CVE-2023-29357: Privilege Escalation with Microsoft SharePoint Server PoC + Exploit

Proof-of-concept (PoC) exploit code has been released for a critical CVE-2023-29357 vulnerability allowing the elevation of privilege without authentication in Microsoft SharePoint Server products.

With an alarming CVSS score of 9.8, this flaw isn’t just another routine bug but a *critical* vulnerability that poses a real threat to businesses operating on Microsoft SharePoint. What makes this flaw particularly noteworthy? It grants malefactors the ability to gain elevated privileges on a system, without any prior authentication.

In layman’s terms, by merely sending a skillfully constructed request, attackers can potentially earn administrative privileges, presenting them with the golden key to access your organization’s data vault.

Microsoft’s official advisory reveals the modus operandi of this vulnerability. It reads, “An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user.”

This basically underlines the grave danger posed by the vulnerability, allowing attackers to act under the facade of authenticated users.

It’s essential to commend the individuals who keep the digital realm secure. Jang (Nguyễn Tiến Giang) of StarLabs SG is the knight in shining armor who brought this vulnerability to light. On September 25th, Jang shared the intricate technical details surrounding this flaw.

Today, Chocapikk, a renowned security researcher, delivered an urgent message to all SharePoint admins: he’s created a proof-of-concept (PoC) exploit for CVE-2023-29357. This script particularly homes in on exploiting the elevation of privilege flaw in Microsoft SharePoint Server.

What deepens the concern is the potential to combine this flaw with another vulnerability, the Remote Code Execution (RCE) CVE-2023–24955. This deadly combination can devastate the three pillars of security: integrity, availability, and confidentiality.

Chocapikk’s exploit script notably allows the impersonation of authenticated users, potentially leading to arbitrary code execution within the SharePoint framework. This can result in a full-blown denial of service (DoS) attack. However, it’s worth noting the script’s intended use. As Chocapikk states, “This script does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing.”

Microsoft has acknowledged the vulnerability and issued a patch. However, it is important to note that attackers may be aware of the vulnerability and could begin exploiting it before a patch is available. Therefore, it is important for users to take steps to mitigate the risk of exploitation.

If you believe that your SharePoint Server has been exploited, you should take the following steps:

1. Isolate the affected server. This will prevent the attacker from gaining access to other servers on your network.
2. Gather evidence. This may include collecting log files and other data that may help you to identify the attacker and determine the extent of the damage.
3. Contact Microsoft or a qualified security professional for assistance. They will be able to help you to investigate the incident and take steps to mitigate the damage.