Exploit Released for Microsoft SharePoint Server Authentication Bypass Flaw

Cyber Security Threat Summary:
“Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction” (Bleeping Computer, 2023).

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft explained in June when it patched the vulnerability. "An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action."
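To make the failure mode in Microsoft's description concrete, the following is an added example (not code from the original page, from Microsoft, from STAR Labs, or from the PoC author) of the check a token consumer must perform on every JWT it receives: a minimal HS256 verifier that pins the accepted algorithm, refuses unsigned tokens (those declaring `alg` "none") and refuses tokens whose signature does not verify under the server's own key. The signing key, the claims and the use of HMAC-SHA256 are constructed assumptions for the demo; SharePoint's actual token format and signing material are not described on this page.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment uses its own signing material.
DEMO_KEY = b"constructed-demo-signing-key"


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Build a compact JWT. Used only to construct sample input for the demo,
    including deliberately bad tokens that the verifier must reject."""
    header = {"alg": alg, "typ": "JWT"}
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{head}.{body}."  # unsigned token: empty signature segment
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY) -> tuple:
    """Return (True, claims) for a token signed under `key` with HS256,
    otherwise (False, reason). Claims are only parsed after the signature
    has been checked, so an unverified payload is never trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False, "bad header"
    # Pin the algorithm the verifier is configured for. The token's own
    # "alg" field must never select the algorithm, and "none" is never accepted.
    if header.get("alg") != "HS256":
        return False, f"rejected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not sig_b64 or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "signature mismatch"
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        return False, "bad payload"
    return True, claims


def demo() -> dict:
    """Run the verifier over three constructed tokens: one genuine, one
    unsigned ("alg": "none") and one signed with the wrong key."""
    genuine = make_token({"sub": "user1", "roles": ["reader"]})
    unsigned = make_token({"sub": "admin", "roles": ["site-admin"]}, alg="none")
    forged = make_token({"sub": "admin", "roles": ["site-admin"]}, key=b"wrong-key")
    return {
        "genuine": verify_token(genuine)[0],
        "unsigned": verify_token(unsigned)[0],
        "forged": verify_token(forged)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:8s} accepted={ok}")
```

The two properties worth keeping in mind when reviewing any token-consuming code are visible in `verify_token`: the accepted algorithm is fixed by the verifier rather than read from the token, and the payload is not decoded into claims until the signature has been confirmed with a constant-time comparison.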

Last week, a STAR Labs researcher (Janggggg) released a technical analysis of the vulnerabilities and described, at a high level, how they can be chained together. The chain consists of the CVE-2023-29357 bug and a second critical flaw, CVE-2023-24955, which enables remote code execution through command injection. By chaining the two flaws, the researcher achieved remote code execution on Microsoft SharePoint Server.

Security Officer Comments:
A day after Janggggg’s technical analysis was released, a proof-of-concept exploit was posted on GitHub for CVE-2023-29357. While this exploit does not allow for remote code execution, it could be combined with CVE-2023-24955, the command injection flaw, to achieve RCE. "The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes," the exploit's developer says. "However, to maintain an ethical stance, this script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing."

With the information now available online, we expect a full exploit to be released and/or leveraged in the wild soon.

Suggested Correction(s):
A YARA rule has been made available to help network defenders scan logs on their SharePoint servers for signs of attempted exploitation using the CVE-2023-29357 PoC exploit.

While a full exploit has not yet been released, administrators should apply the latest Microsoft security updates, which resolve the vulnerability.

Link(s):
https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
https://www.bleepingcomputer.com/