The Information Highway

The Information Highway

Font size: +
2 minutes reading time (399 words)

Exploit released for Microsoft SharePoint Server auth bypass flaw

Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. 

Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft explained in June when it patched the vulnerability. 

"An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action."

On September 25, STAR Labs researcher Nguyễn Tiến Giang (Janggggg) published a technical analysis describing the exploitation process for a chain of vulnerabilities.

These include the CVE-2023-29357 bug and a second critical flaw identified as CVE-2023–24955, which facilitates remote code execution through command injection.

Janggggg successfully achieved RCE on a Microsoft SharePoint Server using this exploit chain during the March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward.

A day after the technical analysis was made public, a proof-of-concept exploit for the CVE-2023-29357 privilege escalation vulnerability surfaced on GitHub.

Although this exploit does not grant attackers remote code execution, as it does not cover the entire exploit chain demonstrated at Pwn2Own Vancouver, the author clarifies that attackers could potentially combine it with the CVE-2023-24955 command injection bug to achieve this objective.

"The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes," the exploit's developer says.

"However, to maintain an ethical stance, this script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing." 

A YARA rule is also available to help network defenders analyze logs for signs of potential exploitation on their SharePoint servers using the CVE-2023-29357 PoC exploit.

Despite the existing exploit not granting immediate remote code execution capabilities, it is highly recommended to apply the security patches issued by Microsoft earlier this year as a preventive measure against potential attacks.

Now that Janggggg has released technical details for both flaws, it is only a matter of time before threat actors or other security researchers reproduce the full exploit chain to achieve full remote code execution.

Microsoft fixes Outlook prompts to reopen closed w...
Microsoft breach led to theft of 60,000 US State D...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023