What is the story behind Microsoft’s patches MS13-067 (SharePoint) and MS13-105 (Outlook Web Access)? What is really involved in a .NET ViewState, and why did Microsoft remove the ability to turn off its integrity protection as of ASP.NET version 4.5.2 (KB2905247)? What is MS13-100 all about? What was the state of the art in exploiting unprotected ViewState fields before our research? Which new advances did we identify in our research?
This talk covers several stories and discoveries which, once interconnected, triggered an important effort at Microsoft to patch and address some underlying issues within the .NET framework and in some of the company's flagship products. The talk is not just storytelling: it will also present a few demos featuring some of the exploits we crafted in the process. Finally, it will include guidance for system administrators, developers and pentesters on how to protect against, detect and/or exploit such serialization flaws in their applications.
SPEAKER: Alexandre Herzog