CarderPlanet
Patches have been released for a long time, but can exploits "wake up the beast"?
Researchers have identified two critical vulnerabilities in Microsoft SharePoint Server and developed an exploit that allows code to be executed remotely on the affected servers.
CVE-2023-29357 (CVSS 9.8) is a privilege escalation vulnerability in SharePoint Server 2019. To fix it, Microsoft released a patch in June. The flaw allows an attacker to bypass authentication mechanisms and gain extended rights without interacting with the user.
CVE-2023-24955 (CVSS 7.3) refers to remote code execution. Microsoft eliminated it back in May. The vulnerability affects SharePoint Server 2019, 2016, and SharePoint Server Subscription Edition.
Both issues are considered critical. According to the Censys platform, more than 100,000 SharePoint servers available on the Internet are potentially at risk.
Researchers from StarLabs published details of the exploit, demonstrating exactly how the detected defects can be applied to remote code execution without prior authentication.
We started by creating a fake JWT token. Using the "None" signature algorithm, we managed to generate an ID that simulates administrator rights. It is important to note that this algorithm allows you to change the token without detection, since it does not require a digital signature. A fake key allowed the software to run on the server using the vulnerability CVE-2023-24955.
Valentin Lobstein, an independent expert from the Oteria Cyber School, published proof-of-concept code on GitHub demonstrating the exploitation of CVE-2023-29357. This code shows how an attacker can pretend to be a legitimate user and gain extended rights on non-updated SharePoint systems.
In an interview with Dark Reading, Lobstein explained that such attacks can lead to serious consequences: from loss of confidential data to denial of service (DoS).
He also mentioned another exploit submitted by the VNPT Information Technology Company team.
Microsoft has yet to comment. However, the company previously recommended activating the AMSI integration feature on SharePoint and using Microsoft Defender as a precaution against CVE-2023-29357.
SOCRadar said in a blog post: "It is important for organizations using SharePoint Server, particularly version 2019, to take action as soon as possible. Since the exploit was published, the risks of malicious users using it have increased significantly."
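As an added illustration of the "None" algorithm point above (this is not code from the post, from StarLabs, or from SharePoint itself): a minimal JWT verifier in Python that pins the accepted algorithm to an allow-list and computes the HMAC itself, so a token whose header claims None/none/NONE is rejected regardless of case. The key, claims and helper names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"HS256"}  # explicit allow-list; an unsigned token is never acceptable

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a correctly signed HS256 token (used only to produce a valid sample)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def unsigned_sample_token(claims: dict, alg: str = "None") -> str:
    """Constructed negative test case: header claims no signature, signature part empty."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

def verify_token(token: str, key: bytes, now=None):
    """Return the claims if the token is acceptable, otherwise None.

    The header 'alg' is only compared against ALLOWED_ALGS; the verification
    algorithm itself is fixed to HS256, so the header can never select
    'no signature'. The comparison is case-sensitive, so None/none/NONE all fail.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return None
    current = now if now is not None else int(time.time())
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims
```

The same allow-list rule applies to any library-based verifier: pass the permitted algorithms explicitly rather than trusting the value the token supplies.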
