The DataSet Trap: How Microsoft's XML Trust Issues Led to Remote Code Execution
Vulnerability ID: CVE-2020-1147
CVSS Score: 7.8
Published: 2020-07-14
A Remote Code Execution (RCE) vulnerability in the .NET Framework, .NET Core, SharePoint, and Visual Studio caused by unsafe handling of XML input in the DataSet and DataTable classes. When ReadXml encounters an inline XML schema, the schema's msdata:DataType attribute names the CLR type of each column, so an attacker who controls the XML can make the application instantiate arbitrary types and deserialize malicious gadgets that execute code in the context of the host process.
TL;DR
The .NET DataSet class trusts inline XML schemas too much. An attacker can declare a column whose type is an XamlReader-based gadget, and ReadXml will instantiate it while loading the data, leading to immediate RCE. This affects SharePoint, Visual Studio, and any .NET application that calls ReadXml on untrusted input.
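The following is an added example, not code from the original page, from ysoserial.net, or from Microsoft. It puts the vulnerable call next to a pre-scan that flags the one feature every payload of this class needs: an inline schema whose msdata:DataType names a type the DataSet should never instantiate. The class and method names, the allowlist, and the sample XML (with the gadget's generic arguments deliberately left out) are constructed for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;
using System.Xml;

// Added example (hypothetical names); not the page's or Microsoft's code.
public static class DataSetTrap
{
    const string MsDataNs = "urn:schemas-microsoft-com:xml-msdata";

    // Constructed sample. The shape is what matters: the column's
    // msdata:DataType is attacker-chosen. The generic arguments and the row
    // data that would carry a real gadget are omitted on purpose.
    public const string SuspiciousXml = @"<NewDataSet>
  <xs:schema id=""NewDataSet"" xmlns:xs=""http://www.w3.org/2001/XMLSchema""
             xmlns:msdata=""urn:schemas-microsoft-com:xml-msdata"">
    <xs:element name=""NewDataSet"" msdata:IsDataSet=""true"">
      <xs:complexType><xs:choice minOccurs=""0"" maxOccurs=""unbounded"">
        <xs:element name=""Table1""><xs:complexType><xs:sequence>
          <xs:element name=""pwn"" type=""xs:anyType""
            msdata:DataType=""System.Data.Services.Internal.ExpandedWrapper`2[[...]], System.Data.Services""/>
        </xs:sequence></xs:complexType></xs:element>
      </xs:choice></xs:complexType>
    </xs:element>
  </xs:schema>
</NewDataSet>";

    // VULNERABLE pattern (pre-July-2020 runtimes): the default XmlReadMode.Auto
    // honours the document's own <xs:schema>, including msdata:DataType, and
    // instantiates whatever type it names.
    public static DataSet ReadUntrusted(TextReader input)
    {
        var ds = new DataSet();
        ds.ReadXml(input);
        return ds;
    }

    // Column types this data source legitimately needs (constructed allowlist).
    static readonly HashSet<string> AllowedColumnTypes = new HashSet<string>(StringComparer.Ordinal)
    {
        "System.String", "System.Int32", "System.Int64", "System.Boolean",
        "System.Decimal", "System.Double", "System.DateTime", "System.Guid", "System.Byte[]",
    };

    // Returns the first msdata:DataType value outside the allowlist, or null.
    // Forward-only XmlReader with DTDs and external resolution disabled, so the
    // scan itself cannot be turned into an XXE vector.
    public static string FindDisallowedColumnType(string xml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            while (reader.Read())
            {
                if (reader.NodeType != XmlNodeType.Element) continue;
                string declared = reader.GetAttribute("DataType", MsDataNs);
                if (declared == null) continue;
                // Drop the assembly qualifier (text after the first comma). A
                // generic name such as ExpandedWrapper`2[[...]] keeps its '['
                // and can never match an allowlisted simple type.
                string bare = declared.Split(',')[0].Trim();
                if (!AllowedColumnTypes.Contains(bare)) return declared;
            }
        }
        return null;
    }

    public static void Main()
    {
        string offending = FindDisallowedColumnType(SuspiciousXml);
        Console.WriteLine(offending == null
            ? "inline schema declares only allowlisted column types"
            : "REJECT: inline schema asks for " + offending);
        // ReadUntrusted(new StringReader(SuspiciousXml)) is the step the
        // vulnerable code path would take next; a safe pipeline stops here.
    }
}
```

The pre-scan is a detection aid, not a substitute for the update: it tells you that a document is trying to drive the bug, which is useful both in front of legacy ReadXml call sites and as a WAF-style rule for the SharePoint case. The real fix for application code is to stop consulting inline schemas at all (XmlReadMode.IgnoreSchema with the schema defined in code), as covered under remediation.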
⚠️ Exploit Status: WEAPONIZED
Technical Details
- CWE ID: CWE-502 (Deserialization of Untrusted Data)
- CVSS v3.1: 7.8 (High)
- Attack Vector: Local in the CVSS v3.1 base vector (the vulnerable process must parse attacker-supplied XML); in the SharePoint case that XML is delivered over the network by an authenticated user
- EPSS Score: 0.9343 (93.43%)
- Exploit Status: Active / Weaponized
- Key Gadget: ExpandedWrapper wrapping XamlReader and ObjectDataProvider, declared as a column type through the inline schema's msdata:DataType attribute
Affected Systems
- Microsoft SharePoint Server 2010/2013/2016/2019 (fixed in the July 2020 Public Update; SharePoint Server 2019 builds before that update are vulnerable)
- .NET Framework 2.0 - 4.8 (fixed in the July 2020 Security Rollup)
- .NET Core 2.1 and 3.1
- Visual Studio 2017/2019
Exploit Details
- ysoserial.net: the 'DataSet' gadget in ysoserial.net generates the XML payload for this exploit, an inline schema that declares the ExpandedWrapper column type plus a row carrying the XAML the gadget executes.
- GitHub: Various PoC scripts for SharePoint RCE often leverage this underlying DataSet vulnerability.
Mitigation Strategies
- Restrict XML Input sources
- Implement Type Allowlisting
- Disable Inline Schema Processing
Remediation Steps:
- Apply the Microsoft security update for your specific .NET Framework version immediately.
- Audit codebases for usage of DataSet.ReadXml or DataTable.ReadXml, and for DataSet/DataTable instances populated from any other attacker-controlled serialized form.
- Where ReadXml is necessary, explicitly pass XmlReadMode.IgnoreSchema with the DataSet's schema defined in code if the inline schema is not required, or strictly validate the input XML against a known-safe XSD before deserialization.
- Monitor logs for System.InvalidOperationException related to deserialization: on a patched runtime ReadXml throws it when an inline schema names a type outside the built-in allowlist, so a burst of these from one source may indicate failed exploit attempts.
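The remediation steps above, carried through as one added example (not the page's own code, and not Microsoft's): validate the input against a known-safe XSD, then read it with XmlReadMode.IgnoreSchema into a DataSet whose schema is fixed in code, and log the exception types that distinguish a rejected document from a probe. The XSD, the Orders/Order document shape, the helper names and the sample documents are constructed for this illustration.

```csharp
using System;
using System.Data;
using System.IO;
using System.Xml;
using System.Xml.Schema;

// Added example (hypothetical names); not the page's or Microsoft's code.
public static class SafeDataSetReader
{
    // Known-safe XSD for the only document shape this endpoint accepts
    // (constructed). Nothing in it permits an <xs:schema> child element.
    const string OrdersXsd = @"<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema"">
  <xs:element name=""Orders"">
    <xs:complexType>
      <xs:sequence>
        <xs:element name=""Order"" minOccurs=""0"" maxOccurs=""unbounded"">
          <xs:complexType>
            <xs:sequence>
              <xs:element name=""Id"" type=""xs:int""/>
              <xs:element name=""Customer"" type=""xs:string""/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>";

    static readonly XmlSchemaSet KnownSafeSchemas = BuildSchemaSet();

    static XmlSchemaSet BuildSchemaSet()
    {
        var set = new XmlSchemaSet { XmlResolver = null };   // no schema imports over the network
        set.Add(null, XmlReader.Create(new StringReader(OrdersXsd)));
        set.Compile();
        return set;
    }

    // The DataSet schema lives in code, so the document's schema is never needed.
    static DataSet NewOrdersDataSet()
    {
        var ds = new DataSet("Orders");
        var t = ds.Tables.Add("Order");
        t.Columns.Add("Id", typeof(int));
        t.Columns.Add("Customer", typeof(string));
        return ds;
    }

    public static DataSet Read(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            ValidationType = ValidationType.Schema,
            Schemas = KnownSafeSchemas,
        };
        // ProcessInlineSchema is deliberately absent from ValidationFlags: an
        // <xs:schema> inside the document is just an element the XSD does not
        // allow, so validation throws before ReadXml ever sees it. IgnoreSchema
        // is the second line of defence if validation is ever loosened.
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            var ds = NewOrdersDataSet();
            ds.ReadXml(reader, XmlReadMode.IgnoreSchema);
            return ds;
        }
    }

    // Caller-side handling: each rejection reason is logged separately so that
    // probes (schema violations, InvalidOperationException from a patched
    // ReadXml) can be distinguished from ordinary malformed input.
    public static bool TryRead(string xml, out DataSet ds, Action<string> log)
    {
        ds = null;
        try { ds = Read(xml); return true; }
        catch (XmlSchemaValidationException e) { log("rejected by XSD: " + e.Message); }
        catch (XmlException e) { log("malformed XML: " + e.Message); }
        catch (InvalidOperationException e) { log("ReadXml refused input: " + e.Message); }
        return false;
    }

    public static void Main()
    {
        // Constructed inputs: a benign document and one smuggling an inline schema.
        const string benign = "<Orders><Order><Id>7</Id><Customer>acme</Customer></Order></Orders>";
        const string withInlineSchema =
            "<Orders><xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\"/>" +
            "<Order><Id>7</Id><Customer>acme</Customer></Order></Orders>";
        foreach (var doc in new[] { benign, withInlineSchema })
        {
            if (TryRead(doc, out var ds, Console.Error.WriteLine))
                Console.WriteLine($"loaded {ds.Tables["Order"].Rows.Count} row(s)");
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, this pattern only hardens the ReadXml call site; apply the July 2020 update regardless, since the patched runtime enforces its own type allowlist inside ReadXml, and do not opt out of that check via the AppContext switch Switch.System.Data.AllowArbitraryDataSetTypeInstantiation described in Microsoft's DataSet and DataTable security guidance. Second, DataSet and DataTable also travel through other serializers (BinaryFormatter, XmlSerializer, SOAP), and an attacker-controlled instance arriving by any of those routes needs the same scrutiny.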
References
Read the full report for CVE-2020-1147 on our website for more details including interactive diagrams and full exploit analysis.