Bugtraq mailing list archives
Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Fri, 13 Dec 2013 16:27:45 +0100
Document Title: =============== Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=806 Microsoft Security Response Center (MSRC) ID: 14090 Microsoft Security Response Center (MSRC) Manager: Brandon Release Date: ============= 2013-12-13 Vulnerability Laboratory ID (VL-ID): ==================================== 806 Common Vulnerability Scoring System: ==================================== 3.7 Product & Service Introduction: =============================== Microsoft Online Services is Microsoft`s hosted-software offering and a component of their software plus services strategy. Microsoft Online Services are hosted by Microsoft and sold with Microsoft partners. The suite includes Exchange Online, SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses, the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through on-premises servers, as online services, or a combination of both, depending on specific business requirements. Services also provide the option to add complementary capabilities that enhance on-premises server software and simplify system management and maintenance. ( Copy of the Homepage: https://microsoftonline.com & https://microsoft.com ) Office 365 is a subscription-based online office and software plus services suite which offers access to various services and software built around the Microsoft Office platform. Serving as a successor to Microsoft`s Business Productivity Online Suite, the service was originally designed to provide hosted e-mail, social networking and collaboration, and cloud storage to teams and businesses. As such, it first included hosted versions of Exchange, Lync, SharePoint, Office Web Apps, along with access to the Microsoft Office 2010 desktop applications on the Enterprise plan. With the release of Office 2013, Office 365 expanded to include new plans aimed at different types of businesses, along with new plans aimed at general consumers wanting to use the Office desktop software on a subscription basis.After a beta testing process which began in October 2010, Office 365 was officially launched on June 28, 2011. (Copy of the Homepage: http://office.microsoft.com/en-us/ & http://en.wikipedia.org/wiki/Microsoft_Office_365) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a persistent encoding web vulnerability in the official Microsoft Online Service (core) web-application. Vulnerability Disclosure Timeline: ================================== 2013-02-03: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2013-02-06: Vendor Notification (MSRC- Security Response Center Team) 2013-12-11: Vendor Response/Feedback (MSRC- Security Response Center Team) 2013-12-11: Vendor Fix/Patch (Microsoft Developer Team - Case Manager: Brandon) 2013-12-13: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Microsoft Corporation Product: MS Online Service 2012 Q4 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Multiple persistent input validation encoding web vulnerabilities are detected in the official microsoft cloud core online service portal. The persistent encoding vulnerability of the microsoft online web server is located in the company and name profile details. The microsoft online web server does not encode the outgoing (dbms saved) details or values of the registered microsoft service user profiles. The vulnerability is located in the user profile input values `Name`, `Surname` and `Organization Name`. The bug can be exploited by the inject of own malicious script code as name, surname and organisation name. After the inject the own malicious script code will be saved in the microsoft dbms with the wrong encoded values. The server is sending different user notification mails by usage of the stored (manipulated) database values. The request method to inject is POST and the attack vector is persistent. The manipulated values in the database are the reason for the persistent script code execute. In the outgoing emails are by the original microsoft online-service mail or the office mail server. The following registration services are marked as vulnerable ... `register an account (microsoft.com)`, `license account (microsoft.com)` or the `demo trail account` for the new Office-360°. Because of the problem turns into a persistent weakness in several microsoft services the issue has been marked as medium(+) with a cvss (common vulnerability scoring system) score of 3.7(+). Exploitation of the persistent remote vulnerabilities in the outgoing mail encoding requires a low privileged web-application user account and low user interaction. Succsessful exploitation of the vulnerability results in persistent session hijacking (not expired sesssion), persistent phishing via the original microsoft email service and persistent manipulation of email service and connected. Vulnerable Service(s): [+] Microsoft Online Service Vulnerable Input Module(s): [+] Registration Formular Account (licenses) [+] Registration Formular Trail [+] Sharepoint - Steps 1-4 & Changes [+] Dynamic CRM - Sign In [+] Start using your Office 365 trial today - Invitation to use Office 365 Vulnerable Parameter(s): [+] Name der Organisation (Name of Organisation) - Companyname [+] Name [+] Surname Affected Module(s): [+] Microsoft Online Service - Mail Notification Affected Service Function(s): [+] Microsoft Online Service Mail Notification - MS Online [+] Microsoft Online Service Mail Notification - Office 365 [+] Microsoft Online Service Mail Notification - Sharepoint Online [+] Microsoft Online Service Mail Notification - Dynamic CRM Online [+] Microsoft Online Service Mail Notification - Lync Proof of Concept (PoC): ======================= The persistent web vulnerability can be exploited by remote attackers with or without web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below. 1.1 PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht. <tr> <td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;"> <p style="margin:0px 0px 12px 0px;"> <strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br /> <strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p> <p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p> <p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p> <p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p> </td></tr> URL(s): Registration Account Formular https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid= AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1 Registration Trail Formular https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid= AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1 Original Service URL(s): https://portal.microsoftonline.com/Signup/MainSignUp.aspx Available and Tested Sender eMail(s): reply-fec915767460037e-99_HTML-76251279-1014838-1 () email microsoftonline com Office365 () microsoftonline com email.microsoftonline.com Reference(s): https://login.microsoftonline.com/ https://microsoftonline.com/ https://microsoft.com/ 1.2 PoC: Dynamic CRM - Sign In - Notification Mail <tbody><tr> <td style="padding-top:10px; font-family:'Segoe UI', Segoe, Tahoma, sans-serif; font-size:10pt; line-height:15px; color:#000000;"><strong>Name:</strong> %20%20%20%20"><[PERSISTENT SCRIPT CODE EXECUTION!]") <</td> ... or <p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Organization Name:</strong><br /><[PERSISTENT SCRIPT CODE EXECUTION!]") <</p> PoC: Sharepoint - Steps 1-4 & Changes - Notification Mail <table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="720"> <tbody><tr> <td width="20"></td> <td style="padding-bottom:15px;"> <table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="680"> <tbody><tr> <td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT SCRIPT CODE EXECUTION!]") <,</td></tr> Available and Tested Sender eMail(s): msonlineservicesteam () microsoftonline com reply-fec2157471620d78-108_HTML-177022632-1014838-17720 () email microsoftonline com Office365 () microsoftonline com reply-fecc15767765037f-99_HTML-76251279-1014838-1 () email microsoftonline com reply-fecc15747163047e-108_HTML-180111840-1014838-40194 () email microsoftonline com reply-fecc15747163047e-108_HTML-180111840-1014838-40194 () email microsoftonline com BOSreply () microsoft com Reference(s): https://login.microsoftonline.com/ https://microsoftonline.com/ https://microsoft.com/ Note: The vulnerability does not only affect the notification service it also works with the license registration, update notification mails and notification mails for dbms context changes. 1.3 PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht. <tr> <td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;"> <p style="margin:0px 0px 12px 0px;"> <strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br /> <strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p> <p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p> <p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p> <p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p> </td></tr> URL(s): Registration Account Formular https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid= AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1 Registration Trail Formular https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid= AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1 Original Service URL(s): https://portal.microsoftonline.com/Signup/MainSignUp.aspx Available and Tested Sender eMail(s): reply-fecf15747162057d-108_HTML-176041426-1014838-41895 () email microsoftonline com msonlineservicesteam () microsoftonline com support () microsoft com email.microsoftonline.com Reference(s): https://login.microsoftonline.com/ https://microsoftonline.com/ https://microsoft.com/ 1.4 PoC: Your Microsoft Office 365 Trial (Plan E3) is about to expire – buy today! <table width="206" height="374" align="center" cellpadding="0" cellspacing="0" border="0"> <tr> <td width="206" valign="top" style="font-family:'Segoe UI',Tahoma,sans-serif; font-size:10pt; line-height:13pt; color:#000;"> <table width="206" cellpadding="0" cellspacing="0" border="0" style="border:1px solid #fff; background:#fff;"> <tr> <td style="padding:6px; background:#072B60;"> <p style="font-family:SegoeUI, Tahoma, sans-serif; font-size:11pt; color:#fff; margin:0px;">Account Information</p> </td> </tr> <tr> <td style="padding:10px;font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60;"> <p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Organization name</strong><br /> <[PERSISTENT INJECTED SCRIPT CODE!]") <</p> <p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Service</strong><br /> Microsoft Office 365 Trial (Plan E3)</p> <p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Trial start date</strong><br /> 2012-12-31</p> <p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 0px 0px;"><strong>Trial end date</strong><br /> 2013-01-30</p> <p style="margin:0px 0px 0px 0px; letter-spacing:2px;">...........................</p> </td> </tr> </table> 1.5 PoC: Tag 2 - Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online <tr><td width="28"><img src="http://image.offers.crmlive.com/lib/fefc1270736601/i/1/5d9c825e-3.gif"; alt="Spacer" border="0" height="1" width="28"> </td><td width="400"> <span style="font-family: 'Segoe UI', Verdana, sans-serif; font-size:27px; color:#112e58; line-height:normal;"> Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online</span> <br> <br> <strong>Name der Organisation: <[PERSISTENT INJECTED SCRIPT CODE!]") <</strong> <br> <br>Vielen Dank für Ihr Interesse an Microsoft Dynamics CRM Online 1.6 PoC: Lync > Connect with next-generation online meetings <table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="720"> <tbody><tr> <td width="20"></td> <td style="padding-bottom:15px;"> <table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="680"> <tbody><tr> <td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT INJECTED SCRIPT CODE!]") <,</td> </tr> Solution - Fix & Patch: ======================= The vulnerabilities can be patched by a restriction, parse or encode of the input vulnerable `name of organization`,`name` and `surname` input fields. Encode the input and of course do not forget the ensure the outgoing stored db context values are filtered. 1. Solution - Parse each input and encode all outgoing values separatly ... or 2. Implement a filter or proxy with exception-handling to prevent script code executes. Note: This solution does not patch the fail it only filters the context and replace the wrong encoded information. Solution by Microsoft: Microsoft implemented a cloud email proxy service to filter wrong encoded database values in the outgoing mail servics of microsoft after the incident with vulnerabilities in the outgoing service and office emails has been reported by Benjamin. The email proxy filters all the malicious injected tags, script codes or payload with a filter mechanism and internal exception-handling to prevent the persistent manipulation of original web-server emails. Security Risk: ============== The security risk of the (application-side) persistent mail encoding web vulnerabilities are estimated as medium(+). Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin () vulnerability-lab com - research () vulnerability-lab com - admin () evolution-sec com Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission. Copyright © 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research () vulnerability-lab com
![http://image.offers.crmlive.com/lib/fefc1270736601/i/1/5d9c825e-3.gif"](http://image.offers.crmlive.com/lib/fefc1270736601/i/1/5d9c825e-3.gif"){kind=link}
Current thread:
- Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities Vulnerability Lab (Dec 16)