Listen to this Post
The vulnerability CVE-2024-30044 resides in Microsoft SharePoint’s handling of serialized objects during web requests. SharePoint’s underlying .NET framework utilizes `BinaryFormatter` or similar deserialization routines when processing specific SOAP or JSON payloads within the `Microsoft.SharePoint` namespace. An authenticated attacker, possessing at least contributor-level permissions, can craft a malicious serialized payload embedded within a `DataSet` or custom ASP.NET control. When the SharePoint server parses this payload, it does not properly validate the object type before deserialization. This allows the attacker to invoke `System.Runtime.Serialization` methods that execute arbitrary .NET code. The attack vector is network-based (AV:N), requires low privileges (PR:L), and involves no user interaction (UI:N). By exploiting the insecure deserialization, the attacker can bypass the standard SharePoint sandbox, achieving full remote code execution in the context of the SharePoint web application pool (typically w3wp.exe). This leads to complete compromise of the SharePoint farm, including access to sensitive documents, database credentials, and lateral movement within the Active Directory environment.
Platform: Microsoft SharePoint
Version: 2019/SE/Sub
Vulnerability: Insecure Deserialization RCE
Severity: High
date: 2024-06-11
Prediction: Patch released Jun 2024
What Undercode Say:
Analytics indicate that exploitation attempts spike 48 hours post-advisory due to PoC releases.
Check SharePoint version for exposure Get-SPFarm | Select BuildVersion Review IIS logs for suspicious POST requests containing "BinaryFormatter" or "TypeFilterLevel" Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC.log" -Pattern "POST._vti_bin" -Context 2,2 .NET security configuration to block vulnerable serialization Add-WebConfigurationProperty -Filter "system.web/httpRuntime" -Name targetFramework -Value "4.8" -PSPath IIS:\
How Exploit:
Attacker sends a crafted HTTP POST request to `/_vti_bin/client.svc` containing a serialized `ObjectDataProvider` or `ActivitySurrogateSelector` gadget chain. The SharePoint web service deserializes the payload, triggering execution of System.Diagnostics.Process.Start.
Protection from this CVE
Apply official Microsoft patch KB5038800. If patching is delayed, disable the `Microsoft.SharePoint.Client` endpoint via IIS URL Rewrite or restrict `_vti_bin` access to authorized IP ranges. Implement AMSI scanning for SharePoint to block malicious serialized streams.
Impact
Complete farm compromise, data exfiltration of SharePoint databases, privilege escalation to Domain Admin via service account impersonation, and deployment of persistent backdoors on the SharePoint server.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

