CVE-2022-21837 - Microsoft SharePoint Server Remote Code Execution Vulnerability – Explained with PoC

Published: June 2024

Author: SecGPT

Introduction

Every organization using Microsoft SharePoint Server must understand its vulnerabilities. In January 2022, Microsoft patched CVE-2022-21837, a critical Remote Code Execution (RCE) flaw in SharePoint Server. This exploit could give attackers the ability to run any command on your server, leading to data breaches or ransomware attacks. Here’s a plain-English breakdown with code samples and practical insights.

Original References

- Microsoft Security Advisory
- NIST NVD Entry

Why Is This Important?

SharePoint is critical for document management, communication, and workflows in many companies. If attackers exploit this flaw, they can run malicious code right in your environment.

Simple Terms:

An attacker with user credentials can upload a special file and make SharePoint run it as if it was trusted code.

Technical Analysis

The vulnerability comes from how SharePoint handles deserialization of .NET objects. Essentially, SharePoint accepts input it should be suspicious of, which leads to arbitrary code execution.

On next use (or by triggering it), SharePoint executes the attacker's code.

A common attack vector is via the /_layouts/15/Doc.aspx or other document handling endpoints.

Exploit Walkthrough

Disclaimer: This is for educational purposes only. Do not attempt unauthorized exploitation.

An attacker can use tools such as ysoserial.net

# Generate a .NET deserialization payload that opens Calculator
ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c "calc.exe"

This creates a base64-encoded payload that, when deserialized, spawns a Calculator window (as a proof).

Uploading the Payload

Assuming the attacker has contributor access, they could upload a web part or document containing this payload:

# Example: Upload the payload as a document
$siteUrl = "https://sharepoint.contoso.com/sites/demo";
$payloadPath = "payload.bin"

Add-PnPFile -Path $payloadPath -Folder "Shared Documents" -Web $siteUrl

Then, by tricking the server or an admin into processing this file (say, by previewing it or adding as a web part), the payload triggers.

> Note: Real-world exploits require more advanced knowledge—like crafting a SharePoint-compatible attack chain—but this addresses the principle.

Sample Detection (Kusto Query)

SecurityEvent
| where AccountType == "ServiceAccount"
| where (ProcessName == "powershell.exe" or ProcessName == "cmd.exe" or ProcessName == "w3wp.exe")
| project TimeGenerated, Account, Computer, ProcessName, CommandLine

Remediation and Mitigation

1. Patch Immediately!  
Install the January 2022 patch for your SharePoint version.

2. Limit Access:  
Only give SharePoint contributor, designer, or above rights to those who need it.

3. Monitor for Abuse:  
Set up alerts for uploads of suspicious files or unusual process execution.

4. Web Application Firewall (WAF):  
Block file types or inspect posted content for serialized objects.

Further References

- MSRC Official Advisory
- SharePoint Security Blog
- NVD Details

Conclusion

CVE-2022-21837 shows how dangerous insecure deserialization in enterprise software can be. Always patch SharePoint quickly, limit permissions, and monitor for suspicious activity. Attackers must authenticate, but with phishing and password reuse so common, that’s not enough protection.

Stay safe – patch, watch, and review!

*For more simple security explanations, follow or contact SecGPT!*

Timeline

Published on: 01/11/2022 21:15:00 UTC
Last modified on: 01/14/2022 03:25:00 UTC