Critical SharePoint RCE Vulnerability Exploited via Malicious XML in Web Part

A critical remote code execution vulnerability has been discovered in Microsoft SharePoint’s WebPart properties deserialization mechanism, allowing authenticated attackers to execute arbitrary code on SharePoint servers.

The vulnerability, which affects multiple SharePoint versions including 15.0.5145.1000, stems from unsafe deserialization in the SPObjectStateFormatter class. Microsoft has already patched it, though the specific CVE number remains unknown.

Vulnerability Discovery and Attack Vector

Security researcher Khoadha uncovered this vulnerability by accident while analyzing SharePoint’s WebPart control parsing process.

The vulnerability lies in the deserialization process of WebPart properties, specifically within the control parsing mechanism that processes XML content embedded in WebPart controls.

The attack begins when malicious content is added inside a WebPart control, triggering a chain of method calls starting from Microsoft.SharePoint.WebPartPages.WebPart.AddParsedSubObject() and culminating in unsafe deserialization through Microsoft.SharePoint.WebPartPages.Utility.DeserializeStringToObject().

The vulnerability can be exploited by inserting arbitrary HTML content or strings within WebPart controls, such as:

```xml
<WebPartPages:XmlWebPart ID="SPWebPartManager" runat="Server">
<sometag>some content</sometag>
</WebPartPages:XmlWebPart>
```

This triggers the AddParsedSubObject() method to process the LiteralControl text and parse it as XML, eventually leading to the vulnerable deserialization path.

Technical Analysis of Exploitation Path

The exploitation process follows a specific call stack that begins with WebPart control parsing and ends in binary deserialization.

When SharePoint processes the WebPart XML, it calls ParseXml() which deserializes the WebPart type using XmlSerializer, followed by DoPostDeserializationTasks() which eventually reaches the vulnerable GetAttachedProperties() method.

Within this method, SharePoint deserializes the _serializedAttachedPropertiesShared field using the SPObjectStateFormatter class, which internally relies on BinaryFormatter for deserialization.

The critical security flaw lies in the SPSerializationBinder’s IsAllowedType() method, which permits binary deserialization of any class listed in SafeControls.

This includes the exploitable Microsoft.SharePoint.ApplicationPages.SPThemes class, which inherits from DataSet and implements a serialization constructor that can be leveraged for remote code execution.

The AttachedPropertiesShared element in the WebPart XML can be set during deserialization, allowing attackers to inject malicious serialized payloads.

Proof of Concept and Mitigation

Attackers can exploit this vulnerability by crafting malicious WebPart XML containing Base64-encoded serialized payloads in the AttachedPropertiesShared parameter.

The proof of concept involves using tools like ysoserial to generate malicious DataSet payloads, modifying them to use the SPThemes class, and embedding them in WebPart XML.

The attack can be delivered through SharePoint’s webpartpages.asmx endpoint using the ConvertWebPartFormat SOAP action:

```xml
<WebPartPages:XmlWebPart ID="SPWebPartManager" runat="Server">
    <WebPart xmlns="http://schemas.microsoft.com/WebPart/v2">
        <AttachedPropertiesShared>/wEWABANANA...</AttachedPropertiesShared>
    </WebPart>
</WebPartPages:XmlWebPart>
```
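A defender-side check for the WebPart shape shown above, added here as an example and not taken from the article or from the researcher's proof of concept: it pulls every AttachedPropertiesShared value out of a WebPart XML document (for instance a logged ConvertWebPartFormat request body), base64-decodes it and flags blobs that carry the ObjectStateFormatter header, an embedded BinaryFormatter record, or a type name such as SPThemes. The sample blob and the WebPartPages namespace URI are constructed for this example; real payloads differ and the check is a triage aid, not a replacement for patching.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed blob (not a working payload): ObjectStateFormatter header 0xFF 0x01, a token byte,
# a BinaryFormatter SerializationHeaderRecord and an indicative gadget type name.
FAKE_BLOB = base64.b64encode(
    b"\xff\x01\x32" + b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"
    + b"Microsoft.SharePoint.ApplicationPages.SPThemes"
).decode()

# The xmlns:WebPartPages URI is a placeholder so the prefix parses offline.
SUSPICIOUS_WEBPART = f"""<WebPartPages:XmlWebPart ID="SPWebPartManager" runat="Server"
    xmlns:WebPartPages="urn:constructed-for-example">
  <WebPart xmlns="http://schemas.microsoft.com/WebPart/v2">
    <AttachedPropertiesShared>{FAKE_BLOB}</AttachedPropertiesShared>
  </WebPart>
</WebPartPages:XmlWebPart>"""

BENIGN_WEBPART = """<WebPart xmlns="http://schemas.microsoft.com/WebPart/v2">
  <Title>Team Announcements</Title>
</WebPart>"""

OSF_HEADER = b"\xff\x01"                              # ObjectStateFormatter stream header
BF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"   # BinaryFormatter SerializationHeaderRecord
GADGET_TYPES = (b"SPThemes", b"System.Data.DataSet")  # type names worth an analyst's look

def find_attached_properties(xml_text):
    """Return the text of every AttachedPropertiesShared element, whatever its namespace."""
    root = ET.fromstring(xml_text)
    return [el.text or "" for el in root.iter() if el.tag.endswith("AttachedPropertiesShared")]

def classify_blob(b64_text):
    """Decode one AttachedPropertiesShared value and return a list of findings."""
    try:
        raw = base64.b64decode(b64_text.strip(), validate=True)
    except (ValueError, binascii.Error):
        return ["not-base64"]
    findings = []
    if raw.startswith(OSF_HEADER):
        findings.append("objectstateformatter-header")
    if BF_HEADER in raw:
        findings.append("binaryformatter-record")
    findings += ["type:" + name.decode() for name in GADGET_TYPES if name in raw]
    return findings

def scan_webpart_xml(xml_text):
    """Return {blob_index: findings} for blobs that embed binary serialization or gadget types."""
    report = {}
    for i, blob in enumerate(find_attached_properties(xml_text)):
        findings = classify_blob(blob)
        if any(f.startswith(("binaryformatter", "type:")) for f in findings):
            report[i] = findings
    return report
```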

Microsoft has addressed this vulnerability in recent security updates, though the specific patch details and CVE assignment remain unclear.

Organizations running affected SharePoint versions should immediately apply available security updates and review their WebPart configurations to prevent exploitation of this critical deserialization flaw.

The post Critical SharePoint RCE Vulnerability Exploited via Malicious XML in Web Part appeared first on Cyber Security News.
