New Exploit Emerges For A Previously Patched SharePoint Vulnerability

Months after Microsoft patched a remote code execution vulnerability in SharePoint, a new way to exploit it has surfaced online. Identified as a separate bug, the new vulnerability again requires users to apply patches.

New SharePoint Vulnerability Exploit Discovered

Security researcher Nguyễn Tiến Giang (Jang) from StarLabs has shared insights about a new exploit for a known SharePoint vulnerability.

Specifically, Microsoft patched a remote code execution vulnerability, CVE-2022-22005, in SharePoint with the February Patch Tuesday updates. As explained at that time, exploiting the vulnerability required the attacker to have authenticated access and page creation permissions.

Upon observing the recent bug, the researcher initially deemed it the same as CVE-2022-22005. Further analysis, however, showed it to be a slightly different issue. Identified as CVE-2022-29108, the bug becomes exploitable when an adversary creates a SharePoint List using InfoPath and uploads a malicious file to the target server. Describing the latter step, the researcher stated in his post,

Upload a file in the Attachments section, with the main file’s content is the gadgetchain that will be used to deserialize, here I use the TypeConfuseDelegate gadget to get RCE.

The other steps to exploit the flaw remained similar to those for exploiting CVE-2022-22005, as detailed by Viettel Security.

The researcher has demonstrated the exploit in a proof-of-concept (PoC) video and shared the relevant technical details in his blog post.

Microsoft Patched The Flaw

After discovering the bug, the researcher reported it to Microsoft. In response, the tech giant patched the vulnerability with the May updates, rating it as an important-severity vulnerability with a CVSS score of 8.8.

Describing the bug, Microsoft’s advisory reads,

The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.
