
Researchers Reveal New RCE Exploit Chain for SharePoint


Researchers have recently disclosed the details of a serious exploit that combines two critical vulnerabilities in Microsoft SharePoint Server. This exploit allows remote code execution on affected servers, posing a significant risk to organizations using this software. Additionally, a separate security researcher has shared proof-of-concept code on GitHub that demonstrates how one of the SharePoint vulnerabilities can be exploited to gain administrative privileges on vulnerable systems.

The first vulnerability, known as CVE-2023-29357, is an elevation of privilege flaw in SharePoint Server 2019. Microsoft addressed this vulnerability in its June monthly security update. It enables unauthorized attackers to bypass authentication checks and gain admin privileges on an affected SharePoint server by using a spoofed JSON Web Token (JWT). The flaw does not require any privileges or user interaction to exploit.

The second vulnerability, identified as CVE-2023-24955, is a remote code execution (RCE) flaw that Microsoft patched in May. It allows remote attackers to execute arbitrary code on SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server Subscription Edition.

Both vulnerabilities are classified as critical and are expected to be exploited by threat actors in the near future. The National Vulnerability Database (NVD) has assigned a severity rating of 9.8 out of 10 for CVE-2023-29357 and 7.3 for the RCE flaw. According to the Internet scanning platform Censys, there are currently over 100,000 Internet-exposed SharePoint servers that could be affected by these vulnerabilities.

Researchers from StarLabs, based in Singapore, reported both flaws to Microsoft and have now released details of an exploit chain they developed. This exploit chain allows them to achieve pre-authentication RCE on vulnerable systems. They first demonstrated this exploit at Pwn2Own Vancouver in March. In a technical paper, one of the researchers explained how they spoofed a valid JWT using the “None” signing algorithm, which allowed them to impersonate a user with administrative privileges in a SharePoint Server 2019 instance. They then leveraged these privileges to inject arbitrary code using the CVE-2023-24955 vulnerability, resulting in remote code execution on the target SharePoint server.
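To show the verification check at the heart of the privilege-escalation flaw described above, here is an added example written for this page: it is not code from StarLabs, VNPT or Lobstein's proof of concept, nor SharePoint's own implementation. It places a verifier that takes the signing algorithm from the token's own header beside one that pins the algorithm server-side; the key and claims are constructed values.

```python
# Added example: minimal JWT (HS256) handling with a weak and a hardened verifier.
# DEMO_KEY and all claims are constructed for this illustration.
import base64
import hashlib
import hmac
import json
from typing import Optional

DEMO_KEY = b"constructed-demo-key"  # placeholder key, not real key material


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue a properly signed HS256 token so the hardened path can be shown accepting valid input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_weak(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Flawed verifier: honours whatever 'alg' the token declares, so an unsigned
    token carrying alg=none is accepted and its claims are trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg", "")
    if alg.lower() == "none":  # the check an alg=none spoof relies on
        return json.loads(_b64url_decode(payload_b64)) if sig_b64 == "" else None
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes = DEMO_KEY) -> Optional[dict]:
    """Hardened verifier: the accepted algorithm is fixed by the server, never read
    from the token, and a missing or mismatching signature is always rejected."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # rejects none/None/NONE and every other algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))
```

Logging every token rejected for a non-pinned algorithm or an empty signature gives a cheap detection signal for attempts against this class of flaw.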

In a separate development, Valentin Lobstein, a cybersecurity student at Oteria Cyber School in France, posted proof-of-concept code on GitHub that demonstrates how an attacker could gain admin privileges on unpatched SharePoint Server 2019 systems via CVE-2023-29357. Although Lobstein’s exploit focuses solely on privilege escalation, it can be combined with CVE-2023-24955 to compromise the confidentiality, integrity, and availability of an affected SharePoint server. This could potentially lead to a denial of service (DoS) or unauthorized access to sensitive information.

Lobstein clarifies that his proof-of-concept is different from the one described by the researchers at StarLabs. He also points out another proof-of-concept released by Vietnamese security firm VNPT Information Technology Company, which also demonstrates how the “None” algorithm can be used to spoof JWT tokens and elevate privileges.

The disclosure of these exploits raises concerns about the security of SharePoint Server, particularly version 2019. Microsoft has previously advised organizations to enable the Anti-Malware Scan Interface (AMSI) integration feature on SharePoint and utilize Microsoft Defender as a protective measure against CVE-2023-29357. Immediate action is strongly recommended for organizations running SharePoint Server, as the availability of the exploit increases the likelihood of malicious actors exploiting these vulnerabilities.

Microsoft has not yet provided a comment on these disclosures. Security experts urge organizations to take proactive steps to secure their SharePoint environments and protect against potential attacks.
