Exploit Released for Critical SharePoint Vulnerability, Patch Urgently

Proof-of-concept exploit code has surfaced on GitHub for the SharePoint pre-auth RCE chain (CVE-2023-29357 and CVE-2023-24955)

Pre-Auth RCE in SharePoint Server
A proof-of-concept exploit has been published online for a critical authentication bypass vulnerability in Microsoft SharePoint. The vulnerability, tracked as CVE-2023-29357, was patched by Microsoft in June, but the public release of the exploit code means that vulnerable SharePoint servers are now at high risk of compromise.

The vulnerability allows remote attackers to bypass authentication and gain administrator privileges on affected SharePoint servers. Researchers demonstrated the flaw earlier this year at the Pwn2Own hacking competition. Now an exploit written in Python has been published on GitHub, making attacks much easier.

"An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user," Microsoft explained in June when it patched the vulnerability.

The exploit takes advantage of flaws in SharePoint's token-based authentication system to generate forged authentication tokens. Using these forged tokens, an attacker can reach SharePoint administrator APIs without valid credentials and take control of the server.
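The forged-token risk described above, illustrated with an added example that is not code from the page, the researchers or Microsoft: a defensive check that parses a JWT and rejects the generic forgery indicators (an unexpected `alg` such as `none`, a missing signature, or a signature that does not verify under the server's own key). The page does not describe SharePoint's actual token format or the specific flaw, so the HS256 scheme, the claims, the key and the sample tokens below are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(payload: dict, key: bytes, alg: str = "HS256", sign: bool = True) -> str:
    """Build a compact JWT; sign=False leaves the signature segment empty (a forgery sample)."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = _b64url_encode(hmac.new(key, signing_input.encode(), hashlib.sha256).digest()) if sign else ""
    return f"{signing_input}.{sig}"

def inspect_jwt(token: str, key: bytes) -> dict:
    """Verdict on a compact JWT: the server's key decides, never the token's own 'alg' header."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reasons": ["malformed: expected 3 segments"], "payload": None}
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return {"ok": False, "reasons": ["malformed: undecodable segment"], "payload": None}
    reasons = []
    alg = str(header.get("alg", "")).lower() if isinstance(header, dict) else ""
    if alg != "hs256":
        reasons.append(f"unexpected alg '{alg}'")  # 'none' or any unexpected algorithm is rejected
    if not sig:
        reasons.append("missing signature")
    # Always recompute with the server-side key, regardless of what the header claims.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if sig and not hmac.compare_digest(sig, expected):
        reasons.append("signature does not verify")
    return {"ok": not reasons, "reasons": reasons, "payload": payload}

# Constructed samples (not real SharePoint tokens); the key is a placeholder secret.
KEY = b"placeholder-server-signing-key"
GOOD = make_token({"sub": "reader@example.test", "role": "reader"}, KEY)
UNSIGNED = make_token({"sub": "admin@example.test", "role": "admin"}, KEY, alg="none", sign=False)
_h, _p, _s = GOOD.split(".")
TAMPERED = f"{_h}.{_b64url_encode(json.dumps({'sub': 'admin@example.test', 'role': 'admin'}).encode())}.{_s}"
```

`inspect_jwt(GOOD, KEY)` accepts the properly signed token, while the unsigned `alg: none` token and the payload-swapped token are both rejected with the reasons listed.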

Microsoft has urged SharePoint administrators to immediately apply patches released in June as part of the company's monthly Patch Tuesday updates. The vulnerability impacts SharePoint versions 16.0.0 and earlier.

STAR Labs researcher Nguyễn Tiến Giang (Janggggg), who discovered this vulnerability at the Pwn2Own contest held in Vancouver in March 2023, shared technical details describing the exploitation process for the chain of vulnerabilities.

To achieve pre-auth remote code execution (RCE) on the SharePoint server, Giang chained two vulnerabilities: the CVE-2023-29357 authentication bypass and a second critical flaw, CVE-2023-24955, which enables remote code execution through command injection.

After the technical details were released, a proof-of-concept exploit for the CVE-2023-29357 privilege escalation vulnerability surfaced on GitHub. On its own, this exploit does not grant attackers remote code execution, because it does not cover the entire exploit chain demonstrated at Pwn2Own Vancouver; however, its author notes that attackers could potentially combine it with the CVE-2023-24955 command injection bug to achieve that.

"This script exploits a vulnerability (CVE-2023-29357) in Microsoft SharePoint Server allowing remote attackers to escalate privileges on affected installations of Microsoft SharePoint Server. While this script focuses on elevation of privilege, attackers with malicious intent might chain this vulnerability with a Remote Code Execution (RCE) vulnerability (CVE-2023-24955) to compromise the integrity, availability, and confidentiality of the target system," the exploit's developer says.

Now researchers from Positive Technologies have tweeted a video demonstration of successful exploitation of the bug. They said they have reproduced both CVE-2023-29357 and CVE-2023-24955 in Microsoft SharePoint. The chain allows unauthenticated users to execute arbitrary commands on the server.

With attacks likely imminent, SharePoint users should treat patching as the utmost priority. The exploit code is already being used by security researchers to identify vulnerable systems. Users should also be on high alert for unusual activity that may indicate compromise.

Proactive patching and vigilance are critical to protect against the attacks that typically follow a public exploit release. Administrators are advised to review SharePoint logs for signs of unauthorized access. With public exploits now available, there is no time to waste in applying the fixes.
