A serious security flaw was discovered in Microsoft SharePoint that allows an authenticated attacker to execute code remotely by abusing the WebPart processing mechanism. The problem lies in an unsafe deserialization path in the system, through which attackers can inject malicious content into the XML embedded in a WebPart. Microsoft has released a patch, but the specific CVE identifier has yet to be announced.
The vulnerability stems from the way SharePoint handles WebPart controls that contain XML content. When a WebPart is inserted into a page, the system automatically parses and resolves its internal attributes one after another. The weakness is in the class SPObjectStateFormatter, where deserialization is performed without strictly restricting the type of object being processed. If malicious XML content is inserted into a WebPart, the system inadvertently triggers a chain of methods that ends in unsafe deserialization of attacker-controlled data. This is the key link that allows an attacker to execute arbitrary code on the SharePoint server.
Upon receiving a WebPart, SharePoint processes the XML content inside it by calling parsing and deserialization methods in sequence. In this chain, steps such as DoPostDeserializationTasks and, above all, GetAttachedProperties play a key role. Here the property _serializedAttachedPropertiesShared is deserialized through the class SPObjectStateFormatter. The type-binding component, SPSerializationBinder, accepts every class declared in the SafeControls list. That list includes the SPTheme class, an object that can execute code during initialization, which makes it possible for attackers to take control of the system.
Taking advantage of this deserialization weakness, an attacker can craft a malicious binary payload, encode it as Base64, and embed it directly in the WebPart's XML. When it is sent to the SharePoint server via the SOAP interface, this payload forces the system to process it automatically and activate the malicious code. Creating the payload is not technically demanding: tools such as ysoserial can generate a payload disguised as a DataSet, which is then adjusted to take advantage of the SPTheme class for remote code execution.
Organizations using SharePoint need to apply the latest security updates urgently and, at the same time, review every place where a WebPart can accept XML content from users. Because its data-processing mechanism is poorly controlled and can be abused for remote code execution, this vulnerability poses serious risks to internal environments. Deserialization has long been a familiar weakness in many corporate systems, and SharePoint once again shows why it needs to be closely monitored.