Don't Dare to Exploit - An Attack Surface Tour of SharePoint Server

Presented at DEF CON 29 (2021), Aug. 7, 2021, 5 p.m. (45 minutes)

Due current global issues of 2020, organizations have been forced to make changes in how their business model operates and as such, have opened the doors to remote working. Microsoft SharePoint is one of the most popular and trusted Content Management System's (CMS) deployed today. The product is used to share and manage content, internal knowledge with embeded applications to empower teamwork and seamlessly collaborate across an organization for a truly remote experience. After the efforts of countless talented engineers in Microsoft, SharePoint has been deployed in the Microsoft cloud as part of their office 365 offering. This presentation will analyze the security architecture of SharePoint server and how it differs from other popular CMS products. From an offensive point of view, we will also reveal several attack surfaces and mitigations implemented and how those mitigations can be bypassed. Finally we will disclose several high impact vulnerabilities detailing the discovery and exploitation. REFERENCES: 1. http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/ 2. https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.control 3. https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524602(v=vs.90) 4. https://www.youtube.com/watch?v=Xfbu-pQ1tIc 5. https://www.blackhat.com/us-20/briefings/schedule/#room-for-escape-scribbling-outside-the-lines-of-template-security-20292 6. https://www.spguides.com/sharepoint-csom-tutorial/

Presenters:

• Zhiniang Peng - Principal Security Researcher at Sangfor
  Dr. Zhiniang Peng (@edwardzpeng) is the Principal Security Researcher at Sangfor. His current research areas include applied cryptography, software security and threat hunting. He has more than 10 years of experience in both offensive and defensive security and published much research in both academia and industry. @edwardzpeng
• Steven Seeley - Security Researcher of Qihoo 360
  Steven Seeley (@mr_me) is a member of the 360 Vulcan team and enjoys finding and exploiting bugs. Currently his focus is on web and cloud tech and has over 10 years experiance in offensive security. Steven won the Pwn2Own Miami competition with his team mate Chris Anastasio in early 2020 and has taught several classes in web security including his own, Full Stack Web Attack. @steventseeley
• Yuhao Weng - Security Researcher of Sangfor
  Yuhao Weng(@cjm00nw) is an security researcher of Sangfor and a ctf player of Kap0k. He has been studying the web for three years and found a lot bugs in Sharepoint, Exchange and so on. Now he is focused on .NET security. @ cjm00nw

Links:

• https://defcon.org/html/defcon-29/dc-29-speakers.html#weng
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Yuhao Weng Steven Seeley Zhiniang Peng - don't Dare to Exploit - An Attack Surface Tour of SharePoint Server.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/Yuhao Weng Steven Seeley Zhiniang Peng - don't Dare to Exploit - An Attack Surface Tour of SharePoint Server.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Yuhao Weng Steven Seeley Zhiniang Peng - don't Dare to Exploit - An Attack Surface Tour of SharePoint Server.srt (subtitles)
• https://www.youtube.com/watch?v=mVXrl4W1jOU

Similar Presentations:

• DerbyCon 6.0 Recharge (2016) / Project MVP - Hacking and Protecting SharePoint
• DerbyCon 3.0 All in the Family (2013) / TMI: Testing and Exploiting SharePoint
• DerbyCon 3.0 All in the Family (2013) / TMI: How to attack SharePoint servers and tools to make it easier