
Flash Alert – Exploitation of vulnerabilities in SharePoint – update now

In recent months, several vulnerabilities in SharePoint have been identified and documented, including CVE-2023-29357 and CVE-2023-24955.  Security researchers at STAR Labs in Singapore have demonstrated the use of these vulnerabilities to achieve pre-auth remote code execution on a SharePoint server.  You can review their research here.

Exploiting these vulnerabilities allows a potential threat actor to bypass authentication by impersonating a legitimate user. They can then inject code into root directories, where it is executed by SharePoint.

CVE-2023-29357

CVE-2023-29357 was published in June 2023. It details a vulnerability in Microsoft SharePoint which allows a threat actor to elevate their privileges on a vulnerable server to administrator level.

The vulnerability affects Microsoft SharePoint Server 2019.

A threat actor with access to spoofed JWT authentication tokens is able to undertake a network attack which can bypass authentication. This allows them to gain access to a server with the privileges of a legitimate, authenticated user.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.  Those who have enabled AMSI integration and use Microsoft Defender are protected.

Python scripts have been identified within online repositories which seek to exploit this vulnerability, and further suggest combining it with CVE-2023-24955 to achieve Remote Code Execution.  An example can be found here.

CVE-2023-24955

CVE-2023-24955 was published in May 2023.  It concerns a vulnerability in Microsoft SharePoint which allows for the remote execution of code on a SharePoint server by an authenticated threat actor.

Microsoft has issued several security updates to combat the vulnerability and these should be installed and implemented as soon as possible.
