Researchers Release Details of New RCE Exploit Chain for SharePoint

Researchers who discovered two critical vulnerabilities in Microsoft SharePoint Server have released details of an exploit they developed that chains the two vulnerabilities together to enable remote code execution on affected servers.

Separately, another security researcher this week posted proof-of-concept code on GitHub for one of the SharePoint vulnerabilities that shows how an attacker could exploit the flaw to gain admin privileges on vulnerable systems.

Two Critical Flaws

One of the vulnerabilities, tracked as CVE-2023-29357, is an elevation of privilege flaw in SharePoint Server 2019 for which Microsoft issued a patch in its monthly security update for June. The vulnerability gives an unauthenticated attacker a way to use a spoofed JSON Web Token (JWT) to bypass authentication checks and gain administrator privileges on an affected SharePoint server. The attacker needs no privileges nor is any user interaction required to exploit the flaw.

The other flaw, identified as CVE-2023-24955, is a remote code execution (RCE) vulnerability that Microsoft patched in May. It allows remote attackers to execute arbitrary code on SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server Subscription Edition.

Microsoft has described both flaws as being of critical severity and as vulnerabilities that threat actors were more likely to exploit in coming months. NIST’s National Vulnerability Database (NVD) has assigned a 9.8 severity rating to CVE-2023-29357 and a 7.3 rating to the RCE flaw. According to the Internet scanning platform Censys, there are currently more than 100,000 Internet-exposed SharePoint servers that could be affected by the flaws.

Pre-Authentication RCE Exploit Chain

Researchers from Singapore-based StarLabs, who reported both flaws to Microsoft, this week released details of an exploit chain they had developed that allowed them to use the vulnerabilities to gain pre-authentication RCE on affected systems. They first demonstrated the exploit at Pwn2Own Vancouver in March.

In a technical paper, one of the researchers described how they first spoofed a valid JWT token using the “None” signing algorithm to impersonate a user with administrative privileges in a SharePoint Server 2019 instance. With the “None” signing algorithm, a JWT carries no signature at all, so a verifier that honors the algorithm named in the token’s own header performs no integrity check, and the token’s claims can be modified without detection. The StarLabs researchers then described how they were able to use those privileges to inject arbitrary code via the CVE-2023-24955 vulnerability. “Chaining the two bugs together, an unauthenticated attacker is able to achieve remote code execution (RCE) on the target SharePoint server,” StarLabs security researcher Nguyễn Tiến Giang said.
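The “None” algorithm weakness described above comes down to a verifier trusting whichever `alg` the token itself declares. The following is an added example, not code from the StarLabs paper, from Lobstein’s PoC, or from SharePoint, that contrasts a verifier with that defect against a hardened one in which the server, not the token, fixes the list of acceptable algorithms. The key, the claims, and the helper names are assumptions constructed for illustration; the unsigned token built here serves only as the test input a correct verifier must reject.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side HMAC key for this example only (not a real secret).
SERVER_KEY = b"example-key-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a properly signed HS256 token (constructed sample issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def make_unsigned_token(claims: dict) -> str:
    """Build an 'alg: none' token: header, payload, empty signature part.
    Constructed here only as the input a sound verifier must reject."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_naive(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable pattern: honors the 'alg' the token declares.
    If the header says 'none', no signature is checked at all."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    alg = str(header.get("alg", "")).lower()
    if alg == "none":
        return json.loads(_b64url_decode(payload_b64))
    if alg == "hs256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, key: bytes, allowed_algs=("HS256",)) -> Optional[dict]:
    """Hardened pattern: the verifier owns the algorithm allowlist, 'none' is
    never on it, and the signature is always checked in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Exact match against the allowlist rejects "none", "None", "NONE" and anything unexpected.
    if header.get("alg") not in allowed_algs or not sig_b64:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def demo() -> dict:
    """Run both verifiers against a signed token and an unsigned (alg none) one."""
    claims = {"sub": "constructed-user", "role": "admin"}  # constructed claims
    signed = make_hs256_token(claims, SERVER_KEY)
    unsigned = make_unsigned_token(claims)
    return {
        "naive_accepts_signed": verify_naive(signed, SERVER_KEY) is not None,
        "naive_accepts_unsigned": verify_naive(unsigned, SERVER_KEY) is not None,
        "hardened_accepts_signed": verify_hardened(signed, SERVER_KEY) is not None,
        "hardened_accepts_unsigned": verify_hardened(unsigned, SERVER_KEY) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The design point is that the allowlist lives in the verifier’s configuration, so a token header can never talk the verifier out of checking a signature; the same rule applies to any JWT library, where the accepted algorithms should be passed explicitly rather than read from the token.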

Separate PoC on GitHub

Separately, another independent security researcher, Valentin Lobstein, a cybersecurity student at Oteria Cyber School in France, also posted proof-of-concept code this week on GitHub that showed how an attacker could gain admin privileges on unpatched SharePoint Server 2019 systems via CVE-2023-29357. Lobstein’s exploit focused purely on privilege escalation. But attackers could chain the exploit with CVE-2023-24955 to compromise the confidentiality, integrity, and availability of an affected SharePoint server, he said. “The exploit script facilitates the impersonation of authenticated users, allowing attackers to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account, potentially causing a denial of service (DoS),” he wrote. It shows how an attacker could access details of admin users with elevated privileges, but not how someone could use it to enable RCE on affected systems.

In comments to Dark Reading, Lobstein says his PoC is different from the one that the researchers from StarLabs described in their technical paper this week. He points to another PoC that researchers from Vietnamese security firm VNPT Information Technology Company released August 31 that also showed how an attacker could use the “None” algorithm to spoof JWT tokens and elevate privileges.

“When [an attacker is] operating under administrative privileges, several critical outcomes are conceivable,” Lobstein says. A malicious admin could delete or corrupt organizational data, access and exfiltrate sensitive data, or alter user and group permissions to cause widespread disruption in SharePoint environments, he says.

Microsoft did not respond immediately to a Dark Reading request for comment. The company has previously recommended that organizations enable the Antimalware Scan Interface (AMSI) integration feature on SharePoint and use Microsoft Defender as a protective measure against CVE-2023-29357.

“For organizations running SharePoint Server, especially version 2019, immediate action is vital,” SOCRadar said in a blog. “With the exploit now publicly accessible, the likelihood of malicious entities leveraging it has substantially increased.”