what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Office 365 Enterprise E3 Insufficient Session Expiration

Microsoft Office 365 Enterprise E3 Insufficient Session Expiration
Posted Jul 7, 2017
Authored by Micha Borrmann | Site syss.de

Microsoft Office 365 Enterprise E3 suffers from an insufficient session expiration vulnerability.

tags | exploit
SHA-256 | 71b7c538dc235667bda1e21c050149a2a4aa82d2b550a41e97c9f1758d8d7dbf

Microsoft Office 365 Enterprise E3 Insufficient Session Expiration

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Advisory ID: SYSS-2017-011
Product: Office 365 (Sharepoint)
Manufacturer: Microsoft
Affected Version(s): ?
Tested Version(s): Office 365 Enterprise E3 (version from February 2017)
Vulnerability Type: Insufficient Session Expiration (CWE-613)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2017-03-01
Solution Date:
Public Disclosure: 2017-07-04
CVE Reference: Not yet assigned
Authors of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Microsoft Office 365 Enterprise E3 is a software-as-a-service (SaaS)
product that provides access to different Microsoft productivity
software (see [1]).

Due to an error in the session management, it is possible to still use
Sharepoint after the user logged out via the provided logout function.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found out that the application is not properly invalidating
the used session cookies rtFa and FedAuth when the provided logout
function is used.

If an attacker can gain access to these two session cookies of an
authenticated user, he can still use Sharepoint in Office 365, even if
the user logged out via the logout function, the user was disabled in
the Azure AD and the license to use Office 365 was revoked for this
user, too.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The described security issue concerning the session management of
Microsoft Office 365 Enterprise E3 could be successfully demonstrated
via an interception proxy like Burp Suite.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The SySS GmbH found out, that deletion of the user within Azure AD
make it impossible for the user to use Office 365 anymore.
However, this is a work around and not a rock solid solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2017-02-20: Detection of the vulnerability
2017-03-01: Vulnerability reported to manufacturer
2017-03-02: A ticket number for the reported case was assigned by Microsoft
2017-03-15: Microsoft informed the SySS Gmbh that the investigation of the issue is in process;
they asked for additional information about the described vulnerability
2017-03-16: SySS GmbH sent more details about the detection of the vulnerability to Microsoft
2017-03-29: Microsoft ask the SySS GmbH to confirm the vulnerability and "We request you to not
publish any details until we confirm the resolution of this case." (last response from Microsoft)
2017-03-31: The environment wich was used during detecting the issue was not available anymore
for the SySS GmbH; the administrator if it informed the SySS GmbH, that a new function
"enforce logout of all users" are existing now; SySS GmbH informs Microsoft about this fact
2017-05-08: SySS GmbH asks Microsoft about the status of the reported issue
2017-06-12: SySS GmbH asks Microsoft about the status of the reported issue, if there will be no response,
the issue will be released after June 23, 2017
2017-07-04: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Product web site for Microsoft Office 365 Enterprise E3
https://products.office.com/en-us/business/office-365-enterprise-e3-business-software
[2] SySS Security Advisory SYSS-2017-011
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-011.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE8ufGpZlQhO161g3U7b4m5xTqWHYFAllfU+4ACgkQ7b4m5xTq
WHZM+A//R+Bb5Y9d6m8XSVz6XZbd0usF2tskJAv4S+KIgwsAFtkgnA+xBOgHIlpx
KIy7kJDG5EnlB97fC3uYKAIrSFCFrG/rpe3vOVNtSpWC+sjN6tSmXff3gsLg+8uH
niK3Mm8qhH/dvAmvfo6l9GEBSrgQ3+1oO9ZHxZbtEHZ5avV0uwuXIlGwUFnfhO27
0AGzkcsPNji4DNKnuEhc6YiuO+ydX2V8D6Rhc8A0ToInfjCpDJGfHvPcq4tzCjj1
L9eVY2f93Ijmh5i9fRydVO/v+8Uj4jCJtM4Kg1MnPPsi9Q+wE9Y2UkI21isII/sM
cNNQhyBloE3nK9TlhgCr2gNGFHlp5G/Wjvd3C8xFGW/UUxzz2QMiZ98e5F95HC+x
Zf5ZWBaP8ofa5o+HZTLibjZ8SowqcBcdQPHsS3d9viQ9fiDEOJpZtv68d1DB8Uen
Pm/Gvr8O7Cqe9V/f3JhjV1KdLU2VnKKnb8vg1bvMimH316IgwzoLNJ9yqealFsLp
5ILOoU+abKwqcM1chTV/Q48RkRdFVZjyojq4aNK1OVorqEA6EamvPeaGwhngvIyh
e6Gmm8prd/b1Wu/oTTzMe2twPDMs/BsVOq0tkQ63IQ82wGTBjCdKakD3RzPfmp72
PL1OlAU37hsuvV4O5r4ShNsT9/W8t5WzlH+pYQj3ZSoGV5KgetM=
=hwfs
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close