Orgs should immediately apply the patches that Microsoft issued for the flaws if they haven’t done so already.
Researchers at Singapore-based StarLabs have released details of a chained remote code execution exploit they developed for two critical flaws in Microsoft SharePoint server that they previously discovered and disclosed to the company.
Microsoft patched one of the flaws (CVE-2023-29357) in June and the other (CVE-2023-24955) in May.
Elevation of Privilege and RCE Vulnerabilities
CVE-2023-29357 is an escalation of privilege vulnerability in SharePoint Server 2019 that allows an unauthenticated attacker to gain administrator-level privileges on affected systems without any user interaction. NIST’s National Vulnerability Database has assigned the vulnerability a severity rating of 9.8 out of 10 on the CVSS scale. CVE-2023-24955 is a remote code execution bug that affects SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016 and Microsoft SharePoint Server Subscription Edition.
StarLabs security researcher Nguyễn Tiến Giang aka Jang discovered both vulnerabilities and reported them to Microsoft—one of them earlier this year and the other in Feb. 2022. He first demonstrated an exploit chain for the two vulnerabilities at the Pwn2Own hacking contest in Vancouver this March. On Sept. 25 Jang published a technical report describing how he first exploited CVE-2023-29357 to gain “SharePoint Owners” permissions on an affected system and then used the administrator privilege to inject arbitrary code into the SharePoint instance via CVE-2023-24955.
Pre-Auth Exploit Chain
“Chaining the two bugs together, an unauthenticated attacker is able to achieve remote code execution (RCE) on the target SharePoint server,” Jang said.
According to the researcher, CVE-2023-29357 allowed him to use the “none” signing algorithm to spoof valid JSON Web Tokens (JWTs), bypass the OAuth authentication mechanism, and elevate privileges from those of an unauthenticated user to “SharePoint Owners” permissions, that is, administrator-level privileges. In the context of JWT, the “none” algorithm indicates that the token carries no digital signature at all. Jang then used the “SharePoint Owners” permissions to inject arbitrary code by replacing a specific file (/BusinessDataMetadataCatalog/BDCMetadata.bdcm) in the root directory.
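The weakness described above is a token consumer that lets the token itself nominate the algorithm, so alg “none” turns into “skip the signature check”. The following Python is an added illustration, not code from the report or from SharePoint: a lenient verifier of that kind beside a hardened one that fixes the algorithm allowlist server-side and requires a signature; the secret and the claims are constructed.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed for this example only
ALLOWED_ALGS = {"HS256"}             # server-side allowlist; "none" is never in it

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def hs256_sig(header_b64: str, payload_b64: str, secret: bytes) -> bytes:
    return hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a properly signed HS256 token (the legitimate case)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}.{b64url_encode(hs256_sig(header_b64, payload_b64, secret))}"

def verify_lenient(token: str, secret: bytes):
    """Weak verifier: the token's own header picks the algorithm, so alg "none" skips the check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # accepted without any signature
    if hmac.compare_digest(hs256_sig(header_b64, payload_b64, secret), b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None

def verify_strict(token: str, secret: bytes):
    """Hardened verifier: server fixes the algorithm; a signature is mandatory and checked first."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # missing signature segment -> reject
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") not in ALLOWED_ALGS:
            return None  # "none" (and any other unexpected alg) rejected
        if not hmac.compare_digest(hs256_sig(header_b64, payload_b64, secret), b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64/JSON is a rejection, not an exception

# Constructed test input (not from the page): unsigned token, alg "none", admin claim in payload.
UNSIGNED_ADMIN_TOKEN = (
    b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()) + "."
    + b64url_encode(json.dumps({"sub": "anonymous", "role": "admin"}).encode()) + "."
)
```

Running `verify_lenient` and `verify_strict` on `UNSIGNED_ADMIN_TOKEN` shows the contrast: the lenient verifier returns the admin claims, the strict one returns `None`.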
Though Jang’s demo at Pwn2Own itself took a brief 30 seconds, the researcher said it took him a year’s worth of effort and collaboration with researchers at Trend Micro’s Zero Day Initiative—the organizers of Pwn2Own—to develop the exploit chain. The biggest challenge, according to him, was finding a way to turn the SharePoint API access that CVE-2023-29357 provided into pre-auth RCE.
Separate PoC for Elevation of Privilege Bug Posted to GitHub
Meanwhile, another researcher—Valentin Lobstein, a student at France’s Oteria Cyber School—published on GitHub proof of concept code that he had independently developed for the privilege elevation vulnerability (CVE-2023-29357). Lobstein described his PoC as showing how an attacker could leverage the flaw to execute arbitrary code. “The exploit script facilitates the impersonation of authenticated users, allowing attackers to execute arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account, potentially causing a denial of service (DoS),” Lobstein said. “The script outputs details of admin users with elevated privileges and can operate in both single and mass exploit modes.”