Category Archives: My Advisories

Soroush Dalili’s Security Advisories

My MDSec Blog Posts so far in 2020!

Lately I have only published blog posts through the MDSec website. I thought it might be a good idea to link what I have published so far here as well:

Covert Web Shells in .NET with Read-Only Web Paths

Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET

Introducing YSoSerial.Net April 2020 Improvements

A Security Review of SharePoint Site Pages

CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)

Code injection in Workflows leading to SharePoint RCE (CVE-2020-0646)

COVID-19 has sadly affected many if not all of us. I hope everyone remains safe and we can all carry on the normal life we had before this crisis. Hopefully I can then publish more blog posts here as well.

More research on .NET deserialization

I have recently published a whitepaper and a blog post as part of work research in NCC Group’s website. A number of plugins have also been added to the ysoserial.net project.

The whitepaper can aid security researchers as well as developers to find more deserialisation issues in .NET applications by identifying built-in methods or classes that can be abused in this process. The whitepaper can be downloaded from: https://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf

In the blog post, I have also explained one of the most interesting findings of the research with which code could be executed upon pasting an object from the clipboard:

New blog: Beware of Deserialisation in .NET Methods and Classes + Code Execution via Paste!https://t.co/kHCEAXAo7H #Deserialisation #.NET #CodeExecution #Infosec pic.twitter.com/lRMECzCEHJ
— NCC Group Infosec (@NCCGroupInfosec) December 17, 2018

ASP.NET resource files (.RESX) and deserialization issues

I have recently published a blog post via NCC Group’s website about the deserialization issue by abusing the ASP.NET resource files (.resx and .resources extensions). A number of products were exploited and some file uploaders can also be vulnerable to this type of attack.

The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

PDF version of the blog post published by NCC Group can be downloaded from:

https://soroush.secproject.com/downloadable/aspnet_resource_files_resx_deserialization_issues.pdf

In addition to this, the advisories can be seen via:

Code Execution by Unsafe Resource Handling in Multiple Microsoft Products: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-unsafe-resource-handling-in-multiple-microsoft-products/

Code Execution by Viewing Resource Files in .NET Reflector: https://www.nccgroup.trust/uk/our-research/technical-advisory-code-execution-by-viewing-resource-files-in-net-reflector/

I had also reported the same vulnerability in Telerik justDecompile and JetBrains dotPeek:

https://blog.jetbrains.com/dotnet/2018/08/02/resharper-ultimate-2018-1-4-rider-2018-1-4-released/

https://www.telerik.com/support/whats-new/justdecompile/release-history/justdecompile-r2-2018-sp1

Relevant tweets about this:

A new @NCCGroupInfosec blog post: RCE using ASPNET resource files and deserialization + Attacking insecure file uploaders on IIS using .RESX or .RESOURCES files: https://t.co/nD0l0bqEbN #Deserialization #AppSec #BugHunting #BugBounty #ASPNET pic.twitter.com/S7qsbkAxMX

— Soroush Dalili (@irsdl) August 2, 2018

+ Code Execution by Unsafe Resource Handling in Multiple Microsoft Products https://t.co/hWXTukNxTd

— Soroush Dalili (@irsdl) August 2, 2018

+ Code Execution by Viewing Resource Files in .NET Reflector https://t.co/mSKcnrWsdr pic.twitter.com/qh9ijai5jp

— Soroush Dalili (@irsdl) August 2, 2018

MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online

I was amongst top 5 bounty hunters in MS Q4 2018: https://blogs.technet.microsoft.com/msrc/2018/07/26/recognizing-q4-top-5-bounty-hunters/

Although I am not doing active bug bounty hunting at the moment, this was a great experience. I got this prize because of reporting two RCEs in SharePoint Online.

One of the RCEs was patched in MS July 2018 patch (CVE-2018-8284) and this was an interesting screenshot:

July2018 MS patch (https://t.co/9kY0AVkI4O) is very important for SharePoint. Not talking about CVE-2018-8300 btw. A low priv authenticated user could exploit it. See the novel way of contacting me upon a rev shell attempt by @MSwannMSFT – CCed @msftsecresponse @NCCGroupInfosec pic.twitter.com/2G6NA1G6X4

— Soroush Dalili (@irsdl) July 19, 2018

I did not get any prize for CVE-2018-8300 which was another RCE in SharePoint using the resource files (the issue was similar to a bug reported in another MS project that I was part of its paid engagement).

SMB hash hijacking & user tracking in MS Outlook

Microsoft (MS) Outlook could be abused to send SMB handshakes externally after a victim opened or simply viewed an email. A WebDAV request was sent even when the SMB port was blocked. This could be used to crack a victim’s password when the SMB hash was sent externally, or to receive a notification when an email had been viewed by a victim.

This issue was partially patched in July 2017 (CVE-2017-8572). According to the Microsoft Security Response Center (MSRC), CVE-2017-11927 that was released in December 2017 had also patched a number of payloads. This patch was updated in May 2018 to address the remaining issues that were mentioned in this report.

The full article can be viewed in NCC Group’s website: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/smb-hash-hijacking-and-user-tracking-in-ms-outlook/

The GitHub project is accessible at https://github.com/nccgroup/OutlookLeakTest.