[<prev] [next>] [day] [month] [year] [list]
Message-ID: <52AB276A.9030901@vulnerability-lab.com>
Date: Fri, 13 Dec 2013 16:27:38 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Microsoft Online,
Office & Cloud - Persistent Encoding Vulnerabilities
Document Title:
===============
Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=806
Microsoft Security Response Center (MSRC) ID: 14090
Microsoft Security Response Center (MSRC) Manager: Brandon
Release Date:
=============
2013-12-13
Vulnerability Laboratory ID (VL-ID):
====================================
806
Common Vulnerability Scoring System:
====================================
3.7
Product & Service Introduction:
===============================
Microsoft Online Services is Microsoft`s hosted-software offering and a component of their software plus services strategy.
Microsoft Online Services are hosted by Microsoft and sold with Microsoft partners. The suite includes Exchange Online,
SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses,
the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through on-premises
servers, as online services, or a combination of both, depending on specific business requirements. Services also provide the
option to add complementary capabilities that enhance on-premises server software and simplify system management and maintenance.
( Copy of the Homepage: https://microsoftonline.com & https://microsoft.com )
Office 365 is a subscription-based online office and software plus services suite which offers access to various services
and software built around the Microsoft Office platform. Serving as a successor to Microsoft`s Business Productivity Online
Suite, the service was originally designed to provide hosted e-mail, social networking and collaboration, and cloud storage
to teams and businesses. As such, it first included hosted versions of Exchange, Lync, SharePoint, Office Web Apps, along
with access to the Microsoft Office 2010 desktop applications on the Enterprise plan. With the release of Office 2013,
Office 365 expanded to include new plans aimed at different types of businesses, along with new plans aimed at general
consumers wanting to use the Office desktop software on a subscription basis.After a beta testing process which began in
October 2010, Office 365 was officially launched on June 28, 2011.
(Copy of the Homepage: http://office.microsoft.com/en-us/ & http://en.wikipedia.org/wiki/Microsoft_Office_365)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent encoding web vulnerability in the official Microsoft Online Service (core) web-application.
Vulnerability Disclosure Timeline:
==================================
2013-02-03: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-06: Vendor Notification (MSRC- Security Response Center Team)
2013-12-11: Vendor Response/Feedback (MSRC- Security Response Center Team)
2013-12-11: Vendor Fix/Patch (Microsoft Developer Team - Case Manager: Brandon)
2013-12-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Microsoft Corporation
Product: MS Online Service 2012 Q4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple persistent input validation encoding web vulnerabilities are detected in the official microsoft cloud core online service portal.
The persistent encoding vulnerability of the microsoft online web server is located in the company and name profile details.
The microsoft online web server does not encode the outgoing (dbms saved) details or values of the registered microsoft service
user profiles. The vulnerability is located in the user profile input values `Name`, `Surname` and `Organization Name`.
The bug can be exploited by the inject of own malicious script code as name, surname and organisation name. After the inject the
own malicious script code will be saved in the microsoft dbms with the wrong encoded values. The server is sending different user
notification mails by usage of the stored (manipulated) database values. The request method to inject is POST and the attack vector
is persistent. The manipulated values in the database are the reason for the persistent script code execute. In the outgoing emails
are by the original microsoft online-service mail or the office mail server.
The following registration services are marked as vulnerable ... `register an account (microsoft.com)`, `license account (microsoft.com)`
or the `demo trail account` for the new Office-360°. Because of the problem turns into a persistent weakness in several microsoft services
the issue has been marked as medium(+) with a cvss (common vulnerability scoring system) score of 3.7(+).
Exploitation of the persistent remote vulnerabilities in the outgoing mail encoding requires a low privileged web-application user
account and low user interaction. Succsessful exploitation of the vulnerability results in persistent session hijacking (not expired
sesssion), persistent phishing via the original microsoft email service and persistent manipulation of email service and connected.
Vulnerable Service(s):
[+] Microsoft Online Service
Vulnerable Input Module(s):
[+] Registration Formular Account (licenses)
[+] Registration Formular Trail
[+] Sharepoint - Steps 1-4 & Changes
[+] Dynamic CRM - Sign In
[+] Start using your Office 365 trial today - Invitation to use Office 365
Vulnerable Parameter(s):
[+] Name der Organisation (Name of Organisation) - Companyname
[+] Name
[+] Surname
Affected Module(s):
[+] Microsoft Online Service - Mail Notification
Affected Service Function(s):
[+] Microsoft Online Service Mail Notification - MS Online
[+] Microsoft Online Service Mail Notification - Office 365
[+] Microsoft Online Service Mail Notification - Sharepoint Online
[+] Microsoft Online Service Mail Notification - Dynamic CRM Online
[+] Microsoft Online Service Mail Notification - Lync
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with or without web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided steps and information below.
1.1
PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht.
<tr>
<td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;">
<p style="margin:0px 0px 12px 0px;">
<strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br />
<strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p>
<p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p>
<p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p>
</td></tr>
URL(s):
Registration Account Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1
Registration Trail Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1
Original Service URL(s):
https://portal.microsoftonline.com/Signup/MainSignUp.aspx
Available and Tested Sender eMail(s):
reply-fec915767460037e-99_HTML-76251279-1014838-1@...il.microsoftonline.com
Office365@...rosoftonline.com
email.microsoftonline.com
Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/
1.2
PoC: Dynamic CRM - Sign In - Notification Mail
<tbody><tr>
<td style="padding-top:10px; font-family:'Segoe UI', Segoe, Tahoma, sans-serif; font-size:10pt; line-height:15px;
color:#000000;"><strong>Name:</strong> %20%20%20%20"><[PERSISTENT SCRIPT CODE EXECUTION!]") <</td>
... or
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px
0px;"><strong>Organization Name:</strong><br /><[PERSISTENT SCRIPT CODE EXECUTION!]") <</p>
PoC: Sharepoint - Steps 1-4 & Changes - Notification Mail
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="720">
<tbody><tr>
<td width="20"></td>
<td style="padding-bottom:15px;">
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="680">
<tbody><tr>
<td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT SCRIPT CODE EXECUTION!]") <,</td></tr>
Available and Tested Sender eMail(s):
msonlineservicesteam@...rosoftonline.com
reply-fec2157471620d78-108_HTML-177022632-1014838-17720@...il.microsoftonline.com
Office365@...rosoftonline.com
reply-fecc15767765037f-99_HTML-76251279-1014838-1@...il.microsoftonline.com
reply-fecc15747163047e-108_HTML-180111840-1014838-40194@...il.microsoftonline.com
reply-fecc15747163047e-108_HTML-180111840-1014838-40194@...il.microsoftonline.com
BOSreply@...rosoft.com
Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/
Note: The vulnerability does not only affect the notification service it also works with the license registration,
update notification mails and notification mails for dbms context changes.
1.3
PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht.
<tr>
<td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;">
<p style="margin:0px 0px 12px 0px;">
<strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br />
<strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p>
<p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p>
<p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p>
</td></tr>
URL(s):
Registration Account Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1
Registration Trail Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1
Original Service URL(s):
https://portal.microsoftonline.com/Signup/MainSignUp.aspx
Available and Tested Sender eMail(s):
reply-fecf15747162057d-108_HTML-176041426-1014838-41895@...il.microsoftonline.com
msonlineservicesteam@...rosoftonline.com
support@...rosoft.com
email.microsoftonline.com
Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/
1.4
PoC: Your Microsoft Office 365 Trial (Plan E3) is about to expire – buy today!
<table width="206" height="374" align="center" cellpadding="0" cellspacing="0" border="0">
<tr>
<td width="206" valign="top" style="font-family:'Segoe UI',Tahoma,sans-serif; font-size:10pt; line-height:13pt; color:#000;">
<table width="206" cellpadding="0" cellspacing="0" border="0" style="border:1px solid #fff; background:#fff;">
<tr>
<td style="padding:6px; background:#072B60;">
<p style="font-family:SegoeUI, Tahoma, sans-serif; font-size:11pt; color:#fff; margin:0px;">Account Information</p>
</td>
</tr>
<tr>
<td style="padding:10px;font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60;">
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Organization name</strong><br />
<[PERSISTENT INJECTED SCRIPT CODE!]") <</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Service</strong><br />
Microsoft Office 365 Trial (Plan E3)</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Trial start date</strong><br />
2012-12-31</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 0px 0px;"><strong>Trial end date</strong><br />
2013-01-30</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">...........................</p>
</td>
</tr>
</table>
1.5
PoC: Tag 2 - Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online
<tr><td width="28"><img src="http://image.offers.crmlive.com/lib/fefc1270736601/i/1/5d9c825e-3.gif" alt="Spacer" border="0" height="1" width="28">
</td><td width="400">
<span style="font-family: 'Segoe UI', Verdana, sans-serif; font-size:27px; color:#112e58; line-height:normal;">
Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online</span>
<br>
<br>
<strong>Name der Organisation: <[PERSISTENT INJECTED SCRIPT CODE!]") <</strong>
<br>
<br>Vielen Dank für Ihr Interesse an Microsoft Dynamics CRM Online
1.6
PoC: Lync > Connect with next-generation online meetings
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="720">
<tbody><tr>
<td width="20"></td>
<td style="padding-bottom:15px;">
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="680">
<tbody><tr>
<td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT INJECTED SCRIPT CODE!]") <,</td>
</tr>
Solution - Fix & Patch:
=======================
The vulnerabilities can be patched by a restriction, parse or encode of the input vulnerable `name of organization`,`name` and `surname` input fields.
Encode the input and of course do not forget the ensure the outgoing stored db context values are filtered.
1. Solution - Parse each input and encode all outgoing values separatly
... or
2. Implement a filter or proxy with exception-handling to prevent script code executes.
Note: This solution does not patch the fail it only filters the context and replace the wrong encoded information.
Solution by Microsoft:
Microsoft implemented a cloud email proxy service to filter wrong encoded database values in the outgoing mail servics of microsoft after
the incident with vulnerabilities in the outgoing service and office emails has been reported by Benjamin.
The email proxy filters all the malicious injected tags, script codes or payload with a filter mechanism and internal exception-handling to
prevent the persistent manipulation of original web-server emails.
Security Risk:
==============
The security risk of the (application-side) persistent mail encoding web vulnerabilities are estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@...lution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@...nerability-lab.com - research@...nerability-lab.com - admin@...lution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@...nerability-lab.com or research@...nerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@...nerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists