Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

SharePoint ToolShell – One Request PreAuth RCE Chain- 1935

viettel, posted 4 hours ago
  • The first vulnerability that the author found was a deserialization vulnerability. In SharePoint, there is arbitrary deserialization of DataSet and DataTable in some functions. Because DataSet is a well-known gadget in ysoserial, Microsoft has a filtering mechanism. It will strip out all other serialization information except for XmlSchema and XmlDiffGram.
  • The type validation only accepts types on a simple allowlist. However, this validation doesn't apply to nested types, such as a type within an array. This allows for bypassing the allowlist check and getting RCE via known deserialization bugs. This attack requires authentication, so the author started looking for ways to trigger this functionality without auth. SharePoint appears to have both general auth and page-level auth to get past.
  • It's possible to trigger simple ToolPane functionality to reach this. First, if the Referer header is set to a specific value, then it bypasses authentication. Next, they need to trigger the vulnerability before the page verification occurs in the Load() event. By combining the usage of ToolPane and SPWebPartManager, an attacker can force SharePoint to trigger the vulnerable code prior to the full ASP.NET lifecycle taking place. All of this was just reverse-engineering the application and seeing which paths could be hit.
  • The rest of the blog post is slightly hard to follow. Regardless, it's an interesting look into the ASP.NET and SharePoint security world. The bug is super impactful and a cool Pwn2Own entry.
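The second bullet's point about nested types is worth seeing in code: a validator that only inspects the outermost type name is not a type allowlist at all once arrays or generic containers are involved. The following Python is an added illustration and is not code from the blog post or from SharePoint; the allowlists, the sample type strings and the function names are constructed for the example. It parses .NET-style type strings (assembly qualifiers, `T[]` arrays and ``Name`N[[arg],...]`` generics) and compares a naive check that waves containers through against a strict check that recurses into every element and argument type.

```python
import re

# Constructed illustration of the "simple type allowlist" problem described above.
# The allowlists are hypothetical and are NOT SharePoint's real lists; the point is
# the difference between checking only the outermost type name and checking every
# nested type (array elements, generic arguments) recursively.

SIMPLE_ALLOWLIST = {
    "System.String", "System.Int32", "System.Int64", "System.Boolean",
    "System.DateTime", "System.Decimal", "System.Double", "System.Guid",
}

# Containers a naive validator might treat as "safe by construction".
CONTAINER_ALLOWLIST = {
    "System.Collections.Generic.List`1",
    "System.Nullable`1",
}

ARRAY = "[]"  # sentinel returned by parse_type for array types
_ARRAY_SUFFIX = re.compile(r"\[,*\]$")  # matches "[]" and multi-dimensional "[,]"


def strip_assembly(spec):
    """Drop an assembly qualifier ("Type, mscorlib, Version=...") found at bracket depth 0."""
    depth = 0
    for i, ch in enumerate(spec):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == "," and depth == 0:
            return spec[:i].strip()
    return spec.strip()


def split_top_level(s):
    """Split on commas that are not nested inside square brackets."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def parse_type(spec):
    """Return (name, args): arrays give (ARRAY, [element]), generics give
    (open_generic_name, [arg, ...]) and plain types give (name, [])."""
    spec = strip_assembly(spec)
    m = _ARRAY_SUFFIX.search(spec)
    if m:
        return ARRAY, [spec[:m.start()]]
    idx = spec.find("[")
    if idx == -1:
        return spec, []
    name, inner = spec[:idx], spec[idx + 1:-1]
    args = []
    for a in split_top_level(inner):
        a = a.strip()
        if a.startswith("[") and a.endswith("]"):  # [System.String, mscorlib]
            a = a[1:-1]
        args.append(a)
    return name, args


def naive_is_allowed(spec):
    """Flawed model: checks only the outermost type and waves containers through."""
    name, _args = parse_type(spec)
    if name == ARRAY or name in CONTAINER_ALLOWLIST:
        return True
    return name in SIMPLE_ALLOWLIST


def strict_is_allowed(spec, depth=0):
    """Hardened model: every nested type must itself pass the allowlist."""
    if depth > 8:  # refuse pathological nesting instead of recursing forever
        return False
    name, args = parse_type(spec)
    if name == ARRAY:
        return strict_is_allowed(args[0], depth + 1)
    if name in CONTAINER_ALLOWLIST:
        return bool(args) and all(strict_is_allowed(a, depth + 1) for a in args)
    return name in SIMPLE_ALLOWLIST and not args


def compare(spec):
    """Return (naive_verdict, strict_verdict) for one type string."""
    return naive_is_allowed(spec), strict_is_allowed(spec)


# Constructed sample type strings; the DataSet nested in a container is the
# kind of input the naive check lets through and the strict check rejects.
SAMPLES = [
    "System.String",
    "System.Int32[][]",
    "System.Object[]",
    "System.Collections.Generic.List`1[[System.Int32, mscorlib]]",
    "System.Collections.Generic.List`1[[System.Data.DataSet, System.Data]]",
    "System.Data.DataSet, System.Data",
]

if __name__ == "__main__":
    for s in SAMPLES:
        naive, strict = compare(s)
        print(f"naive={naive!s:<5} strict={strict!s:<5} {s}")
```

The design point is that the allowlist decision has to be made at every level of the type tree, and that containers are only as safe as the least trusted type they can carry; the depth limit is there so a hostile type string cannot turn the validator itself into a recursion problem.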