Microsoft SharePoint Server Elevation of Privilege Vulnerability Exploit (CVE-2023-29357)

In June 2023, Microsoft released a patch for a critical elevation of privilege vulnerability in SharePoint Server, tracked as CVE-2023-29357. An unauthenticated attacker who exploits the flaw can obtain administrator-level privileges. The vulnerability allows an attacker to spoof JWT authentication tokens and present them to the server over the network, bypassing authentication and gaining the privileges of an authenticated user. No user interaction is required.

From Discovery to Exploitation: The SharePoint Pre-Auth RCE Chain

Vulnerability Intelligence page for CVE-2023-29357 in SOCRadar Platform.

Nguyễn Tiến Giang, a researcher at StarLabs, published a thorough analysis of the compound exploit chain against SharePoint that was demonstrated at the Pwn2Own Vancouver 2023 event. The chain involves two vulnerabilities:

  1. Authentication Bypass: An attacker can impersonate any SharePoint user by crafting a JWT whose header declares the ‘none’ signing algorithm. Because the token verification performed during OAuth authentication honours the algorithm named in the token, the signature check is skipped entirely.
  2. Code Injection: A SharePoint user with ‘Owners’ permissions on a site can inject arbitrary code by replacing the /BusinessDataMetadataCatalog/BDCMetadata.bdcm file; the injected code is compiled into an assembly that SharePoint subsequently executes.

The primary challenge was that the authentication bypass only grants access to the SharePoint API, so a post-authentication RCE chain reachable through that API had to be identified.
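To make the bypass concrete, the following Python example (added here; it is not code from the StarLabs research, the public exploit script, or SharePoint itself) models a JWT verifier that honours the algorithm named in the token header beside one that pins the expected algorithm server-side. The signing key, the claim names and the token contents are constructed for the demonstration and do not reproduce SharePoint's real token format.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header_b64: str, payload_b64: str, key: bytes) -> str:
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return b64url_encode(mac)


def issue_token(claims: dict, key: bytes) -> str:
    """What a legitimate issuer produces: HS256 header plus a real signature."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}.{sign_hs256(header_b64, payload_b64, key)}"


def forge_none_token(claims: dict) -> str:
    """What the bypass does: the header claims alg=none and the signature segment is empty."""
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}."


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """Trusts the token's own 'alg' field: a 'none' header disables the signature check."""
    header_b64, payload_b64, sig = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if str(header.get("alg", "")).lower() != "none":
        if not hmac.compare_digest(sig, sign_hs256(header_b64, payload_b64, key)):
            return None
    return json.loads(b64url_decode(payload_b64))


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """Pins the algorithm server-side; the token never gets to choose how it is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256" or not sig:
        return None
    if not hmac.compare_digest(sig, sign_hs256(header_b64, payload_b64, key)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # assumption: a server-side HMAC key
    forged = forge_none_token({"sub": "admin"})  # constructed claims
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, key))
    print("hardened verifier accepts forged token:", verify_hardened(forged, key))
```

The essential difference is where the algorithm decision lives: the vulnerable verifier reads it from attacker-controlled input, the hardened one compares the header against a fixed expectation and additionally refuses an empty signature segment, so case variants such as `None` or `NONE` are rejected as well.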

Exploit in the Wild

A public exploit script for CVE-2023-29357 has recently been released on GitHub. It allows an attacker to elevate privileges on unpatched SharePoint Server installations, and a malicious actor could chain it with a separate RCE vulnerability to fully compromise the confidentiality, integrity, and availability of the system.

To offer a broader perspective, the GitHub exploit script provides:

  1. User Impersonation: The script forges an unsigned JWT so that its requests to the SharePoint API are processed as the chosen user. Chained with a code-execution flaw such as the one described above, this lets an attacker execute arbitrary code as the SharePoint application or cause a denial of service (DoS).
  2. Detailed Outputs: The script lists admin users with elevated privileges and can run in both single-target and mass-exploitation modes.
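Because the forged token announces `alg: none` in its header and carries an empty signature segment, it is easy to spot on the wire. The Python example below is added here and is not part of the original post or the GitHub script: it scans constructed access-log lines from a reverse proxy that is assumed to log the Authorization header (IIS logs do not record it by default) and flags Bearer tokens whose header names the none algorithm, in any letter case, or whose signature segment is empty. The log format, IP addresses and tokens are all constructed for the demonstration.

```python
import base64
import json
import re
from typing import Dict, List


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, claims: dict, signature: str) -> str:
    """Helper used only to build the constructed log lines below."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     signature])


# Constructed log lines (assumed proxy format): timestamp, client IP, method, path,
# quoted Authorization header, HTTP status. This is not a real capture.
SAMPLE_LOG = [
    "2023-09-26T10:01:02Z 203.0.113.10 GET /_api/web/currentuser \"Bearer %s\" 200"
    % make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, "c2lnbmF0dXJl"),
    "2023-09-26T10:01:05Z 198.51.100.7 GET /_api/web/siteusers \"Bearer %s\" 200"
    % make_token({"alg": "none", "typ": "JWT"}, {"sub": "admin"}, ""),
    "2023-09-26T10:01:09Z 198.51.100.7 GET /_api/web/currentuser \"Bearer %s\" 200"
    % make_token({"alg": "NoNe", "typ": "JWT"}, {"sub": "admin"}, "AAAA"),
    "2023-09-26T10:02:00Z 203.0.113.10 GET /sites/hr/default.aspx \"-\" 200",
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<auth>[^"]*)" (?P<status>\d+)$'
)
# Three base64url segments; the signature segment may be empty.
JWT_RE = re.compile(r"^Bearer (?P<tok>[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]*)$")


def inspect_token(token: str) -> Dict[str, object]:
    """Decode only the header; the payload is untrusted and not needed for the verdict."""
    header_b64, _payload_b64, signature = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return {"alg": None, "unsigned": True, "reason": "undecodable header"}
    alg = str(header.get("alg", ""))
    reasons = []
    if alg.lower() == "none":
        reasons.append("alg none")
    if signature == "":
        reasons.append("empty signature")
    return {"alg": alg, "unsigned": bool(reasons), "reason": ", ".join(reasons)}


def find_unsigned_bearer_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request that presented an unsigned or alg=none JWT."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = JWT_RE.match(m.group("auth"))
        if not t:
            continue
        verdict = inspect_token(t.group("tok"))
        if verdict["unsigned"]:
            findings.append({"ip": m.group("ip"), "path": m.group("path"),
                             "alg": verdict["alg"], "reason": verdict["reason"]})
    return findings


if __name__ == "__main__":
    for finding in find_unsigned_bearer_requests(SAMPLE_LOG):
        print(finding)
```

The check is deliberately applied to the header alone: a verifier that has already been bypassed will have accepted the payload, so the detection must not depend on anything the attacker wrote there. In a real deployment the same logic would run over the proxy's log stream or a packet capture rather than an in-memory list.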

It should be emphasised that the script is published for educational purposes, legal testing, and ethical use only.

Affected Versions: Is Your SharePoint at Risk?

The vulnerabilities, CVE-2023-29357 in particular, directly affect SharePoint Server 2019. The exploit chain was proven against SharePoint Server 2019 build 16.0.10396.20000 with the March 2023 security updates (KB5002358 and KB5002357) installed.

Defensive Measures

Organizations running SharePoint Server, and SharePoint Server 2019 in particular, should act immediately. Microsoft recommends installing all security updates for the versions in use; the June 2023 security update is the first to address this vulnerability.

Patching is the primary and most strongly recommended protection against this vulnerability, but Microsoft has also highlighted a mitigating factor:

  • AMSI Integration and Microsoft Defender: Microsoft reports that customers who have enabled the AMSI (Antimalware Scan Interface) integration feature and deployed Microsoft Defender across their SharePoint Server farms are protected against exploitation of this vulnerability. AMSI integration sends incoming web requests to the antimalware engine for scanning, so it is a detection layer in front of the vulnerable code rather than a fix for it. A step-by-step guide is available in Microsoft’s documentation: Configure AMSI integration with SharePoint Server.

With the exploit now public, the likelihood that malicious actors will use it has risen substantially. Promptly applying the recommended patches and mitigations is crucial to limiting potential intrusions and data breaches.

Conclusion: Leveraging SOCRadar Vulnerability Intelligence

Vulnerability Intelligence module of SOCRadar Platform.

In this dynamic digital era, vulnerabilities can emerge from any corner. That’s where platforms like SOCRadar’s Vulnerability Intelligence come into play. With real-time monitoring, analysis, and updates on various vulnerabilities and threats, organizations can stay one step ahead, ensuring the safety and security of their digital infrastructure.

Always remember, awareness combined with timely action can be the best defense against any cyber threat.

The post Microsoft SharePoint Server Elevation of Privilege Vulnerability Exploit (CVE-2023-29357) appeared first on SOCRadar® Cyber Intelligence Inc.
