Hacktics Research Group Security Advisory
http://www.hacktics.com/#view=Resources%7CAdvisory

By Irene Abezgauz, Hacktics.
22-Feb-2010

===========
I. Overview
===========
During a penetration test performed by Hacktics' experts, a persistent
cross-site scripting vulnerability was identified in the SharePoint document
handling module. This vulnerability allows attackers to gain control over
valid user accounts, perform operations on their behalf, redirect them to
malicious sites, steal their credentials, and more. 

A friendly formatted version of this advisory, including a video
demonstrating step-by-step execution of the exploit, is available in: 
   http://www.hacktics.com/content/advisories/AdvMS20100222.html

===============
II. The Finding
===============
The document module of the SharePoint server allows attackers to inject
malicious scripts into dynamically generated web content through file
uploading. These scripts will be executed in the browser of any user viewing
the infected content (persistent cross site scripting).

Further research and correspondence with Microsoft Security Response Center
has identified that a partial mention of this vulnerability appears in
CVE-2008-5026. However, as this is only partial, there is no bugtraq record
for this vulnerability and there is no fix (making it still valid on most
SharePoint deployments), we have decided to release this to the list. 

============
III. Details
============
The Documents module is vulnerable to persistent cross site scripting: 
   https://<mySharePointServer>/<id>/_layouts/Upload.aspx

An attacker can inject malicious scripts into a file and upload it. When any
user will access the uploaded file, it will be displayed directly on their
browser (rather than having the file downloaded to the computer), and the
malicious script will be executed in the context of the vulnerable
SharePoint site. 

This vulnerability can obviously be exploited with HTML files (as mentioned
in CVE-2008-5026), but can also be exploited with any other file type parsed
as HTML by the browser. In our testing we were able to reproduce this with
uploads of TXT files as well.

===========
IV. Exploit
===========
An attacker can embed a malicious script (for example -
<script>alert("XSS")</script> in a document uploaded to the SharePoint site.
When any other user (an administrative user or a regular user who views
documents in the system) opens the file - the malicious script will be
executed on their browser. 

==================
V. Vendor Response
==================
We have contacted the Microsoft Security Response Team on 13-Dec-2009.
Microsoft response to the point was that this is a known issue, and is
considered a low impact vulnerability by Microsoft for the following
reasons:

1. Authentication and the ability to write to the SharePoint site are
required to exploit this scenario.
2. Significant workarounds exist that allow SharePoint server configurations
to be isolated from cross domain exploitation.
3. SharePoint administrators can restrict the uploading of files to
SharePoint servers.

Hacktics' research team has reviewed this response and has certain
reservations with this response. Having users authenticate and upload
documents is the inherent functionality of SharePoint. Many organizations
have implemented complex environments on top of this functionality, with
need for strict authorization separation which is easily circumvented using
this exploit.

Moreover, although the proposed workaround does indeed reduce the risk of
this vulnerability, it requires a rather complex configuration to setup and
maintain, especially with internet-facing environments. Such a solution may
not be easily adopted by most SharePoint administrators. 

Finally, restriction of uploading files may indeed provide a solution, but
may very well not be acceptable by the system's users.

It is important to note that despite this response, Microsoft has fixed this
problem entirely in SharePoint 2010. 

=======================
VI. Solution/Workaround
=======================
There is currently no fix to the problem and Microsoft has no plan of
releasing one for SharePoint 2007. Once SharePoint 2010 is officially
released this could be resolved by upgrading to SharePoint 2010.

Nonetheless, in case this poses a security risk, a suggested workaround is
proposed by Microsoft, to build the SharePoint site with separate host name
for each collection, as described in:
   http://technet.microsoft.com/en-us/library/cc262778.aspx#section6

As already mentioned, this may involve complex configuration and
maintenance, and does not provide a full solution to the risk. It is
therefore recommended that uploading of HTML files, as well as any text type
files will be disabled in the SharePoint configuration. 

=====================
VII. Affected Systems
=====================
Microsoft Office SharePoint Server 2007.

============
VIII. Credit
============
The vulnerability was discovered by Irene Abezgauz, Hacktics Ltd.


---
Ofer Maor
CTO, Hacktics
Chairman, OWASP Israel

Web: www.hacktics.com