Proof-of-concept exploit code has been published on GitHub for a critical authentication bypass in Microsoft SharePoint Server that lets an attacker escalate privileges.
Unauthenticated attackers can obtain administrator rights by exploiting CVE-2023-29357 in a low-complexity attack that requires no user interaction.
Microsoft addressed the vulnerability in its June 2023 security updates. Its advisory reads: “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,”
“An attacker who exploited this vulnerability may become an administrator. No privileges or user activity are needed by the attacker.”
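The advisory describes the bug class in one sentence: a bearer token the server never properly verified is accepted as proof of identity. The block below is an added illustration of that class and of the check that closes it; it is not SharePoint code, not the published PoC, and not part of the original article. The shared key, claim names and tokens are all constructed for the example, and the verifier is deliberately minimal (HS256 only, no expiry or audience checks).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for the example only; a real service loads key material from its configuration.
SECRET_KEY = b"example-shared-secret-do-not-reuse"

# The verifier pins the algorithm it will accept. Reading the algorithm from the token's own
# header is what makes "alg": "none" and unsigned tokens dangerous.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint a legitimately HS256-signed token so the example has something valid to verify."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_unsigned_token(claims: dict) -> str:
    """Build the kind of spoofed token an attacker submits: claims of their choosing,
    a header declaring no algorithm, and an empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def swap_claims(token: str, claims: dict) -> str:
    """Keep a real token's header and signature but replace its claims (constructed tampering case)."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_segment(claims)}.{sig_b64}"


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the token is well-formed, uses an allowed algorithm,
    and carries a valid HMAC over header.payload; otherwise return None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Algorithm allowlist: "none", unknown or mismatched algorithms are rejected outright.
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        given = b64url_decode(sig_b64)
    except ValueError:
        return None
    # Constant-time comparison; an empty or attacker-chosen signature never matches.
    if not hmac.compare_digest(expected, given):
        return None
    try:
        return json.loads(b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return None


def demo() -> dict:
    """Exercise the verifier against a genuine token and two spoofed ones."""
    user_claims = {"sub": "alice", "role": "user"}
    admin_claims = {"sub": "alice", "role": "admin"}
    genuine = sign_token(user_claims, SECRET_KEY)
    return {
        "genuine": verify_token(genuine, SECRET_KEY),
        "alg_none": verify_token(forge_unsigned_token(admin_claims), SECRET_KEY),
        "swapped_claims": verify_token(swap_claims(genuine, admin_claims), SECRET_KEY),
        "wrong_key": verify_token(sign_token(admin_claims, b"some-other-key"), SECRET_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted ' + str(result) if result else 'rejected'}")
```

The point of the three rejected cases is that every one of them would be accepted by a verifier that trusts the token's header to say how (or whether) it was signed; pinning the algorithm server-side and always checking the MAC is what turns a spoofed token into a failed login rather than an administrator session.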
On September 25, STAR Labs researcher Nguyễn Tiến Giang (Janggggg) released a technical analysis detailing a vulnerability chain exploitation technique.
The second critical weakness, CVE-2023-24955, allows remote code execution via command injection.
At the March 2023 Pwn2Own contest in Vancouver, Janggggg used this attack chain to gain RCE on a Microsoft SharePoint Server and win $100,000.
A proof-of-concept exploit for the CVE-2023-29357 privilege escalation flaw appeared on GitHub a day after the technical analysis was published.
The exploit does not reproduce the full chain demonstrated at Pwn2Own Vancouver, but its author suggests combining it with the CVE-2023-24955 command injection flaw to achieve remote code execution.
“The script outputs admin user details with elevated privileges and can operate in single and mass exploit modes,” writes the exploit’s developer.
“To maintain an ethical stance, this script does not contain RCE functionalities and is only for educational and legal testing.”
Network defenders can use a YARA rule to scan SharePoint server logs for signs of exploitation with the CVE-2023-29357 PoC.
Although the PoC on its own does not yield remote code execution, administrators are advised to apply the security updates Microsoft released for both CVEs earlier this year to block attacks.
Now that Janggggg has published technical details of both issues, threat actors or security researchers may soon reproduce the complete attack chain and achieve remote code execution.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.