DEF CON 29 - Yuhao Weng, Steven Seeley, Zhiniang Peng - An Attack Surface Tour of SharePoint Server

00:21 - Welcome to our presentation. Don’t Dare to Exploit An Attack Surface Tour of SharePoint Server.

00:27 - It is presented by myself, Yuhao Weng of Sangfor, Steven Seeley of Qihoo 360, and Zhiniang Peng of Sangfor.

00:36 - Let me introduce ourselves at first. Yuhao Weng who is a web security researcher of Sangfor and also a CTF player of Team Kap0k.

00:46 - Steven Seeley is a Security Researcher of Qihoo 360, and he is a very good trainer.

00:54 - Zhiniang Peng is the Principle Security Researcher of Sangfor. Let’s begin.

01:00 - The agenda we will be talk about is introduction to SharePoint Server, Exploiting Server-side, Exploiting Client-side and examples, and a conclusion.

01:12 - SharePoint Server really doesn’t need an introduction.

01:16 - It’s a part Of Office 365 products. It is one of the most popular, trusted Content Management Systems that we have today.

01:26 - It has online version hosted by Microsoft Azure and open version which we can deploy ourselves.

01:34 - It doesn’t need too much professional knowledge and skill to deploy but actually, in my opinion, it should have a more higher learning curve than other Content Management Systems.

01:46 - You always need to spend some time to get similar with it but many schools and institutions like it, in fact.

01:54 - This is a example of what SharePoint server will look like in 2019.

01:59 - This is a default communication site. It look very up-to-date and very professional.

02:06 - But hiding behind all of that is a lot of issues that don’t necessarily have buttons or earlier tools.

02:13 - We’re going to exploit a lot of that in this present day.

02:18 - With a introduction to SharePoint Server, we can talk about the structure, the key difference, design weakness and AddAndCustomizePages default danger.

02:31 - With the SharePoint structures is site admin who can manage the different sites and they can access the admin panel, which has global communities settings that can impart multiple sites.

02:44 - Or you can deploy a new web parts those of features.

02:48 - So is really a powerful position. To be honest, we have not fully explore the admin panel, but I do believe, there is the ability to upload regular files on the server and secure the code, anyway.

03:04 - Then this is known as the site owner, and this is the regular permissions that given by most users.

03:12 - So if a new user is created they have site owner permissions because they can create their own site.

03:20 - If they are just site viewer, they cannot do anything other than just viewing the page.

03:26 - They can change any settings and waste my site so seen as we lack of my space or something.

03:33 - They can create their own page and they can look on there and do what they like but they cannot use their site to set other sites.

03:41 - There are other securities involved. The key difference of SharePoint and some popular open source competitor would be this.

03:49 - As I said it before, this ability to create a site.

03:53 - In the SharePoint eyes site is a new structure.

03:57 - It has a new physical folder on the file system.

03:59 - Then are new virtual directory is created and point to that folder on file system.

04:05 - Is logged on different path is different application messed up site will not create a new folder just a virtual one and they can upload page in their site as well as our security file.

04:18 - Those other script cannot access other site content, which is why Microsoft demo is safe to be able to upload server script code, on your site, because it means that our script, we cannot access content on another site of other admin site.

04:34 - where lots of other dangerous things can be done.

04:38 - Users can upload a custom page like a conversation, and there are several different authentication measures like NTLM, Form Based Authentication, and so on.

04:49 - It design weakness of SharePoint is the ability to use an arbitrary file with vulnerability that can be leveraged to achieved remote code execution, because it’s possible to load the web. config file, which can contain the validation key or ViewState deserialization, which can be used to generate a particular ViewState, executes and eventually command again the application.

05:18 - I know some other researcher have talked about this before, and this is something that I told them as a default site of SharePoint.

05:27 - I’m not exactly sure why they have decide that is generate use a randomized config key in the webconfig file.

05:35 - Because it’s possible to generate config key without using phase one.

05:40 - Like the past of CVE-2020-0688. But I’m not sure exactly why SharePoint doesn’t use that particular feature.

05:49 - I believe that there are some shared code in SharePoint that require the validation key to be started in the webconfig file. I not very sure.

06:00 - But regardless if a file disclosure vulnerability is file in SharePoint, it means that you have an arbitrary command execution.

06:10 - The AddAndCustomizePages default danger. Other permission rather is allowing user with this privilege of site owner rather to upload page on that site.

06:22 - So this also work on server online (indistinct), but it should be enabled by other admin in SharePoint Online.

06:31 - It gets dangerous because users can upload also aspx page which can contain client-side script along with a server-side asp. net controls.

06:43 - Those are known as site pages. The control are filtered by an allow lists that is a defined in the web. config.

06:51 - So you can just upload what type of control you want.

06:55 - And those controls will be the deserialized using xaml.

07:00 - That several evil payloads used in the past with XamlReader. Load.

07:06 - But those payloads don’t work here. We can adjust deserialized what type of payload we want and get the code execution in that way.

07:15 - Users can also not upload inline asp. net script.

07:20 - It will not work because compilation is never, you cannot run a compiler code on the server.

07:26 - Additionally, the asp. net server-side include are also blocked.

07:32 - However, a combination of the allowed server-side controls in Java script can be quite problematic.

07:40 - And we will talk about several vulnerabilities that are raised by this.

07:47 - Looking at the table site page, which are created by users.

07:51 - The content of those pages are stored in a database.

07:55 - They are not compiled and they are untrusted.

07:58 - And so application page is opposite. They are created by system or installation.

08:06 - They are only file systems. They are compiled and they are trusted.

08:11 - Those files will get compiled and secured when accessed.

08:15 - Now for the server side. We’re going to briefly discuss the attack service.

08:22 - So using things like a Bypass SPPageParseFilter Check, Server Side Request Forgery, XML Parsing will give you some exploitation examples.

08:37 - Bypass SPPageParseFilter Check. SPPageParseFilter overrided the page parse filter.

08:45 - It doesn’t check files in file system enter directory directly, but check files in database if they then only save controls and without server side included, In addition, this page is copied from Look for Escape.

09:02 - We want to know what a safe control is actually make out of.

09:06 - The load class is System. Web. UI. Control class.

09:11 - And so every ASP. net control is taken from it.

09:16 - And to work out what classes can be used for XAML deserialization the controls that are marked as safe in web. config file.

09:27 - So here is an example, that’s two different the controls.

09:30 - The first one is actually a namespace, System. Web. UI namespace.

09:37 - And all type under that namespace are safe.

09:40 - Then you have another that has the System. Web. UI. WebControls namespace.

09:47 - A particular type, SQLDataSource, that is marked as false, it is safe.

09:54 - By the way, if it is inside safe control tag and don’t special save, it is safe.

10:03 - Let’s think if a control extends from unsafe control.

10:07 - Is it safe? Yes, actually. Examples.

10:12 - If we look into the web. config file and we see the SqlDataSource it is defined as an unsafe control.

10:21 - But as it turned out, that is a particular class called SPSqlDataSource that is taken from SqlDataSource.

10:31 - This particular control is not found from web. config It was possible to reach a SqlConnection. Open sink.

10:41 - Attacker can control the connection string properties, and it can be used to attack the client drivers on the server itself.

10:51 - We saw this earlier research is interesting because not many people sat it down and look at into attacking Sql drivers on client’s side.

11:03 - But overall mySQL driver is intuitive. If you can connect to a malicious, mySQL server, then the local server can send back a request for a local file.

11:15 - This has been public knowledge that since April 2nd, 2018.

11:21 - I do know that this is by design the features of mySQL.

11:25 - If you control the connection stream in most application, the connection string is not controlled.

11:33 - But not SharePoint. Here is an example of a payload.

11:37 - You can see here that the connection string driver equals mySQL, then the server to the attack servers, port, and database, name, username and password.

11:51 - But when you, basically here, you can see a SelectCommand select * from users.

11:57 - We need a SelectCommand to be able to trigger the communication, or it can communicate with the server.

12:04 - And then on the server side, we will ask for the particular file, you know, web. config.

12:12 - We have a proof of concern video here. Note that it need a mySQL driver in the time keeper servers.

12:21 - (silence) And the SPSqlDataSource file disclosure bug had a patch bypass.

13:31 - It was interesting because this particular bypass was a time of check time of use in the way that they check the connection string.

13:41 - To be honest, we never tested this patch bypass we just reviewed the patch quickly and seeing it was vulnerable.

13:50 - They added a check of the connection string.

13:53 - And this was the method called CheckConnectionString.

13:58 - It will get the ConnectionString and call IsAllowedOdbcDriver.

14:03 - Let’s check it. The first string it look out is a dsn in the ConnectionStrings.

14:10 - Then you will look out the dsn and find the particular driver, out of the dsn.

14:16 - And if that equal to SQL server driver, that’s the trustee SQL server then it will be allowed.

14:24 - But if you look at the implementation of the SqlConnection. Open it look for either, dsn or driver property, whichever is set first it used.

14:37 - We can exploit this for TOCTOU used by providing a dsn property after the driver.

14:45 - The Impact, again, is RCE. But we need to know the other existing dsn only target systems that use SQL servers.

14:56 - At the time we didn’t spend too much time on these particular vulnerabilities.

15:01 - But we’re saying there is a way to leave the dsn.

15:04 - Here is our port. You can see that way using PowerShell command line.

15:10 - Add-OdbcDsn which will create dsl on the systems using SQL servers.

15:17 - When the Add-OdbcDsn here contain equal POC as long as the dsl is in here, then it will be traded as trustee.

15:29 - But then when the SQL connection is made is set, the driver property first and then set it, You see mySQL? Use mySQL driver.

15:40 - Then what other properties? And then it ignored the dsl because there is no a particular property for that particular drivers is a SQL server.

15:52 - And the driver, server, port, database and then trigger it again.

15:58 - So we can continue to reveal the web. config file and get remote code executions.

16:06 - Then look at the next example, CVE-2021-28450.

16:12 - It is an RE DOS file and count for another unsafe control.

16:18 - We find this control and then RegularExpressionValidator.

16:22 - It look like a link tool as validation. That is unsigned class InputFormRegularExpressionValidator is taken from it, which is safe.

16:35 - Okay, let’s check this normal example. As we see, we can control the validation expression and validationvalue.

16:45 - Anything else? When we look at the code and we found out that we can control the time out too.

16:50 - So in this case, we can specify the expressions and the input, as well as the match time out for the expressions to be calculate.

17:04 - What will happen if we insert a malicious expressions? Think about this expression and our input is 128*a+!.

17:18 - It will run very, very slowed because the first part of this expression will be executed repeatedly.

17:25 - It will keep measuring, it will keep measuring until run out of time.

17:32 - Here is the chart about how many steps will be executed.

17:36 - When the number of a is ingest, we can see that when we input 20a, it will learn more than 100,000 steps to try to match.

17:47 - And we will attack it with 128a. And we will, we can set a large count timeout value so the script don’t get close quickly.

18:01 - So we tested against SharePoint online and make it died after sending 50 requests.

18:08 - You don’t need to send requests at the same time.

18:11 - So I send it slowly and see whether it dies out.

18:14 - And you will restart after some minutes, maybe 20 minutes more or less.

18:23 - Then go to the next example that we will talk about.

18:27 - We found the two types that were blocked in web. config file.

18:32 - This was about creating users where they changed password.

18:37 - And in this time we cannot find any class is taken from them.

18:43 - Let us find it ourselves. Why are those controls blocked? Why those particular controls? After doing a bit of research and investigation, we found that those people controls categories of a file methods in the lower controlled class.

19:02 - They changed password and create and create user wizard.

19:06 - It taken from web controls, which has open file methods, Of course, there was an additional control the password recovery, which was not block any web. config.

19:20 - We could use password recovery control to email ourselves, our own password, coupled with a file of our choice.

19:30 - We’re seeing is designed to see that email template file.

19:34 - So email address were assigned to the account using the phone based authentication, which was the default authentication for SharePoint online.

19:46 - They will allow yours to email ourself with the web. config file and get us here again.

19:53 - But the attacker also need to link the membership provider and we can follow it by the session cookie and outgoing SMTP server needed to be configured on the target system as well, so that we can receive email of web. config file.

20:14 - This is what the payload look like. All we have to do is specify the body file name, and that equals a particular part to web. config.

20:26 - We load a proof of consent for that one and put here.

20:32 - Email results here. We can receive machine key in our mailbox.

20:37 - Here we use both to capture it. Then let’s (indistinct) control, and we will talk a little bit about server-side include.

20:47 - Server-side include are directives that place in html page and evaluated on these server while the page are being served.

20:58 - Asp. net is convenient to include web. config to steal your machine key.

21:06 - But it is blocked by default on most case, at least.

21:10 - When you were to make asp as page only server, it will try to do it included for web. config.

21:18 - It is not allowed because asp page filter, is enabled by default and you block the encoder SSI site page and doesn’t allow it.

21:29 - But as it turned out, there was a way to bypass that over this.

21:34 - Let’s see this example. Here is a famous method parser control, which was introduced in Look For Escape presentation, and it was in many environments where the SharePoint.

21:48 - It will parse strings to control the class.

21:52 - And it has the ability to bypass the SPPageParserFilter.

21:57 - If for the second parameter to the past control is true, to SPPageParserFilter will be ignored.

22:05 - In that way we could get an inquiry going. So we want to find a method in which we’ll call the parser control with a generic value.

22:16 - The data form will be part of controlling. It has a particular measure called CreateChildControls.

22:23 - It is called when the other control exists on that particular control.

22:28 - And inside this function, you call ParseControl.

22:31 - It is a good target if we can met the flag too, and the flag generated from, verify SPD control markup.

22:42 - We have to satisfy to some validation to lose this call in a dangerous way.

22:48 - It has to be valid. Okay, first of all, it need to be valid xml so we can, so we cannot register with this because it is not a valuable xml format.

23:03 - We also need to have runat=server, or it will be seen as client script and want to pass the verify control.

23:13 - It also need to be a safe controlled. It can contain things like objected the shows controlled, which is a famous gathered.

23:23 - We create a panel that with use server-side inquiry instead, as you can see.

23:28 - It use (indistinct) Don’t need to use any unsafe control or objectdatasource.

23:36 - And then we equaled the web. config file of that particular site.

23:42 - And that it will leak the validation key and give us remote code execution back.

23:50 - We’ve got a video demonstration here. (silence) Let’s continue this presentation.

24:51 - Next, we will discuss another type of attack.

24:55 - Server-side request forgery. Let’s look at the vulnerable code example.

25:01 - This server will retrieve the url we control.

25:04 - And park the url into a request object. Send the request and return the response.

25:13 - We can set the url to arbitrary address like web evaluator, localhost, fileserver or other interesting http servers.

25:23 - We found many SSI vulnerabilities in SharePoint and will be discussed later.

25:32 - We found a very simple function CallOLS. If passed the parameter URL of the mentioned SafeCreate to get a request option.

25:45 - And return the result of the request. It look very similar to the vulnerability example mentioned earlier.

25:54 - Here, it can be considered as a wrapper of WebRequest. Create.

26:00 - If we can control this parameters here is a classical SSI vulnerability.

26:07 - At first we need to try whether we can access this method.

26:13 - Through the research of official documentation online we found out that when method is marked as ClientCallableMethod it means that we can call you with an ftp request.

26:26 - The general format is /SP/NameSpace. ClientCallableType. ClientCallableMethod.

26:37 - So the path here should be /SP. HashtagStoreManager. CallOLS.

26:48 - Note that here is SP not SharePoint. As mentioned in there.

26:54 - And we can control all the parameters of the ClientCallableMethod function.

27:01 - So it’s very simple to write a proof of concern.

27:05 - Just add the url pattern for it. Then when it follows the server to our address and return the result of url request.

27:16 - Actually, there are more things about the server-side request forgery.

27:21 - But for some reason we cannot talk in this time.

27:25 - So the next thing we will talk is XML Parsing.

27:30 - Xml is a very popular markup language. First vendor in the late 1990s and adopted by countless software projects.

27:44 - It is used for configuration files, document format, image format, and the network protocol.

27:53 - And it is so popular that any problem about it will bring catastrophic result.

28:01 - In the process of parsing external entity the xml parser can query various network protocols, and survive like a dos, ftp, http, smb, and so on.

28:17 - According to this protocol specified in the EUIO external entities are very useful for creating generic levelers in documentations.

28:29 - So that any change admitted to the levelers results are automatically update in the document.

28:37 - According to official documents for lower versions of the. NET network.

28:45 - When reading xml test container external entities will be automatically parsed.

28:54 - However, when dealing with the external entities many attack can be launched against the application.

29:02 - Those attacks include the disclosure of local system files.

29:06 - Which may contain sensitive data such as password, and private user data or the use of network SSL certificates various programs to manipulate internet applications by combining those attacks with other malicious code.

29:29 - The scope of this attack can be extended to server interruption and even eventually code execution, depending on the content of those attacks.

29:40 - We call these attack types xml external entity attack.

29:48 - We also share a simple vulnerability code example.

29:52 - The code snippet show the classical xmldocument. load xml method.

30:00 - It will receive an xml container parsing to xml document object The dtt definition will be executed when parsing.

30:14 - There are also many ways to pase xml. Like XPathDocument, DataSet. LoadXML, and so on.

30:25 - In order to decode the problem caused by SSE.

30:29 - Microsoft recommends that users use XML evaluator to evaluate xml test before loading.

30:38 - And prohibit the parsing of external entity.

30:43 - Or upgrade to higher version of. NET framework which will not parse external entity by default.

30:53 - But we will check SharePoint will follow that.

30:57 - The. NET version of SharePoint that is 4. 0 in SharePoint 2019.

31:05 - Which means that we were likely to find SSE vulnerability in it.

31:10 - Here is our finding of SSE. This regional vulnerability patterns can often bring destabalized. We found unmentioned GetPluginContent which will call xmlDocument. Loadxml.

31:30 - Like our examples it will read the container in the public in file and parse it as xml container.

31:40 - Okay, let’s take a quick look at the call state, which appears to be accessible.

31:47 - We need to analyze the method. First, it will traverse all files in /_catalogs/wp directory.

31:58 - We need to create a file. The files here includes all files in database and file system because it is SPFile which is another of the file object by SharedPoint.

32:11 - Then looking for the file that the send filename as the parameter we set.

32:17 - Then its content is passed into Loadxml. Including the visual file in the database is good news.

32:27 - Users now have permissions to upload such files on their website.

32:33 - If it can only load the files in the file systems we will not be able to do anything.

32:40 - So therefore the first step in exploiting the vulnerability is to upload a xxe file. We are sure it is xxe. webpart which contain xxe payload.

32:54 - Note that the file need to end with a. webpart.

33:00 - But how to make the server load this file? Let’s go back to the call state and take a closer look at the function in the live post.

33:10 - We notice that he has a special attribute ClientCallable.

33:16 - What does it contain here? It is similar to ClientCallableMethod that we mentioned earlier but it is not the same.

33:25 - It means that we can call it using client-side SharePoint Object Model API.

33:33 - CSOM stand for SharePoint client object model and is used to insert, update, delete, and retrieve data in SharePoint.

33:44 - Microsoft provided various client object model like Javascript models, SharePoint REST API, SharePoint. NET client object model.

33:56 - Then we will not use the last one, SharePoint. NET client object model.

34:02 - When we use debug tools to debug it we found that every ClientCallable function has a paired remote function.

34:11 - The calling process starts from the client code passes so that the remote method of the same name.

34:19 - And then send the data to the server so xml format.

34:23 - The server parser the xml and find the policy method of the corresponding method invoke state method.

34:34 - And finally fall to the ClientCallable method to complete the method called.

34:41 - Now, we can start writing the second part of the exploiting.

34:45 - (indistinct) relayed there of CSOM. And we need to pass this server url and the user’s credential to gain a client contents.

34:57 - Then use the contents to load the plugin file that we created before.

35:01 - And here, we set it to xxe. Finally, we should call ExecuteQuery to package all the data and send the request.

35:11 - Which can trigger GetPlugin method as we want it.

35:15 - After testing this vulnerability that can also work on SharePoint Online.

35:20 - An example of loading window in SharePoint Online and our demo of proof of concern is here.

35:29 - (silence) But if you notice that we called it as xxe instead of remote call execution.

36:39 - Because it is only 01%& remote call execution.

36:45 - We found that that & character in the web. cofig.

36:50 - According to the same task of the external entity.

36:55 - It will be considered as an entity definition but there is no specific name defined later.

37:02 - This will cause parsing error and able to load content of web. config normally.

37:09 - If someone can bypass this shortcoming for invalid remote code execution exploitation, please share your tips with us.

37:19 - Anyway, it is a real interesting because it appeared in SharePoint client code.

37:28 - Then we have discussed the security issue of the server side.

37:33 - They are often very powerful and don’t need any user intervention.

37:38 - Next, we will assure that we have a user intervention.

37:42 - A victim will open the url he send in his java server.

37:47 - How to achieve an account takeover attack? Server has a variety of user authentication methods, including NTLM, fba, Oauth and so on.

38:02 - So, let’s check the fba. Form-based authentication.

38:08 - Here is the login form and fba is a form-based identity authentication.

38:15 - Httd authentication is passed to SharePoint server will set a cookie for users, rtFa & FedAuth.

38:24 - If we obtain the cookie of other users we can forge user identities.

38:30 - But the cookies have activity only specs so we can’t use java script to call it to steal it directly.

38:39 - And users with the same cookies can access both admin panel and site collection if they have enough privilege.

38:48 - However, as we talked before we don’t just own the javascript.

38:54 - We will introduce a vulnerability that steal cookies stored parameter validly.

39:01 - For this vulnerability we need to show the problem first.

39:05 - The addition to the request header. Where does that cookie exist? Can we get it? In Microsoft documentation a special value is recorded.

39:17 - IIS server variables provide information about the server, the connection with the client, and the current request on the connection.

39:29 - IIS server variables are not the same as environment variables.

39:36 - Here is the value that we need, http cookie.

39:39 - With any cookie string that was encoded with the request.

39:44 - Okay, we find another page to get cookie but it is a server values.

39:51 - We need to put it embed with the page. When reading some sever-side codes we noticed that there is a special syntax called ParameterBinding, a resource can be bound to parameter value in the current vendor xsl style sheet.

40:10 - The ParameterBinding element encoded are location attribute that specify resource time.

40:19 - The same task for this element is similar to the SPResourceBinding expression syntax.

40:27 - The location value is expressed as a function.

40:30 - We can use the location attribute to specify the values for server-side query strings, server values, webpart properties, control ids and so on.

40:44 - So, we can look at this process. When we send a request to the poc page the server will stop our cookie in http_cookie slow ParameterBinding and bind it into DataFormWebPart value.

41:05 - And finally display it in page. So here is the proof of consent.

41:12 - We render the cookie back to the xsl value.

41:17 - Therefore, we have the ability to bring the cookies to the client-side page.

41:23 - Then we can we can read the page script without restrictions.

41:29 - Use XMLHttpRequest to fetch the value of cookie and send it to our servers.

41:37 - And then check the servers request. You can see that all the cookies are sent contains rtFA and FedAuth that you can use to access the site of victims.

41:51 - So here is our conclusion of today’s presentation.

41:55 - The about all the vulnerabilities disclosure in our sharing.

42:01 - From the server to the client we have studied many interesting traits of SharePoint and most of the vulnerabilities are based on the permission we have to upload page.

42:13 - We’ve been able to find many vulnerabilities in SharePoint because of these virtual (indistinct) When you give users more permission, your system is more dangerous.

42:25 - User created content that can interact with server-side controls has the potential to cause some trusted violence.

42:35 - It is hard to build a strong enough filter to protect this instance.

42:41 - And multiple API give users different access methods and give an attacker a large attack surface for discovery tool.

42:52 - So, this is the end of our presentation. Thank you for listening.

42:58 - Feel free to ask any questions. .