Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft SharePoint WebPart Interpretation Conflict Remote Code Execution Vulnerability - 524

ZDI, posted 4 years ago
  • SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system for teams.
  • The root cause is insufficient input validation. EditingPageParser enforces an allowlist of server controls when a page is created: a control may only be used if it has been declared as a safe control in web.config.
  • When checking whether a directive is allowed, the parser builds a hashmap of all valid server controls. If the type cannot be resolved, the check is skipped entirely rather than failing: the directive is never compared against the allowlist. Under normal circumstances this optimization makes sense, since a type that cannot be resolved cannot be instantiated either.
  • Here is where the vulnerability comes into play: the validator and the parser disagree about whitespace. The validation does NOT trim a trailing space, while the parser does. So a value like Namespace="System.Web.UI.WebControls " (note the trailing space) fails to resolve during validation, which causes the allowlist check to be skipped, but resolves normally at execution time.
  • By instantiating an abusable control, arbitrary code can be run on the server; the PoC uses the System.Web.UI.WebControls.XmlDataSource control. Several smaller steps were needed to turn this into code execution, but they are not the important part: the security boundary is the allowlist, and it has been bypassed.
  • Validation vs. usage bugs are a fascinating class of vulnerabilities that have plagued software for a long time. As we move to safer languages (away from C and C++), these logic bugs will become more and more common.
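To make the validation-vs-usage mismatch concrete, here is a small Python model of it, added here as an illustration. It is not SharePoint's code and not the ZDI PoC: the allowlist, the "known types" table, and the function names are constructed stand-ins for the SafeControls entries in web.config and for runtime type resolution. The vulnerable validator looks up the raw namespace string and fails open when it cannot resolve the type; the loader trims whitespace. The fixed validator normalizes exactly as the loader does and fails closed.

```python
"""Model of a validation/parser whitespace mismatch (illustrative, not SharePoint code)."""

# Constructed stand-in for the SafeControls allowlist in web.config:
# (namespace, type name) pairs that page markup may instantiate.
SAFE_CONTROLS = {
    ("System.Web.UI.WebControls", "Label"),
    ("System.Web.UI.WebControls", "Literal"),
}

# Constructed stand-in for the types the runtime can actually resolve.
KNOWN_TYPES = {
    "System.Web.UI.WebControls": {"Label", "Literal", "XmlDataSource"},
}


def resolve_type(namespace, type_name):
    """Runtime resolution, modelling the parser side: whitespace is trimmed.

    Returns the canonical (namespace, type) pair, or None if unresolvable.
    """
    ns = namespace.strip()
    tn = type_name.strip()
    if tn in KNOWN_TYPES.get(ns, set()):
        return (ns, tn)
    return None


def validate_vulnerable(namespace, type_name):
    """Allowlist check modelled on the bug.

    Looks up the raw, untrimmed strings and treats an unresolvable type as
    'nothing to check' (fails open). A trailing space in the namespace makes
    the lookup miss, so the allowlist is never consulted.
    """
    if type_name not in KNOWN_TYPES.get(namespace, set()):
        return True  # optimization: unknown type, skip the check
    return (namespace, type_name) in SAFE_CONTROLS


def validate_fixed(namespace, type_name):
    """Hardened check: normalize with the same routine the loader uses,
    then fail closed if the type still cannot be resolved."""
    resolved = resolve_type(namespace, type_name)
    if resolved is None:
        return False
    return resolved in SAFE_CONTROLS


def render(namespace, type_name, validate):
    """Simulates the page pipeline: validate first, then instantiate via the
    loader. Returns the instantiated (namespace, type) or None if blocked."""
    if not validate(namespace, type_name):
        return None
    return resolve_type(namespace, type_name)


def demo():
    """Runs the abusable control through both validators, with and without
    the trailing space, and reports what gets instantiated."""
    clean = "System.Web.UI.WebControls"
    padded = "System.Web.UI.WebControls "  # note the trailing space
    return {
        "vuln_clean": render(clean, "XmlDataSource", validate_vulnerable),
        "vuln_padded": render(padded, "XmlDataSource", validate_vulnerable),
        "fixed_padded": render(padded, "XmlDataSource", validate_fixed),
        "fixed_allowed": render(clean, "Label", validate_fixed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'BLOCKED' if result is None else result}")
```

The point the model makes is that the validator and the loader must share one canonicalization routine; if they each normalize on their own, any difference (here, trimming) is a bypass. Failing closed on an unresolvable type closes the second half of the hole, since a skipped check is the same as no check.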