection for Windows: 2.1.14.2590, Virtual Server Protection for Vmware: XPU 30.120, Proventia Server IPS for Linux technology: 30.120
Microsoft SharePoint Server: 2007 SP2 x32, Microsoft SharePoint Server: 2007 SP2 x64
Unauthorized Access Attempt
Microsoft Sharepoint could allow a remote attacker to execute arbitrary code on the system, caused by the improper validation of SOAP requests by the Document Conversions Launcher Service. By sending a specially-crafted SOAP request, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS10-104. See References.
Microsoft Security Bulletin MS10-104
Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)
http://www.microsoft.com/technet/security/bulletin/ms10-104.mspx
ZDI-10-287
Microsoft SharePoint Server Arbitrary File Upload Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-287
ISS X-Force
Microsoft Sharepoint SOAP code execution
http://www.iss.net/security_center/static/63545.php
CVE
CVE-2010-3964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3964