Date: Fri, 10 Jun 2011 14:30:37 -0700
From: bede@...fus.net
To: bugtraq@...urityfocus.com
Subject: Javascript Injection in Microsoft Lync 4.0.7577.0


============================================================================
Foofus.net Security Advisory: foofus-20110610
============================================================================
Title:		Javascript Injection in Microsoft Lync
Version:	4.0.7577.0
Vendor:		Microsoft
Release Date:	2010-06-10
Issue Status:	Fix available
============================================================================

1. Summary

Microsoft Lync version 4.0.7577.0 is vulnerable to JavaScript injection.


2. Description

JavaScript statements can be stacked within the URL in the "reachLocale"
parameter of ReachJoin.aspx.  Arbitrary JavaScript can be inserted, with
some restrictions (notably that characters such as ">" trigger .NET
security protections and cause the page to fail to display).


3. Proof of Concept

The following URL will load an image in a new window or tab, as well as
display an alert with arbitrary content:

https://[target]/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale=en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload%20from%20the%20link%20you%20were%20given%22%29//

Pop-ups will need to be enabled in order to load a new tab, but this can be
circumvented by social engineering (e.g. a dialog box) or possibly by
more clever JavaScript insertion.
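The injection described above works because the parameter value lands inside a
JavaScript string literal in the page's inline script without encoding, so a
value containing a closing quote terminates the literal and the rest runs as
code. The following is an added illustration, not Microsoft's code or the
advisory author's: a constructed stand-in for that rendering beside a hardened
version that allowlists the locale and encodes it as a proper JS literal, with a
stub alert() to observe whether injected code executes.

```javascript
// Stand-in for the vulnerable rendering (constructed, not Lync's code): the
// reachLocale value is dropped into a JS string literal without encoding.
function renderVulnerable(reachLocale) {
  return '<script>var reachLocale="' + reachLocale + '";</script>';
}

// Hardened rendering with two independent controls:
//  1. allowlist: a locale is only letters, digits and hyphens (e.g. en-us),
//     so anything else is rejected before it reaches the page;
//  2. encoding: JSON.stringify produces a quoted JS string literal with
//     quotes, backslashes and control characters escaped, and "</" is also
//     escaped so the value can never close the <script> element.
const LOCALE_RE = /^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$/;

function isAllowedLocale(value) {
  return typeof value === 'string' && LOCALE_RE.test(value);
}

function toJsStringLiteral(value) {
  return JSON.stringify(value).replace(/<\//g, '<\\/');
}

function renderHardened(reachLocale) {
  // Fall back to a safe default rather than echoing an unexpected value.
  const locale = isAllowedLocale(reachLocale) ? reachLocale : 'en-us';
  return '<script>var reachLocale=' + toJsStringLiteral(locale) + ';</script>';
}

// Constructed value with the same shape as the advisory's PoC: closes the
// string literal, appends a statement, and comments out the rest of the line.
const INJECTED = 'en-us";alert("x")//';

// Executes the inline script body with a stub alert() that records its
// arguments, so the effect of the injection can be observed offline.
function runInlineScript(html) {
  const body = html.slice('<script>'.length, -'</script>'.length);
  const calls = [];
  new Function('alert', body)((msg) => calls.push(String(msg)));
  return calls;
}

// Vulnerable page: the injected alert runs. Hardened page: nothing runs.
console.log(runInlineScript(renderVulnerable(INJECTED))); // [ 'x' ]
console.log(runInlineScript(renderHardened(INJECTED)));   // []
```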


4. Impact

Exploiting this vulnerability allows an adversary to inject most types of
JavaScript into the page in order to execute client-side attacks or
perform social engineering attacks.  These attacks can easily be adapted
to compromise a target workstation.


5. Affected Products

Only version 4.0.7577.0 has been tested.  This vulnerability may exist in
other versions.


6. Solution

According to Microsoft, the vulnerability can be resolved by updating with
the "update package for Lync Server 2010, Web Components Server: April 2011"
at http://support.microsoft.com/kb/2500441.

7. Timetable

2011-05-31  Advisory written and submitted to Microsoft
2011-05-31  Vendor confirms receipt of advisory
2011-06-10  Vendor confirms vulnerability, advises availability of patch
2011-06-10  Disclosure


8. Reference

http://www.foofus.net/?p=363

9. Credits

bede@...fus.net (Mark Lachniet)
