module
Sharepoint Dynamic Proxy Generator Unauth RCE
| Disclosed | Created |
|---|---|
| 2023-05-01 | 2024-03-26 |
Disclosed
2023-05-01
Created
2024-03-26
Description
This module exploits two vulnerabilities in Sharepoint 2019, an auth bypass CVE-2023-29357 which was patched
in June of 2023 and CVE-2023-24955, an RCE which was patched in May of 2023.
The auth bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the
signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. If the signing
algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic
flaw in the ReadTokenCore() method.
After impersonating the administrator user, the attacker has access to the Sharepoint API and is able to
exploit CVE-2023-24955. This authenticated RCE vulnerability leverages the impersonated privileged account to
replace the "/BusinessDataMetadataCatalog/BDCMetadata.bdcm" file in the webroot directory with a payload. The
payload is then compiled and executed by Sharepoint allowing attackers to remotely execute commands via the API.
in June of 2023 and CVE-2023-24955, an RCE which was patched in May of 2023.
The auth bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the
signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. If the signing
algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic
flaw in the ReadTokenCore() method.
After impersonating the administrator user, the attacker has access to the Sharepoint API and is able to
exploit CVE-2023-24955. This authenticated RCE vulnerability leverages the impersonated privileged account to
replace the "/BusinessDataMetadataCatalog/BDCMetadata.bdcm" file in the webroot directory with a payload. The
payload is then compiled and executed by Sharepoint allowing attackers to remotely execute commands via the API.
Authors
Jang
jheysel-r7
jheysel-r7
Platform
Windows
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.