Document Title:
===============
Adobe Marketing Cloud - Bypass & Persistent Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1939

Release Date:
=============
2016-11-14

Vulnerability Laboratory ID (VL-ID):
====================================
1939

Common Vulnerability Scoring System:
====================================
4.2

Product & Service Introduction:
===============================
Adobe Marketing Cloud is currently the most comprehensive suite of marketing solutions on the market. It includes everything needed by marketers to gain insights into the behavior of customers, create personalized campaigns and manage content and assets.

(Copy of the Homepage: http://www.adobe.com/de/marketing-cloud.html )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a filter bypass issue and a persistent vulnerability in the Adobe Demand online service web-application.

Vulnerability Disclosure Timeline:
==================================
2016-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-09-02: Vendor Notification (PSIRT Adobe Security Team)
2016-10-02: Vendor Response/Feedback (PSIRT Adobe Security Team)
2016-10-20: Vendor Fix/Patch (Adobe Service Developer Team)
2016-11-01: Security Acknowledgements (Adobe Security Team)
2016-11-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Adobe Systems
Product: Adobe - Request Consultation Formulars (Web-Application) 2016 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side input validation vulnerability and filter bypass issue have been discovered in the Adobe Marketing Cloud online service web-application.
The application-side vulnerability allows remote attackers to inject their own malicious script code into the application-side of the vulnerable function or module.

The persistent web vulnerability is located in the `firstname` and `lastname` parameters of the POST request to the `marketing-cloud.html` file. Remote attackers are able to submit malicious POST requests through the registration form to inject script code into the Adobe service emails. The service takes the registration data to generate an HTML file for the user notification, which is the execution point. The injection points are the two vulnerable input fields whose values are used in the email after they are saved to the DBMS via the POST request. The form's filter validation catches basic script tags, but an iframe whose src triggers an onload alert bypasses the filter: the filter enumerates known bad tags instead of encoding the values at the output.

Exploitation of the persistent input validation web vulnerability requires no privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources and persistent manipulation of the affected or connected service module context.

Request Method(s):
[+] POST (Inject)

Vulnerable Module(s):
[+] ./products/request-consultation/ - Registration Form

Vulnerable File(s):
[+] marketing-cloud.html

Vulnerable Parameter(s):
[+] firstname
[+] lastname

Affected Module(s):
[+] Email (Service & Information - Notify)

Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers without a privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Open the registration form website
2. Choose MarketingCloud and insert random values
3. Inject your own test payload into the firstname and lastname parameters
4. Save the entry via submit to be redirected to the thanks page
5. Preview the target inbox mail, where the execution occurs on mail preview next to the introduction word Dear [CUSTOMER FIRST- & LASTNAME]
6. Open the webpage link in the mail to stream the code inside the same-origin-policy URL of Adobe for further exploitation
7. Successful reproduction of the application-side input validation vulnerability!

Note: The issue affects all service forms which are handled like the MarketingCloud service via click!

Vulnerable Input(s): Registration Form
http://www.adobe.com/de/products/request-consultation/marketing-cloud.html?s_osc=701a0000002I7h6AAC&s_iid=701a0000002I7DxAAK

Sender(s):
demand@adobe-info.com & info@adobe.com

Vulnerable Output(s):
http://t.info.adobesystems.com//r/?id=h7d91fb93,515043a8,515043c8&p1=%40gcO2qqquE1V0plhsJ7PB7vmEM3%2Bprx2dlibMUIlKP9I%3D
http://m.adobe-info.com/nl/jsp/m.jsp?c=%40gcO2qqquE1V0plhsJ7PB7vmEM3%2Bprx2dlibMUIlKP9I%3D

PoC: Vulnerable Source (Execution)
Dear >"[PERSISTENT SCRIPT CODE EXECUTION VIA FIRST- & LAST-NAME]

Thank you for your interest in mobile app solutions from Adobe. Please join us for a webinar on September 15, 2016 at 10am PT (1pm ET) where we will discuss how mobile applications can delight your customers and make your business more efficient.

In this session, we will share how to avoid the costs and challenges of building and maintaining applications, as well as strategies for bringing the power of mobile apps to business owners to deliver real, tangible ROI. It's simply not enough to have an app. You need to have an app that provides business utility and is constantly updated with content and useful features.

We will share examples of how the most successful companies in the world, like VMWare, Under Armour, BNP Paribas, Black Diamond, and others, use Adobe Experience Manager Mobile to quickly and cost effectively deliver amazing mobile apps for their employees and customers.

And, finally, we will offer you an easy way to get started using the product to prove success.
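The greeting line above is where the unencoded name fields land in the notification mail. The following is an added example (not Adobe's code; the template string, the 64-character field limit and the function names are assumptions) of the two defensive layers the fix requires: an allow-list check on the firstname/lastname fields at the input boundary, and HTML-encoding at the point where they are written into the mail template, so that a tag-stripping blacklist is no longer the only thing standing between the form and the mail.

```python
import html
import unicodedata

# Constructed template standing in for the notification mail shown in the PoC;
# the real Adobe template is not on the page.
GREETING_TEMPLATE = "<p>Dear {firstname} {lastname},</p>"

# Assumed length cap for a single name field.
NAME_MAX_LEN = 64


def is_valid_name(value: str) -> bool:
    """Allow-list check for the firstname/lastname fields.

    Accepts letters from any script (plus combining marks), spaces, hyphens
    and apostrophes. Angle brackets, quotes, '=', '/' and other punctuation
    that could form markup are rejected, so the filter never has to
    enumerate dangerous tags or attributes.
    """
    value = unicodedata.normalize("NFC", value).strip()
    if not value or len(value) > NAME_MAX_LEN:
        return False
    for ch in value:
        category = unicodedata.category(ch)  # e.g. 'Lu', 'Ll', 'Mn', 'Po'
        if category[0] in ("L", "M") or ch in " -'":
            continue
        return False
    return True


def render_greeting(firstname: str, lastname: str) -> str:
    """Write the names into the HTML mail with contextual encoding.

    Encoding happens at the output sink regardless of what the input filter
    did, so '<', '>', '&', '"' and "'" become entities and the mail client
    only ever sees text where the template expects text.
    """
    return GREETING_TEMPLATE.format(
        firstname=html.escape(firstname, quote=True),
        lastname=html.escape(lastname, quote=True),
    )


def handle_registration(firstname: str, lastname: str) -> str:
    """Both layers together: reject what is not a name, encode what is accepted."""
    if not (is_valid_name(firstname) and is_valid_name(lastname)):
        raise ValueError(
            "name fields may only contain letters, spaces, hyphens or apostrophes"
        )
    return render_greeting(firstname, lastname)
```

Because the encoding sits at the sink, already stored records that slipped past the old filter are also neutralised when the mail is generated, which covers the advisory's point about filtering already registered users.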
Reference(s):
http://t.info.adobesystems.com/
http://t.info.adobesystems.com//r/
http://m.adobe-info.com/
http://m.adobe-info.com/nl/
http://m.adobe-info.com/nl/jsp/
http://m.adobe-info.com/nl/jsp/m.jsp
http://www.adobe.com/de/
http://www.adobe.com/de/products/
http://www.adobe.com/de/products/request-consultation/
http://www.adobe.com/de/products/request-consultation/thankyou.html

Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable firstname and lastname input fields in the registration forms.
Parse the outgoing emails of the Marketing Cloud service that carry the vulnerable firstname and lastname parameters.
Disallow the usage of special chars and filter the input with a restriction to prevent further script code injection attacks.
Filter and parse already registered users to remove the execution point.
Encode the link and use an exception to deny script code insertion via the HTML-generated Adobe website link.

Security Risk:
==============
The security risk of the persistent input validation vulnerability and filter bypass issue is estimated as medium. (CVSS 3.5)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section:    magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™