
List:       bugtraq
Subject:    Office 365 - Account Hijacking Cookie Re-Use Flaw, extended
From:       <geryoei () oei-edv ! de>
Date:       2014-02-27 7:17:31
Message-ID: 95DF3E53-6A1B-47DE-AE75-E0B65FF6CA9D () oei-edv ! de

Title:
	Office 365 - Account Hijacking Cookie Re-Use Flaw, extended 

Vendor:
 - Microsoft

Products affected:
 - Office 365 E3 package (version as of February 22nd, 2014)
 - Sharepoint Online Services

Abstract:
The well-known account hijacking through cookie re-use flaw was originally reported
in July 2013 by Prof. Sam Bowne and discussed in several forums:
  http://www.networkworld.com/community/blog/hijacking-office-365-and-other-major-services-cookie-re-use-flaw
  http://thehackernews.com/2012/12/hotmail-and-outlook-cookie-handling.html
  http://www.klocwork.com/blog/software-security/cookie-reuse-flaw-exposes-users-of-office-365-other-web-services/
Not only has the original vulnerability not been closed as of this report, there is
also another serious impact that makes it harder to recover from this vulnerability:
 - Changing the password of the user will not invalidate the stolen cookie
 - Blocking the account (user lockout) will not work either
This allows an attacker to hijack the user account for at least 23 years, until the
account has been deleted completely.

Steps to reproduce:
* Pre-requisites:
  - Office 365 account (E3 package with Sharepoint Services)
  - As malicious system: Windows OS client and Internet Explorer 9 to 11 or Firefox 25+
    (other OSes and browsers not yet tested); cookies shall not be deleted upon
    closing the browser.
  - Only password authentication used (default)

* Preparation Steps:
1) The user logs on using an untrusted device (e.g. Internet Café) to Office 365 via
   the official Microsoft online portal login.onmicrosoft.com with the setting "keep me
   signed on".
2) The user now navigates to his allowed team websites at Sharepoint Services, e.g.
   replacethiswithyourtestsite.onmicrosoft.com.
3) The user now leaves the untrusted device by either shutting down the computer,
   closing the browser or just logging off from the OS, while
   a) not logging off from the Microsoft portal properly
   b) and not cleaning his cookies

* Well-known first part - Cookie re-use flaw:
4) A malicious user (Eve) can use the (confidential) Sharepoint URL simply by
   re-using the cookie.
5) From a valid Sharepoint Online Services access all other services can be accessed
   (OWA, Skydrive, etcetera) whilst refreshing their credential cookies.

* The flaw extension - can't lock out the attacker:
6) If the user becomes aware of his mistake or a misuse is detected, the user might
   try to change his password or let the administrator reset the user's password, or
7) The administrator might decide to block the account from connecting using the OAC.
8) Either way, the stolen cookie will still be accepted (see steps 4 to 5).
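The server-side check that would close this extension, shown as an added example that is not Microsoft's code (the `SessionStore`, `credential_generation` and `locked` names are assumptions): each session records the credential generation it was issued under, a password change bumps the account's generation and a lockout flags it, and the hardened validation rejects and revokes any cookie that no longer matches, while `validate_weak` reproduces the behaviour the advisory describes.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    credential_generation: int = 0  # bumped on every password change or reset
    locked: bool = False

@dataclass
class Session:
    user: str
    credential_generation: int  # generation the cookie was issued under

class SessionStore:
    # Server-side table of cookie value -> Session (constructed example).
    def __init__(self):
        self.accounts = {}
        self.sessions = {}

    def add_account(self, user):
        self.accounts[user] = Account()

    def issue_cookie(self, user):
        token = secrets.token_urlsafe(32)  # opaque, unguessable cookie value
        self.sessions[token] = Session(user, self.accounts[user].credential_generation)
        return token

    def change_password(self, user):
        self.accounts[user].credential_generation += 1

    def lock(self, user):
        self.accounts[user].locked = True

    def validate_weak(self, token):
        # Behaviour the advisory describes: any cookie still in the table is
        # accepted, regardless of later password changes or lockouts.
        s = self.sessions.get(token)
        return s.user if s else None

    def validate(self, token):
        # Hardened check: the cookie must carry the account's current credential
        # generation and the account must not be locked; otherwise revoke it.
        s = self.sessions.get(token)
        if s is None:
            return None
        acct = self.accounts[s.user]
        if acct.locked or s.credential_generation != acct.credential_generation:
            del self.sessions[token]
            return None
        return s.user
```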

Vendor response:
 - The issue has been reported to Microsoft in several ways:
	- Ticket 1235308167 (Microsoft support USA)
	- Ticket 201402160322129434 (Microsoft Partner Support Germany)
	- Ticket 114021011169872 (Microsoft Office Online User Support Germany)
 - No solution offered so far, but the issue was acknowledged by Microsoft Partner
   Support Germany

Workarounds:
 - For forensic reasons it might not be recommended, but at this time I don't see
   any other solution: the only way is to delete the attacked account completely.
 - This is congruent with the workaround Microsoft offers as a solution in its
   online forum

O.E.I.-Beratung
Géry Oei
Tersteegenstr. 9
42579 Heiligenhaus
Germany
