Do not use insecure deserializer BinaryFormatter – 19th Aug 2020

Preface: SharePoint is a web-based collaborative platform that integrates with Microsoft Office.So called WebParts”gadgets” that provide new functionality when added to a page.

Background: On July 14, 2020, Microsoft released a security update to fix the vulnerabilities found in the .NET Framework, Microsoft SharePoint and Visual Studio. A proof of concept shown that attacker can use tool so called “YSOSERIAL” . This tool can generating payloads that exploit unsafe Java object deserialization. In the sense that when attack make use of tool find the class contains no interface members. From technical point of view, the attacker will use the tool in the first step to find classes that do not contain interface members.The way is to generate a base64 payload of a serialized ObjectStateFormatter gadget chain.As a result, attacker can plug the payload into the following DataSet gadget and trigger remote code execution against the target SharePoint Server.

Example: xxxxxxxxx[.]xxx -g TypeConfuseDelegate -f LosFormatter -c mspaint

Remark: ysoserial is a collection of utilities and property-oriented programming “gadget chains” discovered in common java libraries that can, under the right conditions, exploit Java applications performing unsafe deserialization of objects.

Reference: A specially crafted method sequence needs to be created by the attacker. Each method in the sequence is called a “gadget” and the malicious sequence of method calls is known as a “gadget chain”.

Official announcement: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.