Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A Replay-Style Deserialization Attack Against SharePoint - 422

Simon Zuckerbraun - ZDI, posted 5 years ago
  • Microsoft SharePoint is a product that integrates with the rest of the Office suite, including Word. It is very common in enterprises that run a Microsoft stack.
  • A replay attack is about taking a legitimate message and using it again. The idea is that the message is authorized for one action, but nothing stops an attacker from reusing it once it has been seen.
  • Another attack is insecure deserialization. Complicated applications commonly receive or process serialized objects. These objects can be code, integers or anything else. Sometimes, deserializing them can lead to code execution.
  • SharePoint deserialized certain objects that are not normally user controlled, so the serialized data is not directly controlled by an attacker. If we could trick the system into using our input for this state functionality, we would have easy code execution.
  • The session state and stored file information are both kept in serialized formats. By abusing this fact, we may be able to trick SharePoint into deserializing the stored file information as the session by changing an identifier.
  • The steps in the article are sort of confusing... but the idea is that we can trick the application into following the insecure deserialization path for the session handling with the file functionality. By making this happen, we get code execution with our user-controlled data.
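The identifier confusion the summary describes (a blob stored for one purpose being deserialized as if it were another) and one mitigation for it, as an added example that is not from the article or from SharePoint. It uses JSON rather than a code-executing serializer, so the naive path only shows the wrong record being accepted as session state; the hardened path binds every blob to its purpose and identifier with an HMAC under a server-held key, so a file-information record presented under a session identifier is rejected before it is parsed. The store layout, function names and the `SERVER_KEY` value are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed secret for the example; a real service would load this from a key store.
SERVER_KEY = b"constructed-example-key"


def _tag(purpose, ident, payload):
    """MAC that commits a blob to the purpose and identifier it was written for."""
    msg = purpose.encode() + b"\0" + ident.encode() + b"\0" + payload
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def put(store, ident, purpose, obj):
    """Serialize `obj` under `ident`, tagged with the purpose it is meant for."""
    payload = json.dumps(obj).encode()
    store[ident] = (payload, _tag(purpose, ident, payload))


def load_naive(store, ident):
    """Vulnerable pattern: whatever sits under `ident` is deserialized as session state."""
    payload, _ = store[ident]
    return json.loads(payload)


def load_bound(store, ident, purpose):
    """Hardened pattern: recompute the tag for the purpose and identifier we expect
    and refuse to deserialize unless it matches the stored one."""
    payload, tag = store[ident]
    if not hmac.compare_digest(tag, _tag(purpose, ident, payload)):
        raise ValueError(f"blob under {ident!r} was not written as {purpose}")
    return json.loads(payload)


def relabel(store, src_ident, dst_ident):
    """Model the identifier swap from the summary: the bytes stored for one record
    are presented under another identifier. No bytes are modified."""
    store[dst_ident] = store[src_ident]


def demo():
    """Constructed scenario: a session record and a file record share one backing store."""
    store = {}
    put(store, "sess-1", "session", {"user": "alice", "role": "reader"})
    put(store, "file-7", "fileinfo", {"name": "notes.docx", "owner": "mallory"})

    # The legitimate lookups work on both paths.
    assert load_bound(store, "file-7", "fileinfo")["name"] == "notes.docx"

    # Attacker-influenced step: the file record is looked up as if it were the session.
    relabel(store, "file-7", "sess-1")

    naive = load_naive(store, "sess-1")  # file data is now accepted as session state
    try:
        load_bound(store, "sess-1", "session")
        bound = "accepted"
    except ValueError:
        bound = "rejected"
    return naive, bound


if __name__ == "__main__":
    naive_result, bound_result = demo()
    print("naive loader returned:", naive_result)
    print("bound loader:", bound_result)
```

The MAC covers the purpose and the identifier as well as the payload, so the check fails both when a blob is moved between record types and when it is moved between two records of the same type. The same binding can be achieved with separate key namespaces per purpose when the storage layer itself is trusted; the MAC is what keeps the check honest when the identifier is the only thing the caller can influence.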