CVE-2023-29357: SharePoint Server Privilege Escalation Vulnerability

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

In June 2023, Microsoft released patches to address security issues found in Microsoft SharePoint [1]. CVE-2023-29357 is a critical privilege escalation vulnerability that can be leveraged to remote code execution when combined with other vulnerabilities. Since CVE-2023-29357 has a CVSS score of 9.8 (Critical) and publicly available proof-of-concept (PoC), organizations are advised to update their vulnerable SharePoint Servers as soon as possible.

In this blog, we explained how the Microsoft SharePoint CVE-2023-29357 exploit works.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

What is Microsoft SharePoint CVE-2023-29357 Elevation of Privilege Vulnerability?

Microsoft releases patches for its products on the second Tuesday of every month. This is called Patch Tuesday. On Patch Tuesday of June 2023, Microsoft released a security patch for a privilege escalation vulnerability found in Microsoft SharePoint. CVE-2023-29357 allows an unauthenticated attacker to gain administrator-level privileges when exploited. The vulnerability has a CVSS score of 9.8 (Critical) and can be chained with a code injection vulnerability for remote code execution in vulnerable SharePoint servers. Organizations are advised to patch their SharePoint Server 2019 products to build 16.0.10399.20005 or higher.

CVE-2023-29357 is an authentication bypass vulnerability that adversaries may use to impersonate any SharePoint user. If the impersonated user is a privileged account, such as an administrator, the attacker will gain elevated privileges in the victim's network. In the wild, adversaries may chain CVE-2023-29357 vulnerability with other vulnerabilities for remote code execution.

How Does Microsoft SharePoint CVE-2023-29357 Exploit Work?

CVE-2023-29357 is an authentication bypass vulnerability that allows adversaries to impersonate any valid SharePoint user. This vulnerability stems from the signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. If the signing algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic flaw in the ReadTokenCore() method. As an example, the spoofed and Base64-decoded JWT token is given below. This spoofed token is used to impersonate the Administrator user.

{"alg": "none"}

{"iss":"00000003-0000-0ff1-ce00-000000000000",

"aud":  "00000003-0000-0ff1-ce00-000000000000/splab@3b80be6c-6741-4135-9292-afed8df596af",

"Nbf":"1673410334",

"Exp":"1693410334",

"nameid":"c#.w|Administrator",

"http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname":"Administrator",

"Appidacr":"0",

"isuser":"0", "http://schemas.microsoft.com/office/2012/01/nameidissuer":"AccessToken",

"Ver":"hashedprooftoken",

"endpointurl": "FVIwBWTuuWfszO7WYRZYiozMe8OaSaWO/wyDR3W6e94=",

"name":"f#xw|Administrator",

"identityprovider":"windOws:aaaaa",

"userid":"asaadasd"}

After impersonating the administrator user, there are several things that an adversary can do in SharePoint API. One of them is to abuse another vulnerability that allows code injection. CVE-2023-24955 is a remote code execution vulnerability that has a CVSS score of 7.2 (High). Since the impersonated account is a privileged account, attackers can replace the "/BusinessDataMetadataCatalog/BDCMetadata.bdcm" in the web root directory. The replaced file is then compiled and executed by SharePoint, allowing attackers to remotely execute commands via SharePoint API.

There are publicly available proof-of-concept (PoC) for CVE-2023-29357, and cyber threat actors are often quick to abuse known and critical vulnerabilities before organizations can patch them. Therefore, organizations are urged to patch their SharePoint servers as soon as possible.

How Picus Helps Simulate Microsoft SharePoint CVE-2023-29357 Attacks?

We also strongly suggest simulating Microsoft SharePoint CVE-2023-29357 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, ProxyShell, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Microsoft SharePoint CVE-2023-29357 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

95895

Microsoft Sharepoint Web Attack Campaign

Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Microsoft SharePoint vulnerabilities and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Microsoft SharePoint vulnerabilities:

Security Control

Signature ID

Signature Name

Checkpoint NGFW

asm_dynamic_prop_XSS_SCAN

Cross-Site Scripting Scanning Attempt

Checkpoint NGFW

asm_dynamic_prop_CVE_2020_0646

Microsoft .NET Framework Remote Code Execution (CVE-2020-0646)

Checkpoint NGFW

asm_dynamic_prop_CVE_2020_0932

Microsoft SharePoint Remote Code Execution (CVE-2020-0932)

Checkpoint NGFW

asm_dynamic_prop_CVE_2020_16952

Microsoft SharePoint Remote Code Execution (CVE-2020-16952)

Checkpoint NGFW

asm_dynamic_prop_CVE_2013_0081

Microsoft SharePoint W3WP Denial of Service (MS13-067)

Cisco Firepower

1.1288.18

SERVER-OTHER Microsoft Frontpage /_vti_bin/ access

Cisco Firepower

1.27818.3

SERVER-OTHER Microsoft SharePoint denial of service attempt

Cisco Firepower

1.61937.1

SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Citrix

1288

bash code injection vulnerability

Citrix

999979

web-frontpage /_vti_bin/ access

Citrix

1288

web-frontpage /_vti_bin/ access

Citrix

998639

web-misc microsoft sharepoint server - elevation of privilege vulnerability via authorization header (cve-2023-29357)

F5 BIG-IP

200004515

ASP.NET code injection - Process.Start (Parameter)

F5 BIG-IP

200004513

ASP.NET code injection - System.Diagnostics.Process.Start (Parameter)

F5 BIG-IP

200001490

confirm() (URI)

Forcepoint NGFW

 

HTTP_CSH-Microsoft-Sharepoint-Authentication-Bypass-CVE-2023-29357

Forcepoint NGFW

 

HTTP_CSU-Microsoft-Sharepoint-Denial-Of-Service-Vulnerability

Forcepoint NGFW

 

HTTP_CSU-Microsoft-SharePoint-Remote-Code-Execution

Fortigate IPS

47918

applications3: MS.SharePoint.CVE-2019-0604.Remote.Code.Execution

Fortigate IPS

48866

applications3: MS.SharePoint.Workflows.XOML.Remote.Code.Injection

Fortigate WAF

10000150

Cross Site Scripting

Fortigate WAF

20000153

Cross Site Scripting (Extended)

Fortigate IPS

37010

web_server: MS.SharePoint.Server.Infinite.Looping.DoS

Fortiweb

10000150

Cross Site Scripting

Imperva SecureSphere

 

CVE-2019-0604: Microsoft SharePoint Remote Code Execution

Imperva SecureSphere

 

WEB-IIS cmd.exe access

Mcafee

0x4529fc00

HTTP: Microsoft ASP.NET Framework Remote Code Execution Vulnerability

Mcafee

0x45261c00

HTTP: Microsoft SharePoint Remote Code Execution (CVE-2019-0604)

Mcafee

0x45286000

HTTP: Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-16952)

Mcafee

0x452cff00

HTTP: Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2023-33134)

Mcafee

0x4510e800

HTTP: Microsoft SharePoint ws asmx Denial of Service Vulnerability

Modsecurity

932200

RCE Bypass Technique

Modsecurity

932150

Remote Command Execution: Direct Unix Command Execution

Modsecurity

932105

Remote Command Execution: Unix Command Injection

Palo Alto

57656

Microsoft .Net Framework Remote Code Execution Injection Vulnerability

Palo Alto

36107

Microsoft SharePoint Denial of Service Vulnerability

Palo Alto

94077

Microsoft SharePoint Server Remote Code Execution Vulnerability

Snort

1.2027345.3

ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604)

Snort

1.1288.18

SERVER-OTHER Microsoft Frontpage /_vti_bin/ access

Snort

1.27818.3

SERVER-OTHER Microsoft SharePoint denial of service attempt

Snort

1.55862.2

SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt

Snort

1.61937.1

SERVER-WEBAPP Microsoft SharePoint OAuth authentication bypass attempt

Tippingpoint

13163

HTTP:  Microsoft SharePoint Server ws.asmx Page Request

Tippingpoint

38083

HTTP: Microsoft .NET Framework Code Execution Injection Vulnerability

Tippingpoint

42544

HTTP: Microsoft SharePoint Authentication Bypass Vulnerability (Pwn2Own ZDI-23-882)

Tippingpoint

33692

HTTP: Microsoft SharePoint EntityInstanceIdEncoder Deserialization Vulnerability (ZDI-19-181)

Tippingpoint

42000

UDP: YSoSerial.Net Deserialization Tool Usage

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.

References

[1] "Security Update Guide - Microsoft Security Response Center." Available: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29357. [Accessed: Sep. 27, 2023]