Proof-of-concept (PoC) exploit code has been published on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server. The vulnerability, tracked as CVE-2023-29357, allows unauthenticated attackers to gain administrator privileges without any user interaction, and it is exploitable in low-complexity attacks.

Microsoft patched this vulnerability in June and explained that an attacker who has obtained spoofed JWT authentication tokens can use them in a network attack that bypasses authentication and grants the privileges of an authenticated user. Successful exploitation can give the attacker administrator privileges.
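As an added illustration (not the PoC's code, and not SharePoint's own token-validation logic, which the page does not describe), the Python below shows what strict server-side JWT validation looks like: the server fixes the algorithm allowlist itself, so a spoofed token that is unsigned, declares `"alg": "none"`, or carries a tampered payload is rejected before any claims are trusted. The HMAC secret, claims and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret; a real service loads its key from a secure store.
SECRET = b"example-shared-secret"
# The server decides which algorithms are acceptable; the token never does.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims: dict, alg: str = "HS256", sign: bool = True) -> str:
    # Builds tokens only so the validator can be exercised with good and bad input.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest() if sign else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str) -> Optional[dict]:
    """Return the claims only if the token is properly signed; otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, bad base64, or bad JSON
        return None
    # Reject "none" and any algorithm outside the allowlist before checking a signature.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature bytes do not leak through timing.
    if not hmac.compare_digest(expected, presented_sig):
        return None
    return json.loads(_b64url_decode(payload_b64))
```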

The PoC exploit for the CVE-2023-29357 privilege escalation vulnerability surfaced on GitHub a day after a technical analysis was published by STAR Labs researcher Nguyễn Tiến Giang (Janggggg). Janggggg successfully achieved remote code execution (RCE) on a Microsoft SharePoint Server using this exploit chain during the March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward.

Although the published exploit does not grant remote code execution on its own, the PoC's author notes that attackers could chain it with a second critical flaw, CVE-2023-24955, a command-injection vulnerability that enables remote code execution, to achieve that result.

The PoC exploit script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes. However, the script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing.

Network defenders can use a YARA rule to scan logs for signs that the CVE-2023-29357 PoC exploit has been used against their SharePoint servers.

Applying the security patches Microsoft issued earlier this year is strongly recommended as a preventive measure, even though the existing exploit does not grant immediate remote code execution. With technical details for both vulnerabilities now public, threat actors or other security researchers are expected to reproduce the full exploit chain and achieve remote code execution.
