lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 14 Sep 2011 09:41:56 +0300
From: "Irene Abezgauz" <irene@...kersec.com>
To: <bugtraq@...urityfocus.com>
Subject: Seeker Advisory Sep11: Insecure Redirect in Microsoft SharePoint Portal

Seeker Research Center Security Advisory 

This vulnerability was discovered by Seeker(r) Automatic Run-Time
Application Security Testing Solution 
Disclosed By Irene Abezgauz, September 13th, 2011

=========
I. Overview
=========
An Insecure Redirect vulnerability has been identified in Microsoft
SharePoint shared infrastructure. This vulnerability allows an attacker
to craft links that contain redirects to malicious sites in the source
parameter used throughout SharePoint portal.

The exploitation technique detailed in this document bypasses the cross
application redirection restriction which normally limits such redirects
restricting access to external sites. 

A friendly formatted version of this advisory is available at:
http://www.seekersec.com/Advisories/SeekerAdvMS03.html 

=======
II. Details
=======
Multiple pages and components in Microsoft Sharepoint use the source
parameter to redirect users to a new location after accessing a certain
page, such as:
POST
/Docs/Lists/Announcements/NewForm.aspx?Source=http%3a%2f%2f127.0.0.1%2fD
ocs%2fdefault.aspx
In order to avoid cross application redirects (which pose a threat to
the system), Microsoft Sharepoint enforces checks on these redirects,
and limits them to localhost or 127.0.0.1, or the SharePoint server IP
(the IP redirect is only valid if the redirect is to an actual
SharePoint page on the server, redirects to localhost or 127.0.0.1 will
work regardless of existence of relevant page). 
The implementation of this verification, however, is flawed, and can be
circumvented by creating hostnames which begin with the string
localhost, or 127.0.0.1 even if they are not localhost.
Due to domain naming restrictions the 127.0.0.1 prefix cannot be used in
exploitation, as http://127.0.0.1.seekersec.com is not a valid domain
name - subdomain names cannot be digits only. However, redirects to
http://localhost.seekersec.com or http://localhostie.seekersec.com are
valid. The following prefixes can be provided into the Source parameter
to exploit this vulnerability: 
	localhostaaa, localhost.seekersec.com, etc. 
An attacker can generate an attack by creating a site containing
localhost in its name, and crafting a URL which embeds into the source
parameter a link that lead to sites outside the current application.
Once a victim follows the specially crafted link he indeed arrives at
the selected page of the vulnerable SharePoint application. Once the
page operation is completed, the user will be redirected to the URL in
the source parameter. 

========
III. Exploit
========
Sample exploitation of this vulnerability would be crafting the
following link: 
http://MySharePoint/Docs/Lists/Announcements/NewForm.aspx?Source=http%3a
%2f%2flocalhost.seekersec.com
It is important to note that in many situations, even if the application
does not use the source parameter by default, this parameter can be
added manually to the URL, leading to exploitation of this
vulnerability. 

================
IV. Affected Systems
================
Microsoft SharePoint 2007
Microsoft SharePoint 2010

========
V. Solution
========
Microsoft has released a fix for this vulnerability, see
http://technet.microsoft.com/security/bulletin/MS11-074 for further
information. 

=======
VI. Credit
=======
The vulnerability was automatically discovered by Seeker(r) - New
generation application security testing solution, utilizing ground
breaking BRITE(tm) technology (Behavioral Runtime Intelligent Testing
Engine).
Further research and publication was performed by Irene Abezgauz,
Product Manager, Seeker Security. 
For more information please visit www.seekersec.com

-----------------
Irene Abezgauz
Product Manager
Seeker Security
www.seekersec.com
 E-Mail:    irene@...kersec.com

Powered by blists - more mailing lists