I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a no!). I began to like it more and more just by looking at the generated payloads, and then by reading its useful references. It even answered one of the questions that I always had in mind: “How can ViewState or EventValidation without MAC enabled lead to remote code execution?“; the answer was simple: “deserialization attacks using ObjectStateFormatter or LosFormatter”. I know I was late to the party but as the attack surface is huge, I managed to exploit a number applications including SharePoint without really having deep knowledge in this area.
As mentioned in the MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online post, I managed to exploit two RCEs in SharePoint Workflows that also affected SharePoint on-prem versions. Therefore, in addition to having a good bounty for the online version, I managed to get two CVEs in .NET Framework (CVE-2018-8284 and CVE-2018-8421).
Details of these vulnerabilities were published in NCC Group’s website as can be seen here:
The first one was a logical issue in the Workflows. This was the one with the epic Microsoft’s response:
The second one however was a deserialisation issue that was not fully exploited on SharePoint until after the advisory was published. Here is the short story:
Which was shortly followed by a fully working exploit thanks to Alvaro’s tip:
It should be noted that Microsoft had already given me the maximum bounty that is for an RCE issue even for the second one.
Finally, 2018 was a good year for me on SharePoint finding 3 RCEs in it. If you are wondering what the third one was, the clue is in the ASP.NET resource files (.RESX) and deserialization issues post. I did not receive any bounty for it despite having a reverse shell on the Microsoft SharePoint Online server due to an ongoing engagement my company (NCC Group) had with them at the same time (unlucky me but I was lucky enough to be compensated by my company as they recognised my efforts).
I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.
I had also created a SQL injection challenge for my Twitter followers before the talk but the solution can be seen below (from Twitter):
As some people couldn't quite solve the CTF (https://t.co/g0wZBAfsMc) using the AppSec EU slides, I have attached this slow video that shows how the sqli could be exploited – I used HTTP Smuggler but that could be done manually. It was hard to type while recording ;-) pic.twitter.com/qEkOxKJZhP
Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally, or to receive a notification when an email had been viewed by a victim.
This issue was partially patched in July 2017 (CVE-2017-8572). According to the Microsoft Security Response Center (MSRC), CVE-2017-11927 that was released in December 2017 had also patched a number of payloads. This patch was updated in May 2018 to address the remaining issues that were mentioned in this report.