SharePoint RCE bug resurfaces three months after being patched by Microsoft
Deserialization vulnerabilities are hard to fix
Ben Dickson 16 May 2022 at 13:38 UTC
A security researcher found a fresh way to exploit a recently patched deserialization bug in Microsoft SharePoint and stage remote code execution (RCE) attacks.
The flaw, a variant on an issue that was patched in February, uses the site creation features of SharePoint, Microsoft’s intranet platform, to upload and run malicious files on the server.
Many languages use serialization and deserialization to pass complex objects to servers and between processes. If the deserialization process is insecure, an adversary can exploit it by sending malicious objects that execute code on the server when they are reconstructed.
Nguyễn Tiến Giang (Jang), a security researcher at StarLabs, found that when SharePoint servers are configured in a certain way, they will be prone to deserialization attacks that can lead to RCE.
Deserialization part deux
In a detailed blog post, Jang explains that an adversary can exploit the bug by creating a SharePoint List on the server and uploading a malicious gadget chain with the deserialization payload as a PNG attachment.
By sending a render request for the uploaded file, the attacker will trigger the bug and execute the payload on the server.
“A successful attack may give the attacker the ability to get code execution in the target server with privilege of running w3wp.exe process,” Jang told The Daily Swig, referring to the IIS worker process that runs the web application.
Fortunately, the flaw can only be exploited by authenticated adversaries, and only when the application is in a configuration that is turned off by default.
“Luckily, this bug doesn’t exist in a SharePoint with default configuration,” Jang said. “It requires a user with ‘Create Sub-site’ privilege and the State-Service in the target server must be enabled.”
Microsoft patched the bug (CVE-2022-29108) in May’s Patch Tuesday release.
‘Old Wine, New Bottle’
Jang found the bug while analyzing CVE-2022-22005. It turned out that there was another way to trigger the same bug.
“Actually, this bug is very easy to [spot]. There was an analysis blog post about it in March. Just follow the instructions in that blog post and people can easily spot the new variant of CVE-2022-22005,” Jang said.
Jang has described the bug as “Old Wine in a New Bottle” and tweeted a meme based on this theme.
Nguyễn Đình Hoàng (hir0ot), who penned a detailed analysis of CVE-2022-22005, told The Daily Swig that there are usually two ways to fix deserialization bugs: limiting endpoints that deserialize untrusted data or using a whitelist-based type binder.
“Both are difficult to implement effectively in the real world, especially when serialization/deserialization happens in the core protocol, framework, or application that was developed so many years ago,” hir0ot said.
“And the fix also must not impact the functional working of the application. Any fix can easily lead to a bug.”
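As an added illustration of the second mitigation hir0ot mentions (this is not code from SharePoint, from Microsoft's patch, or from either researcher), the C# below shows an allow-list SerializationBinder attached to a .NET formatter; the names `AllowListBinder`, `ListItemDto` and `SafeDeserialize` are hypothetical, and the example assumes .NET Framework, where BinaryFormatter is still available.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Allow-list binder: only the types named here may be materialised from a payload.
// Throwing, rather than returning null, is essential: for BinaryFormatter a null
// return falls back to default type resolution, which would silently defeat the check.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        [typeof(ListItemDto).FullName] = typeof(ListItemDto),
        [typeof(string).FullName] = typeof(string),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type))
            return type;

        // Deny everything else, including framework types that gadget chains rely on.
        throw new SerializationException(
            $"Type '{typeName}' from '{assemblyName}' is not on the deserialization allow-list.");
    }
}

// Hypothetical DTO standing in for the data an endpoint legitimately exchanges.
[Serializable]
public sealed class ListItemDto
{
    public string Title;
    public int Count;
}

public static class SafeDeserialize
{
    // BinaryFormatter is obsolete on .NET 5+ (SYSLIB0011); shown here because it is
    // the formatter the binder protects on .NET Framework.
    public static ListItemDto Load(byte[] payload)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var stream = new MemoryStream(payload))
        {
            // With the binder attached, a payload naming any other type throws
            // before that object is constructed.
            return (ListItemDto)formatter.Deserialize(stream);
        }
    }
}
```

The binder is only a second line of defence; it does not remove the need to keep untrusted input away from deserialization endpoints in the first place, which is the other fix hir0ot describes.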