Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server that allows privilege escalation.
Tracked as CVE-2023-29357, the security flaw lets unauthenticated attackers gain administrator privileges after successful exploitation in low-complexity attacks that do not require user interaction.
“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft explained in June when it patched the vulnerability.
“An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action.”
On September 25, STAR Labs researcher Nguyễn Tiến Giang (Janggggg) published a technical analysis describing the exploitation process for a chain of vulnerabilities.
These include the CVE-2023-29357 bug and a second critical flaw tracked as CVE-2023-24955, which enables remote code execution via command injection.
Janggggg successfully achieved RCE on a Microsoft SharePoint Server using this exploit chain during the March 2023 Pwn2Own contest in Vancouver, earning a $100,000 reward.
A day after the technical analysis was made public, a proof-of-concept exploit for the CVE-2023-29357 privilege escalation vulnerability surfaced on GitHub.
Although this exploit does not grant attackers remote code execution, because it does not cover the entire exploit chain demonstrated at Pwn2Own Vancouver, its author notes that attackers could potentially combine it with the CVE-2023-24955 command injection bug to achieve that goal.
“The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes,” the exploit’s developer says.
“However, to maintain an ethical stance, this script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing.”
A YARA rule is also available to help network defenders analyze logs for signs of potential exploitation of their SharePoint servers using the CVE-2023-29357 PoC exploit.
Even though the existing exploit does not grant immediate remote code execution, it is strongly recommended to apply the security patches Microsoft issued earlier this year as a safeguard against potential attacks.
Now that Janggggg has released technical details for both flaws, it is only a matter of time before threat actors or other security researchers reproduce the full exploit chain to achieve full remote code execution.