Researchers have disclosed details of an exploit chain that combines two critical vulnerabilities in Microsoft SharePoint Server to achieve remote code execution (RCE) on affected servers. Separately, an independent researcher posted proof-of-concept code on GitHub demonstrating how one of the vulnerabilities can be exploited to gain admin privileges.
The two vulnerabilities, labeled as CVE-2023-29357 and CVE-2023-24955, were discovered in SharePoint Server 2019. The former is an elevation of privilege flaw that allows an unauthenticated attacker to use a spoofed JSON Web Token (JWT) to bypass authentication checks and gain administrator privileges on an affected SharePoint server. The latter vulnerability is a remote code execution flaw that allows remote attackers to execute arbitrary code on SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server Subscription Edition.
Microsoft has categorized both flaws as critical and assesses that threat actors are likely to exploit them in the near future. The National Vulnerability Database (NVD) has assigned a 9.8 severity rating to CVE-2023-29357 and a 7.3 rating to the RCE flaw. Internet scanning platform Censys has identified over 100,000 Internet-exposed SharePoint servers that could potentially be affected by these vulnerabilities.
The vulnerabilities were reported to Microsoft by researchers from Singapore-based StarLabs. The researchers have also released details of an exploit chain they developed that uses the two vulnerabilities together to gain pre-authentication RCE on affected systems. The exploit was first demonstrated at Pwn2Own Vancouver in March.
In a technical paper, a researcher from StarLabs explained how they first spoofed a valid JWT using the 'none' signing algorithm to impersonate a user with administrative privileges on a SharePoint Server 2019 instance. A JWT whose header declares the 'none' algorithm carries no digital signature, so its claims can be modified without detection by any verifier that honours that header. The researchers then described how they used these privileges to inject arbitrary code via the CVE-2023-24955 vulnerability.
Separately, independent security researcher Valentin Lobstein posted proof-of-concept code on GitHub showing how an attacker could gain admin privileges on unpatched SharePoint Server 2019 systems via CVE-2023-29357. His exploit focused purely on privilege escalation, but he noted that attackers could chain it with CVE-2023-24955 to compromise the confidentiality, integrity, and availability of an affected SharePoint server.
Microsoft has recommended that organizations enable the Antimalware Scan Interface (AMSI) integration feature on SharePoint and use Microsoft Defender as a protective measure against CVE-2023-29357. SOCRadar stressed the importance of immediate action, especially for organizations running SharePoint Server 2019, as the likelihood of malicious actors leveraging the exploit has substantially increased now that it is publicly available.