Authentication Bypass, Then Escalation
On the tail of a big Windows RCE – Microsoft SharePoint Server, a widely used web application platform, faces potential jeopardy from a critical authentication bypass vulnerability, identified as CVE-2023-29357. To the layperson, it means that with a low-complexity attack, an unauthenticated attacker could potentially gain administrator privileges without the user needing to take any action.
This security flaw revolves around the misuse of spoofed JWT authentication tokens. The exploit grants an attacker the ability to gain access as an authenticated user, an equivalent of a con artist slipping past a red-carpet event’s security using a photocopied VIP pass.
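To make concrete what "accepting a spoofed token" means from the defender's side, the following added example (written for this page, not SharePoint's code and not the researcher's analysis) contrasts a flawed check that merely decodes a JWT's claims with a verifier that pins the algorithm, checks the HMAC signature, and validates issuer, audience and expiry. The key, issuer, audience and claims are constructed placeholders; the details of the real SharePoint flaw are not reproduced here.

```python
"""Added example: a 'decode only' JWT check beside a proper verifier.

Hypothetical code for illustration; not SharePoint's implementation.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"           # constructed; real keys live server-side
ISSUER = "https://idp.example"             # constructed placeholder
AUDIENCE = "https://sharepoint.example"    # constructed placeholder


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Build a token; key=None with alg='none' yields an unsigned token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if key is None:
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def weak_identity(token: str) -> str:
    """Flawed check: trusts the 'sub' claim without verifying the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))["sub"]


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Proper check: returns the claims only if every validation step passes."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None                                   # malformed structure
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":                  # pin the algorithm; never honour 'none'
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None                                   # signature missing or forged
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                                   # token issued for someone else
    if claims.get("exp", 0) <= now:
        return None                                   # expired
    return claims


if __name__ == "__main__":
    now = time.time()
    forged = make_token({"sub": "admin", "iss": ISSUER, "aud": AUDIENCE,
                         "exp": now + 3600}, None, alg="none")
    print("weak check sees:", weak_identity(forged))
    print("strict check sees:", verify_token(forged, SECRET, now))
```

The weak path shows why a spoofed token is dangerous: any client can write `"sub": "admin"` into an unsigned payload and be believed. Logging every `verify_token` rejection with the offending header's `alg` value is a cheap detection signal for attempts of this kind.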
Multiple Exploitation Opportunities
This worrisome loophole was first highlighted in June when Microsoft released a patch to fix the problem. Interestingly, this isn’t the only bug that hackers could potentially exploit.
In a write-up reminiscent of a cybernetic detective unraveling a case, STAR Labs researcher Nguyễn Tiến Giang, better known as Janggggg, deftly analyzed a chain of vulnerabilities. His narrative includes not just CVE-2023-29357, but also another key protagonist, CVE-2023-24955. The latter enables remote code execution via command injection, a tactic similar to sending a rogue agent into enemy territory.
Janggggg’s sharp skills were proven during the hackathon equivalent of the Olympics – the March 2023 Pwn2Own contest in Vancouver. He successfully executed a remote code execution on a Microsoft SharePoint Server using this chain of exploits, a feat that earned him a $100,000 reward.
Shortly after Janggggg publicized his technical analysis, an exploit turned up on GitHub for the CVE-2023-29357 privilege escalation vulnerability. While this exploit doesn’t grant immediate remote code execution, the author hinted that it could be paired with the CVE-2023-24955 command injection bug to achieve that objective.
For the Defenders
For those playing defense, there are tools available too. A YARA rule can help network defenders analyze logs for signs of potential exploitation on their SharePoint servers. However, with the complete technical details for both flaws now publicly disclosed by Janggggg, it is only a matter of time before other security researchers or threat actors replicate the full chain to attain remote code execution.
Moreover, while the GitHub exploit is meant solely for educational purposes and lawful and authorized testing, it highlights the urgency for protective actions. It offers a glimpse into the traditionally opaque world of hacking, much like opening a Pandora’s box, showcasing what is possible.
The best possible immediate action is to apply the security patches that Microsoft pre-emptively released. Brushing off the implications of these vulnerabilities equates to leaving your digital doors wide open, inviting all sorts of cyber risks into your system. It’s a stern reminder that constant vigilance is necessary in our increasingly digital world.