2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how code can be executed on Microsoft SharePoint through BDC deserialization. The content is concise and easy to follow, and I hope the detailed walkthrough gives you something useful.
Details of the vulnerability
This vulnerability lies in the Business Data Connectivity (BDC) service of Microsoft SharePoint. Because a custom BDC model may declare any type for a method parameter, the BDC service in Microsoft SharePoint 2016 is vulnerable to arbitrary deserialization of XmlSerializer streams.
SharePoint lets you define custom BDC models in the Business Data Connectivity Model File Format (MS-BDCMFFS), whose specification includes method and parameter definitions. Here is the sample provided by Microsoft:
The above model defines a method called GetCustomer, which wraps a stored procedure called sp_GetCustomer; both the input parameter (Direction="In") and the return parameter (Direction="Return") are defined with descriptors of their respective types.
In the sample above, the primitive type of the input parameter is System.Int32, which poses no problem. The problem arises when a BDC model declares a parameter of type Microsoft.BusinessData.Runtime.DynamicType. The intent of that type is to give developers the flexibility to pass values of different types through a single parameter, but the downside is that an arbitrary XmlSerializer stream is handed to the deserializing caller.
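Since the weak setting lives in the uploaded model rather than in server code, an administrator can audit existing .bdcm files for it. The scanner below is an added example, not code from the article or from Microsoft; the sample model is constructed for the check (only the Model root namespace matches real .bdcm files) and the nested-TypeDescriptor handling reflects the format's structure, where a parameter's descriptor can contain child descriptors.

```python
"""Scan BDC model (.bdcm) XML for parameters typed as
Microsoft.BusinessData.Runtime.DynamicType (added example)."""
import xml.etree.ElementTree as ET

DYNAMIC_TYPE = "Microsoft.BusinessData.Runtime.DynamicType"

# Constructed sample model (not Microsoft's): GetCustomer uses a safe Int32 input,
# UpdateCustomer takes a DynamicType input and should be flagged.
SAMPLE_BDCM = """<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="CustomerModel">
  <LobSystems>
    <LobSystem Type="Database" Name="CustomerDb">
      <Entities>
        <Entity Namespace="Contoso" Name="Customer" Version="1.0.0.0">
          <Methods>
            <Method Name="GetCustomer">
              <Parameters>
                <Parameter Direction="In" Name="@CustomerId">
                  <TypeDescriptor TypeName="System.Int32" Name="CustomerId" />
                </Parameter>
                <Parameter Direction="Return" Name="Customer">
                  <TypeDescriptor TypeName="System.Data.IDataReader, System.Data" IsCollection="true" Name="Rows">
                    <TypeDescriptors>
                      <TypeDescriptor TypeName="System.Data.IDataRecord, System.Data" Name="Row">
                        <TypeDescriptors>
                          <TypeDescriptor TypeName="System.Int32" Name="CustomerId" IdentifierName="CustomerId" />
                          <TypeDescriptor TypeName="System.String" Name="Name" />
                        </TypeDescriptors>
                      </TypeDescriptor>
                    </TypeDescriptors>
                  </TypeDescriptor>
                </Parameter>
              </Parameters>
            </Method>
            <Method Name="UpdateCustomer">
              <Parameters>
                <Parameter Direction="In" Name="@Payload">
                  <TypeDescriptor TypeName="Microsoft.BusinessData.Runtime.DynamicType, Microsoft.BusinessData" Name="Payload" />
                </Parameter>
              </Parameters>
            </Method>
          </Methods>
        </Entity>
      </Entities>
    </LobSystem>
  </LobSystems>
</Model>
"""


def local_name(tag):
    """Strip the XML namespace from an ElementTree tag ('{ns}Method' -> 'Method')."""
    return tag.rsplit("}", 1)[-1]


def type_name_only(type_attr):
    """Drop the assembly-qualified part: 'Ns.Type, Assembly' -> 'Ns.Type'."""
    return type_attr.split(",", 1)[0].strip()


def find_dynamic_type_params(xml_text):
    """Return (entity, method, parameter, direction, descriptor) tuples for every
    TypeDescriptor whose TypeName is DynamicType, including nested descriptors."""
    root = ET.fromstring(xml_text)
    findings = []
    for entity in root.iter():
        if local_name(entity.tag) != "Entity":
            continue
        for method in entity.iter():
            if local_name(method.tag) != "Method":
                continue
            for param in method.iter():
                if local_name(param.tag) != "Parameter":
                    continue
                # Descriptors nest, so check every descendant, not only the top one.
                for td in param.iter():
                    if local_name(td.tag) != "TypeDescriptor":
                        continue
                    if type_name_only(td.get("TypeName", "")) == DYNAMIC_TYPE:
                        findings.append((entity.get("Name"), method.get("Name"),
                                         param.get("Name"), param.get("Direction"),
                                         td.get("Name")))
    return findings


def scan_file(path):
    """Scan one exported .bdcm file on disk."""
    with open(path, encoding="utf-8") as f:
        return find_dynamic_type_params(f.read())


if __name__ == "__main__":
    for entity, method, param, direction, td in find_dynamic_type_params(SAMPLE_BDCM):
        print(f"{entity}.{method}: parameter {param} ({direction}) descriptor {td} uses DynamicType")
```

Run it against models exported from the BDC service application; any hit is a method whose input is handed to XmlSerializer without a fixed type, which is the condition this article describes.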
Vulnerability exploitation
Our test environment is Microsoft SharePoint Server 2016 with KB4464594 installed, running on 64-bit Windows Server 2016, build 14393.3025.
The steps of the exploitation are as follows:
1. An administrator first has to define a custom BDC model containing a method with a parameter of type Microsoft.BusinessData.Runtime.DynamicType. For the custom BDC model, we used the sample database model as a template and simplified it heavily:
2. Next, the administrator uploads the BDC model through SharePoint Central Administration | Application Management | Manage service applications | Business Data Connectivity Service. This can also be done through PowerShell:
3. An attacker can then invoke this method and pass the payload through the method arguments:
On the SharePoint server you will then see two cmd.exe instances and one win32calc.exe instance spawned, all running as the SharePoint application pool identity.
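The observable artefact of a successful run is a process tree rooted in the IIS worker process: w3wp.exe, running as the application pool identity, spawning cmd.exe and its children. The detection below is an added example, not part of the original article; the event lines are constructed to mirror that tree in a Sysmon-style process-creation CSV layout (an assumption), and the allowlist of children that ASP.NET worker processes legitimately start is likewise an assumption to tune per environment.

```python
"""Flag processes that descend from an IIS worker process (w3wp.exe) in
process-creation events (added example, constructed sample data)."""
import csv
import io
import ntpath

# Children that w3wp.exe may legitimately start (e.g. on-the-fly ASP.NET compilation).
# This list is an assumption; tune it for the environment being monitored.
ALLOWED_CHILDREN = {"csc.exe", "conhost.exe", "cvtres.exe"}
MAX_DEPTH = 8  # bound the ancestor walk in case of pid reuse or cycles

# Constructed Sysmon-style events: one w3wp.exe spawns cmd.exe -> cmd.exe -> win32calc.exe
# under the application pool account; an interactive cmd.exe from explorer.exe is benign.
SAMPLE_EVENTS = r"""UtcTime,ProcessId,ParentProcessId,Image,ParentImage,User
2019-09-10 14:02:11,4120,1088,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\svchost.exe,CONTOSO\sp_apppool
2019-09-10 14:02:15,4311,4120,C:\Windows\System32\cmd.exe,C:\Windows\System32\inetsrv\w3wp.exe,CONTOSO\sp_apppool
2019-09-10 14:02:15,4319,4311,C:\Windows\System32\cmd.exe,C:\Windows\System32\cmd.exe,CONTOSO\sp_apppool
2019-09-10 14:02:16,4325,4319,C:\Windows\System32\win32calc.exe,C:\Windows\System32\cmd.exe,CONTOSO\sp_apppool
2019-09-10 14:03:40,5001,1088,C:\Windows\System32\inetsrv\w3wp.exe,C:\Windows\System32\svchost.exe,CONTOSO\sp_apppool
2019-09-10 14:05:02,5100,3220,C:\Windows\System32\cmd.exe,C:\Windows\explorer.exe,CONTOSO\admin
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def image_name(path):
    """Case-insensitive executable name from a Windows path."""
    return ntpath.basename(path).lower()


def has_w3wp_ancestor(event, by_pid):
    """Walk up the parent chain. The first hop uses the event's own ParentImage field,
    so a parent that is missing from the event set is still recognised."""
    current = event
    for _ in range(MAX_DEPTH):
        if image_name(current["ParentImage"]) == "w3wp.exe":
            return True
        current = by_pid.get(current["ParentProcessId"])
        if current is None:
            return False
    return False


def detect_w3wp_descendants(events):
    """Return every event whose process descends from w3wp.exe, except w3wp.exe
    itself and the allowlisted build helpers."""
    by_pid = {e["ProcessId"]: e for e in events}
    flagged = []
    for e in events:
        name = image_name(e["Image"])
        if name == "w3wp.exe" or name in ALLOWED_CHILDREN:
            continue
        if has_w3wp_ancestor(e, by_pid):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in detect_w3wp_descendants(parse_events(SAMPLE_EVENTS)):
        print(f"{e['UtcTime']} pid {e['ProcessId']} {image_name(e['Image'])} "
              f"as {e['User']} descends from w3wp.exe")
```

The walk deliberately does not key on win32calc.exe or on any particular child name: the signal is a command interpreter or other unexpected binary executing under the application pool account with w3wp.exe somewhere above it, which is exactly the post-deserialization behaviour the article observes.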
If you want to follow the code path, attach a debugger to the SharePoint application's w3wp.exe process and set a breakpoint in System.Web.dll.
The call stack at System.Web.dll!System.Web.UI.ObjectStateFormatter.Deserialize looks like this:
It is important to note that successfully exploiting this vulnerability does not grant server-side administrator privileges; it does, however, let an attacker execute code in the context of the SharePoint application pool and the SharePoint server farm account. According to Microsoft, the vulnerability was fixed in the patch released in September.
The above is how code can be executed on Microsoft SharePoint through BDC deserialization. If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.