Researchers Release Details of New RCE Exploit Chain for SharePoint

Published: 23/11/2024   Category: security




One of the already-patched flaws enables elevation of privilege, while the other enables remote code execution.



Researchers who discovered two critical vulnerabilities in Microsoft SharePoint Server have released details of an exploit they developed that chains the two vulnerabilities together to enable remote code execution on affected servers.
Separately, another security researcher this week posted proof-of-concept code on GitHub for one of the SharePoint vulnerabilities that shows how an attacker could exploit the flaw to gain admin privileges on vulnerable systems.
One of the vulnerabilities, tracked as CVE-2023-29357, is an elevation of privilege flaw in SharePoint Server 2019 for which Microsoft issued a patch in its monthly security update for June. The vulnerability gives an unauthenticated attacker a way to use a spoofed JSON Web Token (JWT) to bypass authentication checks and gain administrator privileges on an affected SharePoint server. The attacker needs no privileges, and no user interaction is required, to exploit the flaw.
The other flaw, identified as CVE-2023-24955, is a remote code execution (RCE) vulnerability that Microsoft patched in May. It allows remote attackers to execute arbitrary code on SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server Subscription Edition.
Microsoft has described both flaws as being of critical severity and as vulnerabilities that threat actors were more likely to exploit in coming months. NIST's National Vulnerability Database (NVD) has assigned a 9.8 severity rating to CVE-2023-29357 and a 7.3 rating to the RCE flaw. According to the Internet scanning platform Censys, there are currently more than 100,000 Internet-exposed SharePoint servers that could be affected by the flaws.
Researchers from Singapore-based StarLabs, who reported both flaws to Microsoft, this week released details of an exploit chain they had developed that allowed them to use the vulnerabilities to gain pre-authentication RCE on affected systems. They first demonstrated the exploit at Pwn2Own Vancouver in March.
In a technical paper, one of the researchers described how they first spoofed a valid JWT using the None signing algorithm to impersonate a user with administrative privileges in a SharePoint Server 2019 instance. The None signing algorithm means the JWT is digitally unsigned and, therefore, can be modified without detection. The StarLabs researchers then described how they were able to use those privileges to inject arbitrary code via the CVE-2023-24955 vulnerability. "Chaining the two bugs together, an unauthenticated attacker is able to achieve remote code execution (RCE) on the target SharePoint server," StarLabs security researcher Nguyễn Tiến Giang said.
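The None-algorithm problem described above, shown as an added example (not code from StarLabs, Lobstein, or SharePoint): a decoder that lets the token header choose the algorithm accepts an unsigned token, while a verifier that pins HS256 and a constructed server key rejects it. All names and the key are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

ALLOWED_ALG = "HS256"  # pinned by the verifier; the token header must not get to choose it
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, header_b64: str, payload_b64: str) -> bytes:
    return hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, key: bytes) -> str:
    # Legitimate issuance: header.payload is HMAC-SHA256 signed with the server's key.
    header, payload = _b64e(json.dumps({"alg": ALLOWED_ALG}).encode()), _b64e(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64e(_mac(key, header, payload))}"

def unsigned_token(claims: dict) -> str:
    # Header declares alg "none"; the signature segment is empty, so nothing binds the claims.
    header = _b64e(b'{"alg":"none"}')
    return f"{header}.{_b64e(json.dumps(claims).encode())}."

def naive_decode(token: str, key: bytes) -> dict:
    # Vulnerable pattern: the header's alg selects the check, so "none" means no check at all.
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = str(json.loads(_b64d(header_b64)).get("alg", "")).lower()
    if alg != "none" and not hmac.compare_digest(_mac(key, header_b64, payload_b64), _b64d(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64d(payload_b64))  # reached with no verification whenever alg is "none"

def verify_hs256(token: str, key: bytes) -> dict:
    # Hardened: algorithm pinned server-side, empty signature rejected, constant-time MAC compare.
    header_b64, payload_b64, sig_b64 = token.split(".")  # wrong part count raises ValueError
    if json.loads(_b64d(header_b64)).get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")
    sig = _b64d(sig_b64)
    if not sig or not hmac.compare_digest(_mac(key, header_b64, payload_b64), sig):
        raise ValueError("signature mismatch")
    return json.loads(_b64d(payload_b64))

def accepts(decoder, token: str, key: bytes) -> bool:
    # True if the decoder returns claims for the token, False if it raises ValueError.
    try:
        decoder(token, key)
    except ValueError:
        return False
    return True
```

The same pinning rule applies to any JWT library: pass the expected algorithm list to the verifier explicitly rather than trusting the header's alg field.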
Separately, another independent security researcher, Valentin Lobstein, a cybersecurity student at Oteria Cyber School in France, also posted proof-of-concept code this week on GitHub that showed how an attacker could gain admin privileges on unpatched SharePoint Server 2019 systems via CVE-2023-29357. Lobstein's exploit focused purely on privilege escalation. But attackers could chain the exploit with CVE-2023-24955 to compromise the confidentiality, integrity, and availability of an affected SharePoint server, he said. "The exploit script facilitates the impersonation of authenticated users, allowing attackers to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account, potentially causing a denial of service (DoS)," he wrote. It shows how an attacker could access details of admin users with elevated privileges, but not how someone could use it to enable RCE on affected systems.
In comments to Dark Reading, Lobstein says his PoC is different from the one that the researchers from StarLabs described in their technical paper this week. He points to another PoC that researchers from Vietnamese security firm VNPT Information Technology Company released August 31 that also showed how an attacker could use the None algorithm to spoof JWT tokens and elevate privileges.
"When [an attacker is] operating under administrative privileges, several critical outcomes are conceivable," Lobstein says. "A malicious admin could delete organizational data or corrupt it in multiple ways, they could access and exfiltrate sensitive data, or alter user and group permissions to cause widespread disruptions in SharePoint environments," he says.
Microsoft did not respond immediately to a Dark Reading request for comment. The company has previously recommended that organizations enable the Anti-Malware Scan Interface (AMSI) integration feature on SharePoint and use Microsoft Defender as a protective measure against CVE-2023-29357.
"For organizations running SharePoint Server, especially version 2019, immediate action is vital," SOCRadar said in a blog. "With the exploit now publicly accessible, the likelihood of malicious entities leveraging it has substantially increased."
