Cyber Security News

Microsoft SharePoint Server Vulnerabilities Chained to Achieve Remote Code Execution

Two vulnerabilities have been reported in Microsoft SharePoint Server, CVE-2023-29357 and CVE-2023-24955, which threat actors can chain to achieve remote code execution (RCE) against the server.

These vulnerabilities were discovered as part of the Zero Day Initiative's Pwn2Own contest conducted in March 2023. The STAR Labs team found the vulnerabilities and was rewarded $100,000 for the finding.

Security researcher Nguyễn Tiến Giang published a GitHub repository containing the proof-of-concept (PoC) for the exploit chain, which chains these two vulnerabilities to achieve remote command execution.


CVE-2023-29357 & CVE-2023-24955 – Technical Analysis

CVE-2023-29357 is a privilege escalation vulnerability in Microsoft SharePoint Server. Threat actors can exploit it by sending a spoofed JWT (JSON Web Token) authentication token to the server, which could elevate their privileges. This vulnerability has a severity of 9.8 (Critical).

CVE-2023-24955 was a Remote Command Execution vulnerability affecting the same Microsoft SharePoint Server and had a severity of 7.2 (High). Microsoft patched both of these vulnerabilities as part of their May and June security patches.

Exploit Chain

After more than a year of research, security researcher Jang combined the authentication bypass vulnerability with the code injection vulnerability, which resulted in an unauthenticated RCE on Microsoft SharePoint Server. A proof-of-concept video demonstrating the attack and exploitation was also published.

The security researchers made sure that the publicly available proof-of-concept does not achieve unauthenticated RCE, since threat actors could use a publicly available exploit for various malicious activities.

Users of Microsoft SharePoint Server are advised to patch these vulnerabilities by applying the Microsoft security patches, which are released on the second Tuesday of every month.


Eswar

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.
