Lately I have only published blog posts through the MDSec website. I thought it might be a good idea to link what I have published so far here as well:
COVID-19 has sadly affected many if not all of us. I hope everyone remains safe and we can all carry on the normal life we had before this crisis. Hopefully I can then publish more blog posts here as well.
I became interested in looking at .NET deserialization issues in Jan. 2018 when a work colleague (Daniele Costa) asked me whether I had worked with the ysoserial.net tool before (and the answer was a no!). I began to like it more and more just by looking at the generated payloads, and then by reading its useful references. It even answered one of the questions that I always had in mind: “How can ViewState or EventValidation without MAC enabled lead to remote code execution?“; the answer was simple: “deserialization attacks using ObjectStateFormatter or LosFormatter”. I know I was late to the party but as the attack surface is huge, I managed to exploit a number applications including SharePoint without really having deep knowledge in this area.
As mentioned in the MS 2018 Q4 – Top 5 Bounty Hunter for 2 RCEs in SharePoint Online post, I managed to exploit two RCEs in SharePoint Workflows that also affected SharePoint on-prem versions. Therefore, in addition to having a good bounty for the online version, I managed to get two CVEs in .NET Framework (CVE-2018-8284 and CVE-2018-8421).
Details of these vulnerabilities were published in NCC Group’s website as can be seen here:
The second one however was a deserialisation issue that was not fully exploited on SharePoint until after the advisory was published. Here is the short story:
If only there were some bounty left for a working RCE exploit …
It should be noted that Microsoft had already given me the maximum bounty that is for an RCE issue even for the second one.
Finally, 2018 was a good year for me on SharePoint finding 3 RCEs in it. If you are wondering what the third one was, the clue is in the ASP.NET resource files (.RESX) and deserialization issues post. I did not receive any bounty for it despite having a reverse shell on the Microsoft SharePoint Online server due to an ongoing engagement my company (NCC Group) had with them at the same time (unlucky me but I was lucky enough to be compensated by my company as they recognised my efforts).
Although I am not doing active bug bounty hunting at the moment, this was a great experience. I got this prize because of reporting two RCEs in SharePoint Online.
One of the RCEs was patched in MS July 2018 patch (CVE-2018-8284) and this was an interesting screenshot:
I did not get any prize for CVE-2018-8300 which was another RCE in SharePoint using the resource files (the issue was similar to a bug reported in another MS project that I was part of its paid engagement).