Critical SharePoint Remote Code Execution Vulnerability Exploited via Malicious XML Payloads in Web Parts

A recently disclosed remote code execution (RCE) vulnerability in Microsoft SharePoint has been identified, stemming from the deserialization process of WebPart properties. This flaw allows attackers to execute arbitrary code by embedding malicious XML payloads within SharePoint Web Parts, potentially compromising entire SharePoint environments.

Key Takeaways:

1. Malicious XML in SharePoint WebParts can trigger RCE.
2. Unsafe deserialization permits exploitation of the SPThemes DataSet constructor.
3. Crafted payloads are sent via the webpartpages.asmx endpoint.

This critical vulnerability has been patched, but it remains a significant concern for organizations operating vulnerable SharePoint instances.

Understanding the SharePoint WebPart Vulnerability

According to a report by Viettel Security, the vulnerability originates in the SharePoint WebPart control parsing mechanism, specifically within the `Microsoft.SharePoint.WebPartPages.WebPart.AddParsedSubObject()` method. The attack chain follows a complex deserialization path through multiple SharePoint components, ultimately reaching the vulnerable `Microsoft.SharePoint.WebPartPages.Utility.DeserializeStringToObject()` function.

Exploitation Process:

1. Injection of Malicious Content: Attackers inject malicious content into WebPart controls using a specific XML structure.
2. Processing by SharePoint: When SharePoint processes this input, the `AddParsedSubObject()` method extracts the `LiteralControl` text and passes it to `ParseXml()` for deserialization.
3. Deserialization Path: This process involves the `XmlSerializer` and subsequently triggers the `DoPostDeserializationTasks()` method, creating a pathway for malicious code execution.

The core vulnerability lies in the `GetAttachedProperties()` method, where SharePoint deserializes the `_serializedAttachedPropertiesShared` field using the `SPSerializationBinder`. This component allows binary deserialization of any class within SharePoint’s SafeControls, creating a significant security gap.

Technical Details:

Attackers can exploit this by targeting the `Microsoft.SharePoint.ApplicationPages.SPThemes` class, which implements `DataSet` and utilizes unsafe serialization constructors. The exploitation involves crafting a malicious payload using the `AttachedPropertiesShared` element within the WebPart XML structure.

Affected Versions and Impact:

The vulnerability affects SharePoint version 15.0.5145.1000 and may also impact other versions. Successful exploitation grants attackers remote code execution capabilities within the SharePoint application context, potentially leading to complete system compromise.

Recommended Actions:

1. Apply Security Updates: Organizations should immediately apply the latest SharePoint security updates to address this vulnerability.
2. Implement Input Validation: Enforce strict input validation for WebPart content to prevent malicious payloads from being processed.
3. Network Segmentation: Segment networks to limit the exposure of SharePoint servers and monitor SharePoint web service endpoints for suspicious activity.
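As an added example (not code from the Viettel Security report or from SharePoint itself), the following Python detector scores captured requests against the three indicators the report names: a POST to the webpartpages.asmx endpoint, an `AttachedPropertiesShared` element in the WebPart XML, and the `SPThemes` type name. It assumes request bodies are available from a reverse proxy or WAF log (IIS logs alone do not record POST bodies), and the sample records are constructed.

```python
import html
import re

# Indicators named in the report: the SOAP endpoint that accepts WebPart XML,
# the element that carries the serialized properties blob, and the gadget
# class. Paths and bodies used below are constructed for illustration.
ENDPOINT_RE = re.compile(r"webpartpages\.asmx", re.IGNORECASE)
ATTACHED_RE = re.compile(r"<\s*AttachedPropertiesShared\b", re.IGNORECASE)
SPTHEMES_RE = re.compile(r"Microsoft\.SharePoint\.ApplicationPages\.SPThemes", re.IGNORECASE)


def score_request(method: str, path: str, body: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one captured request.

    WebPart XML travels as a string inside the SOAP envelope, so it is usually
    entity-escaped (&lt;AttachedPropertiesShared&gt;); unescape before matching.
    """
    decoded = html.unescape(body or "")
    reasons = []
    if method.upper() == "POST" and ENDPOINT_RE.search(path):
        reasons.append("POST to webpartpages.asmx")
    if ATTACHED_RE.search(decoded):
        reasons.append("AttachedPropertiesShared element in WebPart XML")
    if SPTHEMES_RE.search(decoded):
        reasons.append("SPThemes type name in body")
    return len(reasons), reasons


def find_suspicious(records, threshold=2):
    """Return [(record id, score, reasons)] for records at or above threshold."""
    hits = []
    for rec in records:
        score, reasons = score_request(rec["method"], rec["path"], rec["body"])
        if score >= threshold:
            hits.append((rec["id"], score, reasons))
    return hits


# Constructed sample capture: an ordinary page view, a legitimate WebPart save
# (scores 1, below threshold), and a request carrying the reported indicators.
SAMPLE_RECORDS = [
    {"id": 1, "method": "GET", "path": "/sites/hr/SitePages/Home.aspx", "body": ""},
    {"id": 2, "method": "POST", "path": "/_vti_bin/webpartpages.asmx",
     "body": "<soap:Envelope>&lt;WebPart&gt;&lt;Title&gt;News&lt;/Title&gt;&lt;/WebPart&gt;</soap:Envelope>"},
    {"id": 3, "method": "POST", "path": "/_vti_bin/WebPartPages.asmx",
     "body": ("<soap:Envelope>&lt;WebPart&gt;&lt;AttachedPropertiesShared&gt;"
              "[serialized blob omitted] Microsoft.SharePoint.ApplicationPages.SPThemes"
              "&lt;/AttachedPropertiesShared&gt;&lt;/WebPart&gt;</soap:Envelope>")},
]
```

Running `find_suspicious(SAMPLE_RECORDS)` flags only record 3 with score 3; lowering `threshold` to 1 would also surface every ordinary WebPart save, so tune it against your own baseline traffic.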

This vulnerability underscores the critical importance of secure deserialization practices in enterprise applications and the need for comprehensive security reviews of complex application frameworks like SharePoint.