In recent cybersecurity developments, attackers have been leveraging deserialization vulnerabilities within Microsoft SharePoint to extract Internet Information Services (IIS) Machine Keys. This sophisticated method enables adversaries to bypass security protocols, forge trusted data, and establish persistent remote code execution (RCE) capabilities on compromised servers.
Understanding the Attack Mechanism
The attack initiates with the exploitation of a known deserialization vulnerability in SharePoint. Deserialization vulnerabilities occur when untrusted data is processed to reconstruct objects, potentially allowing malicious code execution. In this scenario, attackers exploit such a vulnerability to execute arbitrary commands on the SharePoint server.
Upon gaining initial access, the attackers upload a malicious ASPX file to the server. Unlike traditional malware, this file’s primary function is to extract the server’s IIS Machine Key. The IIS Machine Key is a critical cryptographic component in ASP.NET applications, responsible for encrypting and validating sensitive data such as VIEWSTATE, cookies, and session information. VIEWSTATE is a mechanism used to preserve the state of a web page between user interactions, relying on the Machine Key for its security.
Methods of Machine Key Extraction
The method of extracting the Machine Key depends on how it is stored within the server environment:
1. Plain Text Storage in `web.config`: In many server farms, administrators store the Machine Key in plain text within the `web.config` file to facilitate synchronization across servers. If an attacker gains file-read access, they can simply retrieve the key from this file.
2. Registry Storage with Auto-Generated Keys: By default, IIS auto-generates the Machine Key and stores it in the Windows Registry. While this method is more secure, the initial SharePoint exploit provides attackers with sufficient privileges to execute scripts capable of reading the key directly from the Registry.
Implications of Machine Key Compromise
Once in possession of the Machine Key, attackers can craft malicious VIEWSTATE objects containing RCE payloads. Tools like `ysoserial.net` can be used to generate these payloads, which are then signed with the legitimate Machine Key. When such a payload is sent to any ASPX page within the application, the IIS server, trusting the signature, deserializes the object and executes the embedded code. This process grants the attacker a persistent backdoor into the server, allowing for continuous unauthorized access and control.
Notably, the malicious VIEWSTATE can be sent to any ASPX page within the application, not just the originally vulnerable one, and the access persists even after server reboots.
Recommendations for Mitigation
To mitigate the risks associated with this attack vector, administrators are urged to take the following actions:
1. Regenerate Compromised Machine Keys: If a server has experienced any form of unauthorized code execution, its Machine Key should be considered compromised. Administrators should manually regenerate the Machine Key to prevent further exploitation.
2. Monitor for Unauthorized Access: Security teams should monitor Windows Application event logs for Event Code 4009, which indicates a VIEWSTATE verification failure. This event serves as a strong indicator that an attacker is attempting to exploit the deserialization process with a forged payload.
3. Secure Machine Key Storage: Avoid storing Machine Keys in plain text within configuration files. Instead, utilize secure storage mechanisms and ensure that access controls are in place to protect these critical components.
4. Apply Security Patches: Regularly update SharePoint and IIS servers with the latest security patches to address known vulnerabilities and reduce the attack surface.
5. Implement Least Privilege Access: Restrict permissions to the minimum necessary for users and services, thereby limiting the potential impact of a compromised account or service.
Conclusion
The exploitation of SharePoint deserialization vulnerabilities to steal IIS Machine Keys represents a significant threat to the security of web applications. By understanding the attack vectors and implementing robust security measures, organizations can protect their systems from such sophisticated attacks and ensure the integrity of their web applications.
