CVE-2019-0604

A .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the ZDI Advisory the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.

Per the Microsoft advisory:

Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

A public PoC has been released.

The initial vulnerability is triggered via an HTTP POST request to /_layouts/15/Picker.aspx?PickerDialogType=.

This made CISA’s list of most exploited vulns from 2016-2019—fairly notable since it’s a 2019 vulnerability and had less time to percolate than others. There are newer SharePoint vulnerabilities and exploits out now that may replace this one, but the generalized takeaway is that SharePoint is a highly attractive attack target with a number of public exploits and proofs-of-concept available for known vulns.

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

• Vulnerable Products: Microsoft SharePoint
  
• Associated Malware: China Chopper
  
• Mitigation: Update affected Microsoft products with the latest security patches