A proof-of-concept (PoC) recently surfaced chaining together two vulnerabilities in Microsoft’s SharePoint platform. The flaws are tracked as CVE-2023-29357 and CVE-2023-24955 and could be combined to perform unauthenticated remote code execution, which could lead to data theft and other types of attacks. Cybersixgill collected the PoC for the flaw posted on GitHub, which threat actors could potentially leverage to exploit unpatched systems.
During the last week of September, a proof-of-concept (PoC) exploit code appeared on GitHub for a critical authentication bypass vulnerability (CVE-2023-29357) in Microsoft SharePoint Server. Researchers reported that threat actors could exploit CVE-2023-29357 by sending spoofed JWT authentication tokens to Microsoft SharePoint Server, enabling privilege escalation. The PoC incorporates a second vulnerability (CVE-2023-24955), allowing for remote code execution (RCE) through command injection. While unauthenticated threat actors could potentially exploit the vulnerabilities to gain administrator privileges and execute network attacks, reports of actual attacks did not initially surface.
With that being said, a security researcher achieved RCE on a Microsoft SharePoint Server using the CVE-2023-29357/24955 exploit chain during a major Canadian hacking contest, taking home a hefty cash reward. Shortly thereafter, the PoC appeared on GitHub, which is discussed in the section that follows. While Microsoft previously released fixes for the flaws, the emergence of the PoC significantly increases the risk that threat actors will exploit unpatched systems.
The SharePoint vulnerabilities represent the latest chained flaws affecting popular Microsoft products, arriving almost a year after the software giant was rocked by the ProxyNotShell flaws, which encompassed CVE-2022-41040 and CVE-2022-41082. These two high-severity vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019 and were chained together by threat actors to escalate privileges, gain RCE access on compromised servers, and ultimately deploy malware.
Attackers reportedly chained the two ProxyNotShell flaws to deploy a well-known web shell for data theft and persistence. ProxyNotShell also facilitated lateral movement on victims' networks. The same web shells have also been used to target SharePoint servers. According to researchers who observed the attacks, the ProxyNotShell vulnerabilities allowed attackers to perform RCE on compromised systems. Cybersixgill observed a member of a popular Russian cybercrime forum advertising a ProxyNotShell exploit for $50,000.
Figure 1: PoC for CVE-2023-29357/24955 posted on GitHub
The Cybersixgill Investigative Portal collected the GitHub repository containing the PoC for the CVE-2023-29357/24955 vulnerabilities, which threat actors could ostensibly leverage to achieve full remote code execution. The GitHub user who posted the PoC published 46 repositories as of October 1, 2023, identifying himself as an “ethical hacker and cybersecurity enthusiast.”
The user added a disclaimer on the repository that the script “does not contain functionalities to perform RCE and is meant solely for educational purposes and lawful and authorized testing.” Regardless, the security researcher who achieved RCE on a SharePoint Server during the hacking contest last week posted a video demonstrating the exploitation of CVE-2023-29357/24955. With technical details available for both flaws, open-source intelligence (OSINT) reports posited that full remote code execution and exploitation by threat actors is thus inevitable.
The following screenshots display the CVE-2023-29357/24955 vulnerability scorecards on Cybersixgill’s CVEs Module. As of October 1, 2023, Cybersixgill’s CVEs Module assigned CVE-2023-29357 a critical score (9.03), indicating the threat posed by the flaw to unpatched systems. Similarly, the Common Vulnerability Scoring System (CVSS) assigned the RCE vulnerability a critical score (9.8). The CVSS score is likely higher than the CVEs Module score because Cybersixgill’s scoring mechanism takes into account factors such as chatter on the underground and other features that the CVSS score does not evaluate.
Figure 2: The CVE-2023-29357 vulnerability scorecard on the Cybersixgill DVE Module
The severity of CVE-2023-29357/24955 means that chatter on the underground will likely continue, as threat actors historically have tried to exploit similar vulnerabilities. Indeed, it is highly anticipated that cybercriminals will continue to try to exploit CVE-2023-29357. Therefore, all organizations must prepare for such scenarios and bolster their systems’ security by implementing the following best practices:
● Immediately patch all products as soon as a vulnerability is disclosed.
● Use research teams to proactively detect potential vulnerabilities residing on corporate networks that could be exploited and immediately mitigate risks.
● Run the most updated and safest versions of all computing elements.
● Create data copies and backups on external servers that are isolated from the business network to reduce the impact of possible ransomware attacks.
● Instruct employees not to click on links or attachments from suspicious emails and implement regular security training to raise awareness so that social engineering attacks can be thwarted.
Microsoft SharePoint Server is a platform for document management, collaboration, and content management, which is used for creating intranet sites, team sites, and apps.
A JSON web token (JWT) is used for authentication and authorization in applications. JWTs are frequently used to authenticate users: the client sends the token in the Authorization header of an HTTP request, and the server decodes and verifies it before trusting the claims it carries.
Threat actors use remote code execution to control systems and networks to which they lack direct access.
The researchers who detected the September 2022 attacks suspected that a Chinese threat group was responsible for the attacks based on the web shells' code page, which included Microsoft character encoding for simplified Chinese.
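The spoofed-JWT authentication bypass described above comes down to the difference between decoding a token and verifying it. As an added illustration (not code from this post, and not SharePoint's own authentication logic), the constructed HS256 verifier below accepts only tokens signed with the server's key and rejects unsigned or tampered ones; the key, claims, and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real server would load its signing key from a secret store.
SERVER_KEY = b"constructed-demo-signing-key"

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Issue an HS256-signed JWT; stands in for the legitimate token issuer."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def decode_claims(token: str) -> dict:
    """Decoding only: reads the payload without checking who signed it."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_token(token: str, key: bytes = SERVER_KEY):
    """Verification: pin the algorithm, recompute the MAC, compare in constant time; None if untrusted."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Only the one algorithm this server uses is acceptable; "none" or a client-chosen alg is never honoured.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(body_b64))
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return None

def unsigned_token(claims: dict) -> str:
    """Constructed input: claims with no signature, the kind of token a verifier must reject."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."

def tamper_claims(token: str, claims: dict) -> str:
    """Constructed input: a genuine token whose payload was swapped while keeping the old signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"
```

Both constructed inputs decode cleanly and claim an elevated role, which is exactly why a server that only decodes, as opposed to verifies, a token can be fooled.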