A security researcher at StarLabs, Nguyễn Tiến Giang (Jang), found a fresh way to exploit a recently patched (February Patch Tuesday) deserialization bug in Microsoft SharePoint and use it to stage remote code execution (RCE) attacks.
Many languages use serialization and deserialization to pass complex objects to servers and between processes. If the deserialization process is insecure, an adversary can exploit it to send malicious objects that are then executed on the server.
An adversary can exploit the bug by creating a SharePoint List on the server and uploading a malicious gadget chain carrying the deserialization payload as a PNG attachment. Sending a render request for the uploaded file then triggers the bug and executes the payload on the server.
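A defender's check for the vector described above, as an added example that is not part of the article or of StarLabs' research: attachments that claim to be PNG files are validated against the PNG chunk structure (signature, IHDR first, CRC on every chunk, IEND last, no trailing bytes), and any blob carrying a .NET BinaryFormatter serialization header is flagged outright. The article does not name the serializer involved, so the BinaryFormatter signature is an assumption; the sample attachments are constructed for this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# A .NET BinaryFormatter stream opens with a SerializationHeaderRecord:
# record type 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
# Assumption for this example: the serialized payload is a BinaryFormatter
# stream; the article itself does not say which serializer is involved.
BINARYFORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")


def parse_png_chunks(data):
    """Walk the PNG chunk list; raise ValueError on any structural violation."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:
            raise ValueError("chunk length exceeds the PNG limit")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("chunk %r runs past end of file" % ctype)
        body = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        # CRC covers the chunk type and body, not the length field.
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC for chunk %r" % ctype)
        chunks.append((ctype, body))
        pos = end + 4
        if ctype == b"IEND":
            break
    if not chunks or chunks[0][0] != b"IHDR":
        raise ValueError("first chunk is not IHDR")
    if chunks[-1][0] != b"IEND":
        raise ValueError("missing IEND chunk")
    if pos != len(data):
        raise ValueError("%d trailing bytes after IEND" % (len(data) - pos))
    return chunks


def classify_upload(data):
    """Return 'ok', or a reason the attachment should be rejected."""
    if BINARYFORMATTER_HEADER in data:
        return "contains .NET BinaryFormatter serialization header"
    try:
        parse_png_chunks(data)
    except ValueError as exc:
        return "not a well-formed PNG: %s" % exc
    return "ok"


def make_chunk(ctype, body):
    """Encode one PNG chunk: length, type, body, CRC32(type + body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png():
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte plus one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


# Constructed samples: a real image, a bare serialized blob renamed to .png,
# and a real image with extra bytes appended after IEND.
GOOD_PNG = build_minimal_png()
SERIALIZED_BLOB = BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00constructed-sample"
PNG_WITH_TRAILER = GOOD_PNG + b"constructed-trailing-bytes"

if __name__ == "__main__":
    for name, blob in [("good.png", GOOD_PNG),
                       ("blob.png", SERIALIZED_BLOB),
                       ("trailer.png", PNG_WITH_TRAILER)]:
        print("%-12s %s" % (name, classify_upload(blob)))
```

The header scan is only a heuristic for one serializer; the structural validation is the stronger control, because it rejects any attachment that is not exactly a PNG regardless of what is hidden inside or appended to it.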
Fortunately, the flaw can only be exploited by authenticated adversaries, and only when the application is running in a configuration that is turned off by default.
Microsoft patched the bug (CVE-2022-29108) in May’s Patch Tuesday release.
Jang found the bug while analyzing CVE-2022-22005; it turned out that there was another way to trigger the same bug. Jang has described the bug as "Old Wine in a New Bottle" and tweeted a meme on that theme.
Nguyễn Đình Hoàng (hir0ot), who penned a detailed analysis of CVE-2022-22005, says: "Both are difficult to implement effectively in the real world, especially when serialization/deserialization happens in the core protocol, framework, or application that was developed so many years ago."