Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Remote Code Execution in SharePoint via Workflow Compilation - CVE-2021-26420

Zero Day Initiative (ZDI) Posted 4 Years Ago
  • SharePoint workflows are mini-applications that can be used to streamline and automate several business processes. An organization can use workflows to attach business logic to documents or items in SharePoint.
  • The Workflow Foundation runs workflows only when all of the types they use are present in the authorizedTypes list, which is found in the ASP.NET web.config file. Alongside this allowlist is a specific list of denied types from allowed namespaces that are known to be dangerous, such as the System.Workflow.ComponentModel.Compiler option. The post describes a way to circumvent this allowlist and denylist.
  • The Compile() function is offered by the WorkflowCompiler for building applications based on specific parameters. But this allowed namespace is heavily locked down via the denylist for the types that can be used within it. Since denylists are hard to get right, is there a way around this?
  • The bulk of the WorkflowCompiler functionality is implemented within WorkflowCompilerInternal. The WorkflowCompilerInternal code does not have the same denylist entries as the public class and is implicitly allowed via another option in the list. This means that we can access the bulk of the WorkflowCompiler functionality through the internal version!
  • The Compile operation can be called directly via WorkflowCompilerInternal. Using it, code can be compiled without the specific restrictions, allowing arbitrary code to be run on the server without a workflow. The full PoC and walkthrough of the exploit are in the article.
  • Denylisting is really hard to do! If you do not think of every possible entry that could be abused, then it is vulnerable to attack. I bet we will see some bypasses for how this works in the future!
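The allow-then-deny pattern the notes describe, modelled as a small config audit. This is an added example, not code from the ZDI article or from Microsoft: the web.config fragment is constructed, and the matching rules (explicit Authorized="False" entries win, TypeName="*" allows a whole namespace, unlisted types are denied) are a simplified assumption about how Workflow Foundation evaluates authorizedTypes.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not copied from a real SharePoint install):
# the whole Compiler namespace is allowed with a wildcard, then individual
# dangerous types are denied one by one, the pattern the notes above describe.
WEB_CONFIG = """<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedTypes>
      <targetFx version="v4.0">
        <authorizedType Assembly="System.Workflow.ComponentModel"
            Namespace="System.Workflow.ComponentModel.Compiler"
            TypeName="*" Authorized="True"/>
        <authorizedType Assembly="System.Workflow.ComponentModel"
            Namespace="System.Workflow.ComponentModel.Compiler"
            TypeName="WorkflowCompiler" Authorized="False"/>
      </targetFx>
    </authorizedTypes>
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>"""

def load_rules(xml_text):
    """Return (namespace, type_name, allowed) tuples from every authorizedType."""
    root = ET.fromstring(xml_text)
    return [(e.get("Namespace"), e.get("TypeName"), e.get("Authorized") == "True")
            for e in root.iter("authorizedType")]

def is_authorized(rules, full_name):
    """Simplified model (assumption, not WF's real code): allowed only if some
    rule matches and no matching rule denies; unlisted types are denied."""
    namespace, _, type_name = full_name.rpartition(".")
    verdicts = [allowed for ns, tn, allowed in rules
                if ns == namespace and tn in ("*", type_name)]
    return bool(verdicts) and all(verdicts)

def audit_wildcards(rules):
    """Defender's check: for every wildcard allow, list the types explicitly
    denied under it. Anything else in that namespace is allowed implicitly."""
    report = {}
    for ns, tn, allowed in rules:
        if allowed and tn == "*":
            report[ns] = sorted(t for n, t, a in rules
                                if n == ns and not a and t != "*")
    return report

if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    for name in ("System.Workflow.ComponentModel.Compiler.WorkflowCompiler",
                 "System.Workflow.ComponentModel.Compiler.WorkflowCompilerInternal"):
        print(name, "->", "ALLOWED" if is_authorized(rules, name) else "denied")
    print(audit_wildcards(rules))
```

The audit output makes the weakness visible: a wildcard allow with a handful of denies under it means every type nobody thought to deny, the internal class included, is authorized. Enumerating the allowed types explicitly instead of the denied ones removes that gap.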