List: full-disclosure
Subject: [FD] SharePoint Site User Enumeration
From: pzpcve180528 () wolke7 ! net
Date: 2018-05-28 17:46:46
Message-ID: trinity-2b2b4ef2-7011-4d76-b683-6ea3343a7b67-1527529606725 () 3c-app-gmx-bs05
<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div style="font-family: Verdana;font-size: 12.0px;"> <div style="font-family: Verdana;font-size: 12.0px;"> <div>
<div style="border-bottom: solid rgb(237,125,49) 1.0pt;padding: 0.0in 0.0in 2.0pt 0.0in;">
<h1>Office 365 Security</h1>
<h1>SharePoint Site User Enumeration</h1>
</div>
<h2>Category</h2>
<p>Insecure direct object reference</p>
<p> </p>
<h2>Synopsis</h2>
<p><a href="https://products.office.com/en-us/sharepoint/collaboration" target="_blank">SharePoint</a> is a web-based collaborative platform that integrates with Microsoft Office. Among other features, it allows corporate users to share content with third parties, either via third-party invites or anonymous links.</p>
<p>SharePoint allows such third parties to list the usernames associated with a particular site collection. This broad enumeration is possible even if the attacker is allowed to access only very limited site content, such as a single document.</p>
<p>In the extreme case the attacker can acquire a list of all of the customer's internal users and their SharePoint partners, which would facilitate both customer-wide and targeted phishing and other social-engineering attacks, impersonating either the corporate customer or one of the partners.</p>
<p>Such disclosure can also represent legal exposure and business confidentiality risks for SharePoint customers.</p>
<p> </p>
<h2>Technical Details</h2>
<p>By design SharePoint provides functionality to access user information associated with content published on a site. However, this feature appears to be intended solely for regular corporate users of the site, not for third-party guests with limited access.</p>
<p>The initial HTTP request is:</p>
<p class="Technical" style="margin-left: 40.0px;"><a href="https://somecustomer.sharepoint.com/sites/somesite/_layouts/15/userdisp.aspx?ID=ParamA" target="_blank">https://somecustomer.sharepoint.com/sites/somesite/_layouts/15/userdisp.aspx?ID=ParamA</a></p>
<p>where ParamA is some integer value. The request results in a 302 redirect to another of the customer's sites:</p>
<p class="Technical" style="margin-left: 40.0px;"><a href="https://somecustomer-my.sharepoint.com/Person.aspx?accountname=ParamB" target="_blank">https://somecustomer-my.sharepoint.com/Person.aspx?accountname=ParamB</a></p>
<p>where ParamB is the result of resolving ParamA, a site-collection-specific ordinal, to a structured string that includes the corresponding username:</p>
<p class="Technical" style="margin-left: 40.0px;">i:0#.f|membership|someuser@somedomain.com</p>
<p>Following this first HTTP redirect results in another 302 redirect to authenticate the user:</p>
<p class="Technical" style="margin-left: 40.0px;"><a href="https://somecustomer-my.sharepoint.com/_layouts/15/Authenticate.aspx?Source=ParamC" target="_blank">https://somecustomer-my.sharepoint.com/_layouts/15/Authenticate.aspx?Source=ParamC</a></p>
<p>where ParamC is the original URL of the second request.</p>
<p>The core weakness in the flow is that the authentication check intercepts this user information retrieval sequence only at the second request, while the first request succeeds as long as it includes cookies acquired by exercising third-party access to some content in the given site collection. Even an anonymous, view-only link to a single shared file suffices.</p>
<p>In other words, the resolution of simple ordinals (ParamA) to actual identities (ParamB) happens prematurely, before the access controls divert the redirection chain of HTTP requests.</p>
<p>Submitting the first request without any cookies, or with cookies belonging to an unrelated SharePoint customer, results in immediate authentication interception, so the result of the username resolution is not revealed.</p>
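<p>The following is an added illustration (not SharePoint code, and not part of this advisory) that models the redirect chain above as two small request handlers: one with the ordering the advisory describes, where any cookie for the site collection is enough to resolve ParamA to ParamB before authentication intercepts the chain, and one with the authorization check moved ahead of the ordinal lookup. The user table, the cookie/session model, the handler names and the helper functions are constructed assumptions for the illustration.</p>

```python
"""Model of the userdisp.aspx -> Person.aspx -> Authenticate.aspx chain.

Added illustration, not SharePoint code. The user table, the cookie/session
model and the handler shapes are constructed assumptions; the point is the
ordering of identity resolution versus the authorization check.
"""
from dataclasses import dataclass, field

# Constructed site-collection user table: ordinal ID -> claims-encoded login
SITE_USERS = {
    1: "i:0#.f|membership|alice@somedomain.com",
    2: "i:0#.f|membership|bob@somedomain.com",
    3: "i:0#.f|membership|partner@partnerdomain.com",
}
AUTH_URL = "https://somecustomer-my.sharepoint.com/_layouts/15/Authenticate.aspx?Source="
PERSON_URL = "https://somecustomer-my.sharepoint.com/Person.aspx?accountname="


@dataclass
class Request:
    path: str
    params: dict
    session: dict = field(default_factory=dict)  # constructed cookie model


@dataclass
class Response:
    status: int
    location: str = ""


def _has_any_site_access(req):
    # Cookie obtained by opening any shared item (even a view-only link)
    return req.session.get("site") == "somesite"


def _is_member(req):
    # Regular corporate user of the site, not a third-party guest
    return req.session.get("role") == "member"


def userdisp_vulnerable(req):
    """Ordering described in the advisory: any site cookie is enough to resolve
    the ordinal; authentication is only enforced by the next hop."""
    if not _has_any_site_access(req):
        return Response(302, AUTH_URL + req.path)
    account = SITE_USERS.get(int(req.params["ID"]))
    if account is None:
        return Response(404)
    return Response(302, PERSON_URL + account)  # identity already in Location


def userdisp_hardened(req):
    """Authorize the caller for the profile feature before touching the
    ordinal-to-identity mapping, so a guest never sees ParamB."""
    if not _is_member(req):
        return Response(302, AUTH_URL + req.path)
    account = SITE_USERS.get(int(req.params["ID"]))
    if account is None:
        return Response(404)
    return Response(302, PERSON_URL + account)


def person_aspx(req):
    """Second hop: the profile page itself does enforce authentication."""
    if not _is_member(req):
        return Response(302, AUTH_URL + req.path)
    return Response(200)


def walk_chain(first_handler, req):
    """Follow the modelled redirects; returns the list of Location values."""
    locations = []
    resp = first_handler(req)
    while resp.status == 302:
        locations.append(resp.location)
        if "/Authenticate.aspx" in resp.location:
            break  # the chain ends at the login prompt
        resp = person_aspx(Request(resp.location, {}, req.session))
    return locations


def leaks_identity(locations):
    """Regression check: does any hop of the chain carry an accountname?"""
    return any("accountname=" in loc for loc in locations)


def username_from_claim(claim):
    """'i:0#.f|membership|user@dom' -> 'user@dom' (last pipe-separated field)."""
    return claim.rsplit("|", 1)[-1]
```

<p>Running a guest session through <code>userdisp_vulnerable</code> yields two hops, the first of which already carries the resolved identity in its Location header, matching the sequence above; the same session through <code>userdisp_hardened</code> is sent straight to Authenticate.aspx and sees no identity at all. <code>leaks_identity</code> is the kind of check a product team could keep as a regression test for this ordering.</p>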
<p> </p>
<h2>Exploitation</h2>
<p>This weakness is exploitable as a classic insecure direct object reference. An attacker first accesses some shared content and preserves the acquired cookies. The attacker then uses those cookies to submit a series of requests for userdisp.aspx, iterating through integer values of ParamA, either randomly or sequentially, and harvesting the resolved usernames.</p>
<p>Valid ordinals in ParamA appear to be assigned sequentially, starting with single digits, so the parameter space exhibits minimal entropy and the enumeration is highly efficient. The attack can also be parallelized because the submitted requests are independent of each other (for example, there is no sequential per-request CSRF token).</p>
<p>No volume throttling or other mitigations have been observed.</p>
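<p>The following is an added example (not part of the advisory) of the detection a defender can run over whatever request logs are available, given the traffic pattern described above: many distinct userdisp.aspx ID values from one client inside a short window, largely consecutive. The access-log format, the sample lines, the client addresses and the thresholds are constructed; the parser would need adapting to the gateway, proxy or audit export actually in use.</p>

```python
"""Detection heuristic for userdisp.aspx ordinal enumeration.

Added example, not from the advisory. The access-log format below
(client, timestamp, request line, status) is constructed; adapt parse_line()
to whatever gateway, proxy or audit export is actually available.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3})$'
)
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def userdisp_id(path):
    """Return the integer ID of a userdisp.aspx request, else None."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith("/_layouts/15/userdisp.aspx"):
        return None
    values = parse_qs(parts.query).get("ID", [])
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def find_enumeration(lines, window=timedelta(minutes=5), min_distinct=10):
    """Flag clients that request at least `min_distinct` distinct userdisp IDs
    inside any `window`. Returns {client: (distinct_ids, sequential_fraction)}
    where sequential_fraction is the share of adjacent sorted IDs that differ
    by exactly one (close to 1.0 for a sequential sweep)."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        uid = userdisp_id(rec["path"])
        if uid is not None:
            per_client[rec["client"]].append((rec["ts"], uid))

    alerts = {}
    for client, events in per_client.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = sorted({uid for _, uid in events[start:end + 1]})
            if len(ids) >= min_distinct and (best is None or len(ids) > best[0]):
                steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
                best = (len(ids), round(steps / max(1, len(ids) - 1), 2))
        if best is not None:
            alerts[client] = best
    return alerts


# Constructed sample: one client sweeping IDs 1..12 in under a minute, one
# ordinary user touching two profiles, and one malformed line.
SAMPLE_LOG = [
    f'203.0.113.7 [2018-03-21T10:00:{4 * i:02d}] '
    f'"GET /sites/somesite/_layouts/15/userdisp.aspx?ID={i}" 302'
    for i in range(1, 13)
] + [
    '198.51.100.4 [2018-03-21T10:00:10] "GET /sites/somesite/Shared%20Documents/report.docx" 200',
    '198.51.100.4 [2018-03-21T10:00:20] "GET /sites/somesite/_layouts/15/userdisp.aspx?ID=5" 302',
    '198.51.100.4 [2018-03-21T10:03:00] "GET /sites/somesite/_layouts/15/userdisp.aspx?ID=9" 302',
    "not a log line",
]

if __name__ == "__main__":
    for client, (count, seq) in find_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct profile IDs, sequential fraction {seq}")
```

<p>On the constructed sample only the sweeping client is flagged, with a sequential fraction of 1.0; the ordinary user viewing two profiles stays below the threshold. Because the advisory notes the requests are independent and can be parallelized, the heuristic keys on distinct ID count per client rather than on request rate, and the sequential fraction is a secondary signal that distinguishes a linear sweep from random probing.</p>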
<p> </p>
<h2>Microsoft Response</h2>
<p>Sharing a SharePoint document link with a third party "<em>implies a certain degree of trust, the product team will not be modifying the current behavior in a security update, as this behavior is considered 'by-design'</em>".</p>
<p> </p>
<h2>Timeline</h2>
<p class="Timeline">February 5, 2018: Issue identified and documented</p>
<p class="Timeline">February 6, 2018: Report submitted to Microsoft via secure@microsoft.com</p>
<p class="Timeline">February 7, 2018: Report acknowledged by Microsoft, case number assigned</p>
<p class="Timeline">February 14, 2018: First status update request sent to Microsoft. Microsoft advises that the "SLA" is March 23.</p>
<p class="Timeline">March 20, 2018: Microsoft requested an HTTP trace</p>
<p class="Timeline">March 21, 2018: Sanitized HTTP trace and evidence of successful enumeration attack provided to Microsoft</p>
<p class="Timeline">March 26, 2018: Previously stated deadline expired without any communication. New status update request sent to Microsoft.</p>
<p class="Timeline">March 28, 2018: Microsoft confirmed the issue and requested postponement of public disclosure.</p>
<p class="Timeline">April 13, 2018: Status update request sent to Microsoft</p>
<p class="Timeline">April 17, 2018: Microsoft sends a note about ongoing discussions on how to best address the issue.</p>
<p class="Timeline">May 22, 2018: Status update request sent to Microsoft</p>
<p class="Timeline">May 25, 2018: Microsoft stated that this is a "by-design" behavior, not warranting further action.</p>
<p class="Timeline">May 28, 2018: Public disclosure</p>
<p class="Timeline"> </p>
<h2>License</h2>
<p>This document is © 2018 pzpcve</p>
<p>The document content is licensed under a <a href="https://creativecommons.org/licenses/by/4.0/legalcode" target="_blank">Creative Commons Attribution 4.0 International license</a></p>
<p> </p>
</div>
<div> </div>
<div class="signature"> </div>
</div>
</div></div></body></html>
["SharepointUserEnumeration-180528-FullDisclosure.pdf" (application/pdf)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/