Critical SharePoint RCE Vulnerability Exploited Using Malicious XML Payload Within Web Part
A newly disclosed remote code execution (RCE) vulnerability in Microsoft SharePoint has been identified, affecting the deserialization process of WebPart properties.
The vulnerability enables attackers to execute arbitrary code through carefully crafted XML payloads embedded within SharePoint Web Parts, potentially compromising entire SharePoint environments.
Key Takeaways
1. Malicious XML in SharePoint WebParts triggers RCE.
2. Unsafe deserialization allows exploitation of the SPThemes DataSet constructor.
3. Crafted payload sent via webpartpages.asmx endpoint.
This critical flaw has been patched but remains a significant concern for organizations running vulnerable SharePoint instances.
SharePoint WebPart Vulnerability
According to the Viettel Security report, the vulnerability originates in the SharePoint WebPart control parsing mechanism, specifically within the Microsoft.SharePoint.WebPartPages.WebPart.AddParsedSubObject() method.
The attack chain follows a complex deserialization path through multiple SharePoint components, ultimately reaching the vulnerable Microsoft.SharePoint.WebPartPages.Utility.DeserializeStringToObject() function.
The exploitation begins when attackers inject malicious content into WebPart controls using the following structure:
When SharePoint processes this input, the AddParsedSubObject() method extracts the LiteralControl text and passes it to ParseXml() for deserialization.
This process involves the XmlSerializer and subsequently triggers the DoPostDeserializationTasks() method, creating the pathway for malicious code execution.
The core vulnerability lies in the GetAttachedProperties() method, where SharePoint deserializes the _serializedAttachedPropertiesShared field using the SPSerializationBinder.
This component allows binary deserialization of any class within SharePoint’s SafeControls, creating a significant security gap.
The critical code section demonstrates the vulnerability:
Attackers can exploit this by targeting the Microsoft.SharePoint.ApplicationPages.SPThemes class, which implements DataSet and utilizes unsafe serialization constructors.
The exploitation involves crafting a malicious payload using the AttachedPropertiesShared element within the WebPart XML structure.
Mitigations
The vulnerability affects SharePoint version 15.0.5145.1000 and may also affect other versions. Successful exploitation grants attackers remote code execution capabilities within the SharePoint application context, potentially leading to complete system compromise.
The attack vector utilizes SharePoint’s built-in web services, specifically the /_vti_bin/webpartpages.asmx endpoint with the ConvertWebPartFormat method.
Organizations should immediately apply the latest SharePoint security updates and implement strict input validation for WebPart content.
Additionally, network segmentation and monitoring of SharePoint web service endpoints can help detect potential exploitation attempts.
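As an added illustration of the monitoring the article recommends (this is example code written for this page, not from Viettel Security or Microsoft), the following Python script does two defensive checks: it flags POST requests to the /_vti_bin/webpartpages.asmx endpoint in IIS W3C-format web logs, and it inspects submitted WebPart XML for the AttachedPropertiesShared element and the SPThemes / _serializedAttachedPropertiesShared names the article ties to the exploit chain, including the case where the XML arrives HTML-escaped inside LiteralControl text. The log lines and WebPart XML samples are constructed; the field order assumed for the log is the default IIS W3C layout, and the WebPart v2 namespace is used only to make the sample XML realistic.

```python
import html
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Endpoint the article names as the attack vector.
WEBPART_SERVICE_PATH = "/_vti_bin/webpartpages.asmx"

# Constructed IIS W3C-extended log lines (assumed default field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) sc-status). Not real traffic.
SAMPLE_LOG_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2024-01-01 10:00:01 10.0.0.5 GET /sites/team/default.aspx - 443 - 10.0.0.20 Mozilla/5.0 200",
    "2024-01-01 10:00:02 10.0.0.5 POST /_vti_bin/webpartpages.asmx - 443 - 198.51.100.7 python-requests/2.31 200",
    "2024-01-01 10:00:03 10.0.0.5 POST /_vti_bin/lists.asmx - 443 - 10.0.0.21 Mozilla/5.0 200",
]

# Constructed WebPart XML samples: one ordinary, one carrying the element the
# article associates with the exploit, one HTML-escaped as it might appear
# inside LiteralControl text. The base64 content is a placeholder, not a payload.
BENIGN_WEBPART_XML = """<WebPart xmlns="http://schemas.microsoft.com/WebPart/v2">
  <Title>Announcements</Title>
  <FrameType>Default</FrameType>
</WebPart>"""

SUSPICIOUS_WEBPART_XML = """<WebPart xmlns="http://schemas.microsoft.com/WebPart/v2">
  <Title>Announcements</Title>
  <AttachedPropertiesShared>UExBQ0VIT0xERVI=</AttachedPropertiesShared>
</WebPart>"""

ESCAPED_FRAGMENT = "&lt;AttachedPropertiesShared&gt;UExBQ0VIT0xERVI=&lt;/AttachedPropertiesShared&gt;"


def flag_webpart_service_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return POST requests to the WebPart pages web service found in IIS W3C log lines."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        if line.startswith("#"):  # W3C directive/comment lines carry no request
            continue
        fields = line.split()
        if len(fields) < 11:
            continue
        method, uri_stem, client_ip, status = fields[3], fields[4], fields[8], fields[10]
        if method.upper() == "POST" and uri_stem.lower() == WEBPART_SERVICE_PATH:
            hits.append({"client_ip": client_ip, "uri": uri_stem, "status": status, "line": line})
    return hits


def _local_name(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix so element names compare regardless of xmlns."""
    return tag.rsplit("}", 1)[-1]


def inspect_webpart_xml(text: str) -> List[Dict[str, str]]:
    """Report indicators from the article's exploit chain in submitted WebPart content."""
    findings: List[Dict[str, str]] = []
    unescaped = html.unescape(text)  # handles XML wrapped as escaped LiteralControl text
    try:
        root = ET.fromstring(unescaped)
    except ET.ParseError:
        root = None

    if root is not None:
        for elem in root.iter():
            if _local_name(elem.tag).lower() == "attachedpropertiesshared":
                findings.append({"indicator": "AttachedPropertiesShared",
                                 "context": "element present in WebPart XML"})
    elif re.search(r"<\s*(?:\w+:)?AttachedPropertiesShared\b", unescaped, re.IGNORECASE):
        # Not well-formed XML (a fragment), so fall back to a tag pattern match.
        findings.append({"indicator": "AttachedPropertiesShared",
                         "context": "element tag found in non-well-formed content"})

    # Literal names of the vulnerable class and the deserialized field.
    for name in ("SPThemes", "_serializedAttachedPropertiesShared"):
        if name in unescaped:
            findings.append({"indicator": name, "context": "literal name in content"})
    return findings


if __name__ == "__main__":
    for hit in flag_webpart_service_requests(SAMPLE_LOG_LINES):
        print("web service POST from", hit["client_ip"], "->", hit["uri"])
    for label, sample in (("benign", BENIGN_WEBPART_XML),
                          ("suspicious", SUSPICIOUS_WEBPART_XML),
                          ("escaped", ESCAPED_FRAGMENT)):
        print(label, inspect_webpart_xml(sample))
```

The log check only sees the URI, because default IIS logging does not record the SOAP body or the SOAPAction header, so the ConvertWebPartFormat operation the article names cannot be matched from logs alone; the XML inspection is meant for a layer that does see request bodies, such as a WAF or reverse proxy, where a hit on AttachedPropertiesShared in content submitted to this endpoint is a strong signal worth alerting on and correlating with the patch status of the server.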
The vulnerability highlights the critical importance of secure deserialization practices in enterprise applications and the need for comprehensive security reviews of complex application frameworks like SharePoint.