Proof-of-concept exploit code for a severe authentication bypass vulnerability in Microsoft SharePoint Server has been published on GitHub. Tracked as CVE-2023-29357, the flaw lets an unauthenticated attacker escalate privileges on the server. Exploitation is of low complexity and requires no user interaction. Microsoft, which patched the vulnerability in its June 2023 security updates, explained, 'An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user.' The company added that successful exploitation could give the attacker administrator privileges without any prior privileges or user action.
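The article does not describe how SharePoint's token check can be fooled, so the following is a generic illustration, written for this page and not taken from SharePoint, the STAR Labs research or the GitHub PoC, of what a 'spoofed JWT' bypass looks like in code: a verifier that lets the token's own `alg` header decide whether a signature is checked accepts a token the attacker minted with no key at all, while a verifier that pins the algorithm and always checks the signature rejects it. The HS256 key, claim names, user names and the `role` claim are all constructed for the demo; the honouring of `alg: none` is shown as a classic JWT-validation mistake, not as a statement of the SharePoint root cause.

```python
"""Generic JWT spoofing illustration (example code added to this article, not
SharePoint or PoC code).  Shows a weak verifier that trusts the token's own
`alg` header beside a hardened one that pins the algorithm."""

import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Constructed server-side secret for the demo.  A real issuer would normally use
# an asymmetric key or certificate; the validation mistake is the same either way.
SERVER_KEY = b"demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    # HS256: HMAC-SHA256 over the ASCII "header.payload" string.
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Mint a legitimately signed HS256 token, as the real issuer would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _sign(f"{header}.{payload}".encode(), key)
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker holding no key can produce: alg=none and an empty signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def weak_validate(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Flawed verifier: the token chooses its own algorithm.  When the header
    says alg=none the signature check is skipped, so the forged token passes."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return claims  # BUG: unsigned token trusted
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), key)
    if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return claims
    return None


def strict_validate(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Hardened verifier: the server, not the token, fixes the algorithm, and a
    token is only accepted if its signature verifies under the server's key."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # malformed or unsigned
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm
        return None
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), key)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def resolve_privilege(token: str, validate: Callable[[str], Optional[dict]]) -> str:
    """Privilege level the server would grant the bearer of `token`.
    The `role` claim is a constructed stand-in for a real authorization decision."""
    claims = validate(token)
    if claims is None:
        return "unauthenticated"
    return "admin" if claims.get("role") == "admin" else "user"


if __name__ == "__main__":
    forged = forge_unsigned_token({"sub": "attacker", "role": "admin"})
    genuine = issue_token({"sub": "alice", "role": "user"})
    print("weak verifier, forged token   ->", resolve_privilege(forged, weak_validate))
    print("strict verifier, forged token ->", resolve_privilege(forged, strict_validate))
    print("strict verifier, real token   ->", resolve_privilege(genuine, strict_validate))
```

The forged token carries whatever identity and role the attacker writes into it, which is why Microsoft describes the outcome as gaining the privileges of an authenticated user without holding any credentials. The fix in `strict_validate` is the general one: never let untrusted input select the verification algorithm, and treat a missing signature as a failure rather than as a token that needs no checking.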
Nguyễn Tiến Giang, a researcher at STAR Labs, published a technical analysis on September 25 detailing how he chained CVE-2023-29357 with a second critical flaw, CVE-2023-24955, a command injection bug that allows remote code execution. Giang used this exploit chain to achieve remote code execution on a Microsoft SharePoint Server at the Pwn2Own contest in Vancouver in March 2023, earning a $100,000 reward.
Following the publication of the technical analysis, a proof-of-concept exploit for the CVE-2023-29357 privilege escalation vulnerability appeared on GitHub. The exploit does not by itself give attackers remote code execution, because it does not implement the full chain demonstrated at Pwn2Own Vancouver; its author noted, however, that it could be paired with the CVE-2023-24955 command injection bug to achieve that. The developer of the exploit stated, 'The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes.' They further clarified that the script is intended solely for educational purposes and lawful and authorized testing, and does not contain functionalities to perform remote code execution.
A YARA rule is also available to help defenders examine logs for signs of attempted exploitation of their SharePoint servers with the CVE-2023-29357 PoC. Because the rule is keyed to this particular PoC, a negative result does not rule out exploitation by a differently written tool, so it should supplement rather than replace patching. Even though the public exploit does not provide immediate remote code execution, administrators are strongly advised to apply the security updates Microsoft released in June 2023. With Giang's technical details for both flaws now public, it is expected that threat actors or other researchers will soon reproduce the full exploit chain and achieve complete remote code execution.