Document Title: =============== Microsoft Outlook 365 - Arbitrary File Upload Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1513 Release Date: ============= 2018-08-08 Vulnerability Laboratory ID (VL-ID): ==================================== 1514 Common Vulnerability Scoring System: ==================================== 6.1 Vulnerability Class: ==================== Arbitrary File Upload Current Estimated Price: ======================== 3.000€ - 4.000€ Product & Service Introduction: =============================== Microsoft Online Services is Microsoft`s hosted-software offering and a component of their software plus services strategy. Microsoft Online Services are hosted by Microsoft and sold `with` Microsoft partners. The suite includes Exchange Online, SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses, the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through on-premises servers, as online services, or a combination of both, depending on specific business requirements. Services also provide the option to add complementary capabilities that enhance on-premises server software and simplify system management and maintenance. Outlook.com is a free web-based email service run by Microsoft. One of the world's first webmail services, it was founded in 1996 as Hotmail (stylized as HoTMaiL) by Sabeer Bhatia and Jack Smith in Mountain View, California, and headquartered in Sunnyvale. Hotmail was acquired by Microsoft in 1997 for an estimated $400 million and launched as MSN Hotmail, later rebranded to Windows Live Hotmail as part of the Windows Live suite of products. The last version of Hotmail was released in October 2011.[As of mid-2011, Hotmail had 360 million users per month. It was available in 36 languages. In 2013, Hotmail was replaced with Outlook.com, which features Microsoft's Metro design language, and closely mimics the interface of Microsoft Outlook. It also features unlimited storage, Ajax, and integration with Calendar, OneDrive, People and Skype (Copy of the Vendor Homepage: https://microsoftonline.com ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a remote file upload web vulnerability and filter bypass in the Microsoft Outlook (365) web-application. Vulnerability Disclosure Timeline: ================================== 2018-08-08: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Microsoft Corp. Product: Microsoft Outlook - Web Application 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Restricted authentication (user/moderator) - User privileges User Interaction: ================= No User Interaction Disclosure Type: ================ Bug Bounty Program Technical Details & Description: ================================ A file include web vulnerability and filter bypass has been discovered in the official Microsoft Outlook online service web-application. The security vulnerability allows remote attackers to manipulate web context by an inject through an unauthorized uploaded file. The vulnerability is located in the `upload file` POST method request of the `https://dub114.afx.ms` outlook web-server. Remote attacker are able to include local files that are accepted by the service validation to trick the web-server by executing the file. The issue demonstrates a broken validation mechanism to bypass the filter and execute malicious files within the microsoft outlook web context. The issue is exploitable by attackers with low privilege application user account without user interaction. When the attacker sends the file to a victim like shown in the video. Click to the picture aaa.svg that will popup to the file (attachment poc) so the file which i want the victim to execute will redirect to it with popup in the file but the file will upload to the microsoft server. The security risk of the file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the file include web vulnerability requires a low privilege web application user account and without user interaction. Successful exploitation of the vulnerability results in unauthorized upload of executable files through the outlook application context. Affected Request Method(s): [+] POST Vulnerable Module(s): [+] upload file Affected Domain(s): [+] dub114.afx.ms - Outlook Proof of Concept (PoC): ======================= The remote session manipulation web vulnerability can be exploited by remote attackers with low privilege web-application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: https://dub114.afx.ms/att/GetInline.aspx?messageid=af737cb4-0e9e-11e5-928d-6c3be5a7dbbc&attindex=1&cp= -1&attdepth=1&imgsrc=cid%3apart25.09020904.07080207%40hotmail.fr&cid=ef89971b56dbc923&shared=1&hm__login=pentest317 &hm__domain=hotmail.fr&ip=10.211.36.8&d=d4659&mf=0&hm__ts=Tue%2c%2009%20Jun%202015%2011%3a57%3a45%20GMT&st=pentest317%25hotmail.fr %407&hm__ha=01_e344e373c0e1339b49871c316909fcf000ea147583cce52bfb908f73c2a5e611&oneredir=1 https://dub114.afx.ms/att/GetInline.aspx?messageid=888b4109-0e95-11e5-a69c-00215ad7b3ca&attindex=1&cp= -1&attdepth=1&imgsrc=cid%3apart25.08010206.06090907%40hotmail.fr&cid=ef89971b56dbc923&shared=1&hm__login=pentest317& hm__domain=hotmail.fr&ip=10.211.36.8&d=d4659&mf=0&hm__ts=Tue%2c%2009%20Jun%202015%2011%3a12%3a26%20GMT&st=pentest317%25hotmail.fr %407&hm__ha=01_66499fb343d6179fbc5dbd993b5faedaa551d3f4be2c56618cf88908af12ead0&oneredir=1 ab.xml ]> &sayhello; --- PoC Session Logs [Header] --- Message-ID: Date: Tue, 09 Jun 2016 16:03:59 +0100 From: hadji samir User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: xxxxxxx Subject: Re: test References: <5576D43B.2050601@hotmail.fr> In-Reply-To: Content-Type: multipart/alternative; boundary="------------060504070803040305080403" This is a multi-part message in MIME format. --------------060504070803040305080403 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit ss --------------060504070803040305080403 Content-Type: multipart/related; boundary="------------080505070300080303010609" --------------080505070300080303010609 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit ss References: ../aaa.svg ../ab.xml ../login.htm ../nsemail.eml ../poc-video.ogv Reference(s): https://dub114.afx.ms https://login.live.com/ https://login.live.com/login.srf https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=&ct=&rver=&wp=MBI_SSL_SHARED&wreply=&lc=&id=&mkt=de-DE&cbcxt=mai Solution - Fix & Patch: ======================= Disallow to upload the file to microsoft servers. Restrict the upload and disallow external sources. Note: The issue has been reported in 2016 Q4 and was resolved by the microsoft developer team during 2017 Q2 - Q4. The disclosure process of the vulnerability report took about 12 month. Security Risk: ============== The security risk of the arbitrary file upload web vulnerability in the microsoft outlook application is estimated as high. Credits & Authors: ================== Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™