Story of my two (but actually three) RCEs in SharePoint in 2018

I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a no!). I began to like it more and more just by looking at the generated payloads, and then by reading its useful references. It even answered one of the questions that I always had in mind: “How can ViewState or EventValidation without MAC enabled lead to remote code execution?“; the answer was simple: “deserialization attacks using ObjectStateFormatter or LosFormatter”. I know I was late to the party but as the attack surface is huge, I managed to exploit a number applications including SharePoint without really having deep knowledge in this area. 

As mentioned in the MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online post, I managed to exploit two RCEs in SharePoint Workflows that also affected SharePoint on-prem versions. Therefore, in addition to having a good bounty for the online version, I managed to get two CVEs in .NET Framework (CVE-2018-8284 and CVE-2018-8421).

Details of these vulnerabilities were published in NCC Group’s website as can be seen here:

  1. Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint (view PDF)
  2. Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data (view PDF)

The first one was a logical issue in the Workflows. This was the one with the epic Microsoft’s response:

The second one however was a deserialisation issue that was not fully exploited on SharePoint until after the advisory was published. Here is the short story:

Which was shortly followed by a fully working exploit thanks to Alvaro’s tip:

It should be noted that Microsoft had already given me the maximum bounty that is for an RCE issue even for the second one.

Finally, 2018 was a good year for me on SharePoint finding 3 RCEs in it. If you are wondering what the third one was, the clue is in the ASP.NET resource files (.RESX) and deserialization issues post. I did not receive any bounty for it despite having a reverse shell on the Microsoft SharePoint Online server due to an ongoing engagement my company (NCC Group) had with them at the same time (unlucky me but I was lucky enough to be compensated by my company as they recognised my efforts).