Home page logo
/

bugtraq logo Bugtraq mailing list archives

Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Fri, 13 Dec 2013 16:27:45 +0100

Document Title:
===============
Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=806

Microsoft Security Response Center (MSRC) ID: 14090
Microsoft Security Response Center (MSRC) Manager: Brandon


Release Date:
=============
2013-12-13


Vulnerability Laboratory ID (VL-ID):
====================================
806


Common Vulnerability Scoring System:
====================================
3.7


Product & Service Introduction:
===============================
Microsoft Online Services is Microsoft`s hosted-software offering and a component of their software plus services 
strategy.
Microsoft Online Services are hosted by Microsoft and sold with Microsoft partners. The suite includes Exchange Online, 
SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For 
businesses, 
the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through 
on-premises 
servers, as online services, or a combination of both, depending on specific business requirements. Services also 
provide the 
option to add complementary capabilities that enhance on-premises server software and simplify system management and 
maintenance.

( Copy of the Homepage: https://microsoftonline.com   &  https://microsoft.com )

Office 365 is a subscription-based online office and software plus services suite which offers access to various 
services 
and software built around the Microsoft Office platform. Serving as a successor to Microsoft`s Business Productivity 
Online 
Suite, the service was originally designed to provide hosted e-mail, social networking and collaboration, and cloud 
storage 
to teams and businesses. As such, it first included hosted versions of Exchange, Lync, SharePoint, Office Web Apps, 
along 
with access to the Microsoft Office 2010 desktop applications on the Enterprise plan. With the release of Office 2013, 
Office 365 expanded to include new plans aimed at different types of businesses, along with new plans aimed at general 
consumers wanting to use the Office desktop software on a subscription basis.After a beta testing process which began 
in 
October 2010, Office 365 was officially launched on June 28, 2011.

(Copy of the Homepage: http://office.microsoft.com/en-us/  &   http://en.wikipedia.org/wiki/Microsoft_Office_365)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent encoding web vulnerability in the official Microsoft 
Online Service (core) web-application.


Vulnerability Disclosure Timeline:
==================================
2013-02-03: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-06: Vendor Notification (MSRC- Security Response Center Team)
2013-12-11: Vendor Response/Feedback (MSRC- Security Response Center Team)
2013-12-11: Vendor Fix/Patch (Microsoft Developer Team - Case Manager: Brandon)
2013-12-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corporation
Product: MS Online Service 2012 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple persistent input validation encoding web vulnerabilities are detected in the official microsoft cloud core 
online service portal.
The persistent encoding vulnerability of the microsoft online web server is located in the company and name profile 
details.

The microsoft online web server does not encode the outgoing (dbms saved) details or values of the registered microsoft 
service 
user profiles. The vulnerability is located in the user profile input values `Name`, `Surname` and `Organization Name`. 

The bug can be exploited by the inject of own malicious script code as name, surname and organisation name. After the 
inject the 
own malicious script code will be saved in the microsoft dbms with the wrong encoded values. The server is sending 
different user 
notification mails by usage of the stored (manipulated) database values. The request method to inject is POST and the 
attack vector 
is persistent. The manipulated values in the database are the reason for the persistent script code execute. In the 
outgoing emails 
are by the original microsoft online-service mail or the office mail server.

The following registration services are marked as vulnerable ... `register an account (microsoft.com)`, `license 
account (microsoft.com)` 
or the `demo trail account` for the new Office-360°. Because of the problem turns into a persistent weakness in several 
microsoft services 
the issue has been marked as medium(+) with a cvss (common vulnerability scoring system) score of 3.7(+). 

Exploitation of the persistent remote vulnerabilities in the outgoing mail encoding requires a low privileged 
web-application user 
account and low user interaction. Succsessful exploitation of the vulnerability results in persistent session hijacking 
(not expired 
sesssion), persistent phishing via the original microsoft email service and persistent manipulation of email service 
and connected.

Vulnerable Service(s):
                                [+] Microsoft Online Service

Vulnerable Input Module(s):
                                [+] Registration Formular Account (licenses)
                                [+] Registration Formular Trail
                                [+] Sharepoint - Steps 1-4 & Changes
                                [+] Dynamic CRM - Sign In
                                [+] Start using your Office 365 trial today - Invitation to use Office 365


Vulnerable Parameter(s):
                                [+] Name der Organisation (Name of Organisation) - Companyname
                                [+] Name
                                [+] Surname


Affected Module(s):
                                [+] Microsoft Online Service - Mail Notification


Affected Service Function(s):
                                [+] Microsoft Online Service Mail Notification - MS Online
                                [+] Microsoft Online Service Mail Notification - Office 365
                                [+] Microsoft Online Service Mail Notification - Sharepoint Online
                                [+] Microsoft Online Service Mail Notification - Dynamic CRM Online
                                [+] Microsoft Online Service Mail Notification - Lync


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with or without web-application user account and 
with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided steps and information below.

1.1
PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht.

<tr>
<td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;">
<p style="margin:0px 0px 12px 0px;">
<strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br />
<strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p>
<p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p>
<p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p>
</td></tr>

URL(s): 
Registration Account Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Registration Trail Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Original Service URL(s):
https://portal.microsoftonline.com/Signup/MainSignUp.aspx

Available and Tested Sender eMail(s):
reply-fec915767460037e-99_HTML-76251279-1014838-1 () email microsoftonline com
Office365 () microsoftonline com
email.microsoftonline.com

Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/



1.2
PoC: Dynamic CRM - Sign In - Notification Mail

<tbody><tr>
<td style="padding-top:10px; font-family:'Segoe UI', Segoe, Tahoma, sans-serif; font-size:10pt; line-height:15px; 
color:#000000;"><strong>Name:</strong> %20%20%20%20"><[PERSISTENT SCRIPT CODE EXECUTION!]") <</td>

... or

<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 
0px;"><strong>Organization Name:</strong><br /><[PERSISTENT SCRIPT CODE EXECUTION!]") <</p>



PoC: Sharepoint - Steps 1-4 & Changes - Notification Mail

<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" 
width="720">
<tbody><tr>
<td width="20"></td>
<td style="padding-bottom:15px;">
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" 
width="680">
<tbody><tr>
<td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT SCRIPT CODE EXECUTION!]") <,</td></tr>


Available and Tested Sender eMail(s):
msonlineservicesteam () microsoftonline com
reply-fec2157471620d78-108_HTML-177022632-1014838-17720 () email microsoftonline com
Office365 () microsoftonline com
reply-fecc15767765037f-99_HTML-76251279-1014838-1 () email microsoftonline com
reply-fecc15747163047e-108_HTML-180111840-1014838-40194 () email microsoftonline com
reply-fecc15747163047e-108_HTML-180111840-1014838-40194 () email microsoftonline com
BOSreply () microsoft com

Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/


Note: The vulnerability does not only affect the notification service it also works with the license registration, 
update notification mails and notification mails for dbms context changes.


1.3
PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht.

<tr>
<td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;">
<p style="margin:0px 0px 12px 0px;">
<strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br />
<strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p>
<p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p>
<p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p>
</td></tr>

URL(s): 
Registration Account Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Registration Trail Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Original Service URL(s):
https://portal.microsoftonline.com/Signup/MainSignUp.aspx

Available and Tested Sender eMail(s):
reply-fecf15747162057d-108_HTML-176041426-1014838-41895 () email microsoftonline com
msonlineservicesteam () microsoftonline com
support () microsoft com
email.microsoftonline.com

Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/



1.4
PoC: Your Microsoft Office 365 Trial (Plan E3) is about to expire – buy today!

<table width="206" height="374" align="center" cellpadding="0" cellspacing="0" border="0"> 
<tr>
<td width="206" valign="top" style="font-family:'Segoe UI',Tahoma,sans-serif; font-size:10pt; line-height:13pt; 
color:#000;"> 
<table width="206" cellpadding="0" cellspacing="0" border="0" style="border:1px solid #fff; background:#fff;">
<tr>
<td style="padding:6px; background:#072B60;">
<p style="font-family:SegoeUI, Tahoma, sans-serif; font-size:11pt; color:#fff; margin:0px;">Account Information</p>
</td>
</tr>
<tr>
<td style="padding:10px;font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60;">
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 
0px;"><strong>Organization name</strong><br />
<[PERSISTENT INJECTED SCRIPT CODE!]") <</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 
0px;"><strong>Service</strong><br />
Microsoft Office 365 Trial (Plan E3)</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 
0px;"><strong>Trial start date</strong><br />
2012-12-31</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 0px 
0px;"><strong>Trial end date</strong><br />
2013-01-30</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">...........................</p>
</td>
</tr>
</table>


1.5
PoC: Tag 2 - Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online

<tr><td width="28"><img src="http://image.offers.crmlive.com/lib/fefc1270736601/i/1/5d9c825e-3.gif"; alt="Spacer" 
border="0" height="1" width="28">
</td><td width="400">
<span style="font-family: 'Segoe UI', Verdana, sans-serif; font-size:27px; color:#112e58; line-height:normal;">
Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online</span>
<br>
<br>
<strong>Name der Organisation: <[PERSISTENT INJECTED SCRIPT CODE!]") <</strong>                                         
<br>
<br>Vielen Dank für Ihr Interesse an Microsoft Dynamics CRM Online


1.6
PoC: Lync > Connect with next-generation online meetings

<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" 
width="720">
<tbody><tr>
<td width="20"></td>
<td style="padding-bottom:15px;">
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" 
width="680">
<tbody><tr>
<td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT INJECTED SCRIPT CODE!]") <,</td>
</tr>


Solution - Fix & Patch:
=======================
The vulnerabilities can be patched by a restriction, parse or encode of the input vulnerable `name of 
organization`,`name` and `surname` input fields.
Encode the input and of course do not forget the ensure the outgoing stored db context values are filtered. 

1. Solution - Parse each input and encode all outgoing values separatly
... or
2. Implement a filter or proxy with exception-handling to prevent script code executes.
Note: This solution does not patch the fail it only filters the context and replace the wrong encoded information.


Solution by Microsoft:
Microsoft implemented a cloud email proxy service to filter wrong encoded database values in the outgoing mail servics 
of microsoft after 
the incident with vulnerabilities in the outgoing service and office emails has been reported by Benjamin. 
The email proxy filters all the malicious injected tags, script codes or payload with a filter mechanism and internal 
exception-handling to 
prevent the persistent manipulation of original web-server emails.


Security Risk:
==============
The security risk of the (application-side) persistent mail encoding web vulnerabilities are estimated as medium(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss 
of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such 
damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack 
into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com            - admin () evolution-sec 
com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                   - 
magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the 
use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, 
videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, 
list (feed), 
modify, use or edit our material contact (admin () vulnerability-lab com or research () vulnerability-lab com) to get a 
permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com



  By Date           By Thread  

Current thread:
  • Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities Vulnerability Lab (Dec 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault