One of the flaws that Microsoft dealt with on the patch of July 2020 on Tuesday in .NET Framework, SharePoint, and Visual Studio could result in remote code execution.

The bug, which is tracked as CVE-2020-1147 and is of critical nature, takes place when the software doesn’t check the source markup of XML file input. This could provide a hacker with the opportunity to run random code in the framework of the procedure where deserialization of XML content happens.

A hacker seeking to abuse the security fault would be required to upload a specially-crafted document to “a server utilizing an affected product to process content,” Microsoft elucidates.

In an advisory, the software behemoth said: “The vulnerability is found in the DataSet and DataTable types which are .NET components used to manage data sets.”

As well as issuing fixes for the flaw, Microsoft also published direction related to it, clarifying what the DataSet and DataTable types of legacy .NET mechanisms signify and what limitations are applied when loading them from XML.

The company also elucidates that, by default, only specific kinds of items may be existing in the deserialized data, and that an exemption is thrown when the arriving XML data comprises object types not on the list, leading to the deserialization operation failing. Nevertheless, apps can extend the allowed types list.

“When loading XML into an existing DataSet or DataTable instance, the existing column definitions are also taken into account. If the table already contains a column definition of a custom type, that type is temporarily added to the allow list for the duration of the XML deserialization operation,” the company explains.

Security specialist Steven Seeley, in a blog post, explained the manner in which the susceptibility can be activated.

“It is highly likely that this gadget chain can be used against several applications built with .net so even if you don’t have a SharePoint Server installed, you are still impacted by this bug,” Seeley notes.

Leave a Reply

Your email address will not be published. Required fields are marked *