lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <95DF3E53-6A1B-47DE-AE75-E0B65FF6CA9D@oei-edv.de>
Date: Thu, 27 Feb 2014 08:17:31 +0100
From: "Oei, Géry" <geryoei@...-edv.de>
To: bugtraq@...urityfocus.com
Subject: Office 365 - Account Hijacking Cookie Re-Use Flaw, extended 

Title:
	Office 365 - Account Hijacking Cookie Re-Use Flaw, extended 

Vendor:
 - Microsoft

Products affected:
 - Office 365 E3 package (version as of February 22nd, 2014)
 - Sharepoint Online Services

Abstract:
The well-known account hijacking through cookie re-use flaw was originally reported in July 2013 by Prof. Sam Bowne and discussed in several forums: 
 	http://www.networkworld.com/community/blog/hijacking-office-365-and-other-major-services-cookie-re-use-flaw
  	http://thehackernews.com/2012/12/hotmail-and-outlook-cookie-handling.html
  	http://www.klocwork.com/blog/software-security/cookie-reuse-flaw-exposes-users-of-office-365-other-web-services/
As well as the original vulnerability hasn’t beed closed as of this report, there is another serious impact on defeating this vulnerability:
 - Changing the password of the user will not invalidate the stolen cookie
 - Blocking the account (user lockout) will not work as well
This allows an attacker to hijack the user account for at least 23 years until the account has been deleted completely.

Steps to reproduce:
* Pre-requisites:
  - Office 365 account (E3 package with Sharepoint Services)
  - As malicious system: Windows O/S Client and Interner Explorer 9 to 11 or Firefox 25+ 
    (Other OSes and Browsers not yet tested), cookies shall not be deleted upon closing the browser. 
  - only password authentication used (default)

* Preparation Steps:
1) The user logs on using an untrusted device (eg. Internet Café) to office365 via the official microsoft online portal login.onmicrosoft.com with the setting „keep me signed on“
2) The user now navigates to his allowed team websites at sharepoint services eg. replacethiswithyourtestsite.onmicrosoft.com
3) The user now leaves the untrusted device by either shutting down the computer, closing the browser or  just logging off only from the os, with
	a) not logging off from microsoft portal properly
	b) and not cleaning his cookies

* Well-known first part - Cookie re-use flaw:
4) A malicious user (eve) can use the (confidential) sharepoint url simply by re-using the cookie.
5) From a valid Sharepoint Online Services access all other services can be accessed (OWA, Skydrive ,etcetera) whilst refreshing their credential cookies

* The flaw extension - can’t lockout the attacker:
6) If the user might be aware of its failure or a misuse is detected, the user might try to change its password or let the administrator reset the users password or
7) The administrator might decide to block the account from connecting using the OAC.
8) In both ways, the stolen cookie will still be accepted (see steps 4 to 5)

Vendor response:
 - The issue has been reported to microsoft in several ways: 
	- Ticket 1235308167 (Microsoft support USA) 
	- Ticket 201402160322129434 (Microsoft Partner Support Germany)
	- Ticket 114021011169872 (Microsoft Office Online User Support Germany)
 - No solution offered so far, but issue was acknowledged by Microsoft Partner Support Germany

Workarounds:
 - For forensic reasons it might be not recommended, but at this time I don’t  see any other solution, the only way is to delete the attacked account completely.
 - This way is congruent with the workaround Microsoft offers as solution in his online forum 

O.E.I.-Beratung
Géry Oei
Tersteegenstr. 9
42579 Heiligenhaus
Germany

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ