A security researcher found a fresh way to exploit a recently patched deserialization bug in Microsoft SharePoint and stage remote code execution (RCE) attacks.
The flaw, a variant on an issue that was patched in February, uses the site creation features of SharePoint, Microsoft’s intranet platform, to upload and run malicious files on the server.
Many languages use serialization and deserialization to pass complex objects to servers and between processes. If the deserialization process is insecure, an adversary will be able to exploit it to send malicious objects and run them on the server.
Nguyễn Tiến Giang (Jang), a security researcher at StarLabs, found that when SharePoint servers are configured in a certain way, they will be prone to deserialization attacks that can lead to RCE.
Deserialization part deux
In a detailed blog post, Jang explains that an adversary can exploit the bug by creating a SharePoint List on the server and uploading a malicious gadget chain with the deserialization payload as a PNG attachment.
By sending a render request for the uploaded file, the attacker will trigger the bug and execute the payload on the server.
“A successful attack may give the attacker the ability to get code execution in the target server with privilege of running w3wp.exe process,” Jang told The Daily Swig, referring to the IIS worker process that runs the web application.
Fortunately, the flaw can only be exploited by authenticated adversaries and when the application is in a configuration that turned off by default.
“Luckily, this bug doesn’t exist in a SharePoint with default configuration,” Jang said. “It requires a user with ‘Create Sub-site’ privilege and the State-Service in the target server must be enabled.”
Microsoft patched the bug (CVE-2022-29108) in May’s Patch Tuesday release.
‘Old Wine, New Bottle’
Jang found the bug while analyzing CVE-2022-22005. It turned out that there was another way to trigger the same bug.
“Actually, this bug is very easy to [spot]. There was an analysis blog post about it in March. Just follow the instructions in that blog post and people can easily spot the new variant of CVE-2022-22005,” Jang said.
Jang has described the bug as “Old Wine in a New Bottle” and tweeted a meme based on this theme.
Nguyễn Đình Hoàng (hir0ot), who penned a detailed analysis of CVE-2022-22005, told The Daily Swig that there are usually two ways to fix deserialization bugs: limiting endpoints that deserialize untrusted data or using a whitelist-based type binder.
“Both are difficult to implement effectively in the real world, especially when serialization/deserialization happens in the core protocol, framework, or application that was developed so many years ago,” hir0ot said.
“And the fix also must not impact the functional working of the application. Any fix can easily lead to a bug.”