Scrape Timestamp (UTC): 2023-09-29 18:09:09.311
Original Article Text
Exploit released for Microsoft SharePoint Server auth bypass flaw.

Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft explained in June when it patched the vulnerability. "An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action."

On September 25, STAR Labs researcher Nguyễn Tiến Giang (Janggggg) published a technical analysis describing the exploitation process for a chain of vulnerabilities. These include the CVE-2023-29357 bug and a second critical flaw identified as CVE-2023-24955, which facilitates remote code execution through command injection. Janggggg successfully achieved RCE on a Microsoft SharePoint Server using this exploit chain during the March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward.

A day after the technical analysis was made public, a proof-of-concept exploit for the CVE-2023-29357 privilege escalation vulnerability surfaced on GitHub. Although this exploit does not grant attackers remote code execution, as it does not cover the entire exploit chain demonstrated at Pwn2Own Vancouver, the author clarifies that attackers could potentially combine it with the CVE-2023-24955 command injection bug to achieve this objective.

"The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes," the exploit's developer says. "However, to maintain an ethical stance, this script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing."

A YARA rule is also available to help network defenders analyze logs for signs of potential exploitation on their SharePoint servers using the CVE-2023-29357 PoC exploit.

Despite the existing exploit not granting immediate remote code execution capabilities, it is highly recommended to apply the security patches issued by Microsoft earlier this year as a preventive measure against potential attacks. Now that Janggggg has released technical details for both flaws, it is only a matter of time before threat actors or other security researchers reproduce the full exploit chain to achieve full remote code execution.
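The article describes the bug only as acceptance of "spoofed JWT authentication tokens" and does not say how those tokens are built, so the block below is not SharePoint's token code and not the GitHub PoC. It is an added example, written for this page, of the checks a JWT verifier must apply so that the general class of forged tokens (unsigned or "alg: none" tokens, tokens signed with the wrong key, tampered payloads, expired tokens) is refused. The secret key, the claim names and the timestamps are constructed for the example; only the Python standard library is used.

```python
"""Strict HS256 JWT verification (added example; not SharePoint or PoC code).

The verifier pins the algorithm server-side instead of reading it from the
attacker-controlled header, checks the HMAC in constant time, and enforces
'exp'. SECRET_KEY and the sample claims are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed example secret; a real deployment uses a managed key.
SECRET_KEY = b"example-shared-secret-not-real"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. alg='none' is accepted here only so a forgery can be built for testing."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."  # unsigned token: empty signature segment
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is a valid, unexpired HS256 token.

    Raises ValueError with a short reason otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("undecodable header or payload")
    # Never let the header choose the algorithm: the attacker controls it.
    if header.get("alg") != "HS256":
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= float(claims["exp"]):
        raise ValueError("token expired or missing exp")
    return claims


def check_token(token: str, key: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
    """Non-raising wrapper: (True, 'ok') or (False, reason)."""
    try:
        verify_token(token, key, now)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


def tamper_payload(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature, as a forger would try."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed clock so the demo is deterministic
    claims = {"nameid": "admin@example.com", "exp": fixed_now + 600}
    print(check_token(issue_token(claims, SECRET_KEY), SECRET_KEY, fixed_now))
    print(check_token(issue_token(claims, b"", alg="none"), SECRET_KEY, fixed_now))
    print(check_token(issue_token(claims, b"other-key"), SECRET_KEY, fixed_now))
```

Run stand-alone it prints one accepted token followed by the two rejections. The point to carry over to any JWT consumer is the order of checks: pin the algorithm first, verify the signature before reading any claim that grants privilege, and only then evaluate expiry and identity claims such as `nameid`.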
Daily Brief Summary
Proof-of-concept (PoC) exploit code for a critical authentication bypass vulnerability in Microsoft SharePoint Server has been published on GitHub. The flaw is known as CVE-2023-29357.
Attackers exploiting this flaw can gain administrator privileges without any user interaction, using spoofed JWT authentication tokens to execute a network attack that bypasses authentication.
STAR Labs researcher Nguyễn Tiến Giang detailed the exploitation process, covering the CVE-2023-29357 bug and a second critical flaw, CVE-2023-24955, in a recent technical analysis.
The second flaw enables remote code execution via command injection.
Nguyễn showed a successful remote code execution on Microsoft SharePoint Server using this exploit chain in March 2023, winning a $100,000 prize at the Pwn2Own contest in Vancouver.
The posted exploit on GitHub does not offer the full exploit chain for remote code execution. However, attackers may combine this exploit with the CVE-2023-24955 bug to achieve this.
Microsoft has released security patches for these flaws and network administrators are urged to apply them immediately to prevent attacks.