I have recently published a whitepaper and a blog post as part of work research in NCC Group’s website. A number of plugins have also been added to the ysoserial.net project.
In the blog post, I have also explained one of the most interesting findings of the research with which code could be executed upon pasting an object from the clipboard:
I thought I should document this whilst we are still in 2018…
We used to have Top 10 Web Hacking Techniques every year but it suddenly stopped! After having a private conversation with James Kettle in Twitter, he decided to stand up for this and PortSwigger (the company behind Burp Suite) kindly supported it. The full story can be read here: Top 10 Web Hacking Techniques of 2017 – Nominations Open
I was lucky enough to be on the voting panel despite having a nomination (I couldn’t vote for myself obviously). In the end, I felt honoured that my request encoding technique to bypass WAFs came in the Top 10 2017 (#8 to be exact). There were seriously good research works and I recommend you to check them out: Top 10 Web Hacking Techniques of 2017
I have always tried to share with the AppSec community as that also enable me to learn more by reading other people’s work or research. The last time I was on the Top 10 was 2009 for the IIS semicolon bug (remember file.asp;.txt bypass technique on IIS6?) so good to be back (#6): Top Ten Web Hacking Techniques of 2009 (Official)
The verdict is in! Following a community vote and extensive deliberation, our expert panel has selected the Top 10 Web Hacking Techniques of 2017 https://t.co/PA2p5qGcjG
Although there has always been discussions on the type of submissions such as techniques vs one time vulnerabilities as well as voting patterns, having a list of web related submissions is always useful and we now have it for 2017!
I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a no!). I began to like it more and more just by looking at the generated payloads, and then by reading its useful references. It even answered one of the questions that I always had in mind: “How can ViewState or EventValidation without MAC enabled lead to remote code execution?“; the answer was simple: “deserialization attacks using ObjectStateFormatter or LosFormatter”. I know I was late to the party but as the attack surface is huge, I managed to exploit a number applications including SharePoint without really having deep knowledge in this area.
As mentioned in the MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online post, I managed to exploit two RCEs in SharePoint Workflows that also affected SharePoint on-prem versions. Therefore, in addition to having a good bounty for the online version, I managed to get two CVEs in .NET Framework (CVE-2018-8284 and CVE-2018-8421).
Details of these vulnerabilities were published in NCC Group’s website as can be seen here:
The second one however was a deserialisation issue that was not fully exploited on SharePoint until after the advisory was published. Here is the short story:
If only there were some bounty left for a working RCE exploit …
It should be noted that Microsoft had already given me the maximum bounty that is for an RCE issue even for the second one.
Finally, 2018 was a good year for me on SharePoint finding 3 RCEs in it. If you are wondering what the third one was, the clue is in the ASP.NET resource files (.RESX) and deserialization issues post. I did not receive any bounty for it despite having a reverse shell on the Microsoft SharePoint Online server due to an ongoing engagement my company (NCC Group) had with them at the same time (unlucky me but I was lucky enough to be compensated by my company as they recognised my efforts).