Document Title:
===============
Microsoft Online, Office & Cloud - Persistent Encoding Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=806

Microsoft Security Response Center (MSRC) ID: 14090
Microsoft Security Response Center (MSRC) Manager: Brandon


Release Date:
=============
2013-12-13


Vulnerability Laboratory ID (VL-ID):
====================================
806


Common Vulnerability Scoring System:
====================================
3.7


Product & Service Introduction:
===============================
Microsoft Online Services is Microsoft`s hosted-software offering and a component of their software plus services strategy.
Microsoft Online Services are hosted by Microsoft and sold with Microsoft partners. The suite includes Exchange Online, 
SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses, 
the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through on-premises 
servers, as online services, or a combination of both, depending on specific business requirements. Services also provide the 
option to add complementary capabilities that enhance on-premises server software and simplify system management and maintenance.

( Copy of the Homepage: https://microsoftonline.com   &  https://microsoft.com )

Office 365 is a subscription-based online office and software plus services suite which offers access to various services 
and software built around the Microsoft Office platform. Serving as a successor to Microsoft`s Business Productivity Online 
Suite, the service was originally designed to provide hosted e-mail, social networking and collaboration, and cloud storage 
to teams and businesses. As such, it first included hosted versions of Exchange, Lync, SharePoint, Office Web Apps, along 
with access to the Microsoft Office 2010 desktop applications on the Enterprise plan. With the release of Office 2013, 
Office 365 expanded to include new plans aimed at different types of businesses, along with new plans aimed at general 
consumers wanting to use the Office desktop software on a subscription basis.After a beta testing process which began in 
October 2010, Office 365 was officially launched on June 28, 2011.

(Copy of the Homepage: http://office.microsoft.com/en-us/  &   http://en.wikipedia.org/wiki/Microsoft_Office_365)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent encoding web vulnerability in the official Microsoft Online Service (core) web-application.


Vulnerability Disclosure Timeline:
==================================
2013-02-03: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-06: Vendor Notification (MSRC- Security Response Center Team)
2013-12-11: Vendor Response/Feedback (MSRC- Security Response Center Team)
2013-12-11: Vendor Fix/Patch (Microsoft Developer Team - Case Manager: Brandon)
2013-12-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corporation
Product: MS Online Service 2012 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple persistent input validation encoding web vulnerabilities are detected in the official microsoft cloud core online service portal.
The persistent encoding vulnerability of the microsoft online web server is located in the company and name profile details.

The microsoft online web server does not encode the outgoing (dbms saved) details or values of the registered microsoft service 
user profiles. The vulnerability is located in the user profile input values `Name`, `Surname` and `Organization Name`. 

The bug can be exploited by the inject of own malicious script code as name, surname and organisation name. After the inject the 
own malicious script code will be saved in the microsoft dbms with the wrong encoded values. The server is sending different user 
notification mails by usage of the stored (manipulated) database values. The request method to inject is POST and the attack vector 
is persistent. The manipulated values in the database are the reason for the persistent script code execute. In the outgoing emails 
are by the original microsoft online-service mail or the office mail server.

The following registration services are marked as vulnerable ... `register an account (microsoft.com)`, `license account (microsoft.com)` 
or the `demo trail account` for the new Office-360°. Because of the problem turns into a persistent weakness in several microsoft services 
the issue has been marked as medium(+) with a cvss (common vulnerability scoring system) score of 3.7(+). 

Exploitation of the persistent remote vulnerabilities in the outgoing mail encoding requires a low privileged web-application user 
account and low user interaction. Succsessful exploitation of the vulnerability results in persistent session hijacking (not expired 
sesssion), persistent phishing via the original microsoft email service and persistent manipulation of email service and connected.

Vulnerable Service(s):
				[+] Microsoft Online Service

Vulnerable Input Module(s):
				[+] Registration Formular Account (licenses)
				[+] Registration Formular Trail
				[+] Sharepoint - Steps 1-4 & Changes
				[+] Dynamic CRM - Sign In
				[+] Start using your Office 365 trial today - Invitation to use Office 365


Vulnerable Parameter(s):
				[+] Name der Organisation (Name of Organisation) - Companyname
				[+] Name
				[+] Surname


Affected Module(s):
				[+] Microsoft Online Service - Mail Notification


Affected Service Function(s):
				[+] Microsoft Online Service Mail Notification - MS Online
				[+] Microsoft Online Service Mail Notification - Office 365
				[+] Microsoft Online Service Mail Notification - Sharepoint Online
				[+] Microsoft Online Service Mail Notification - Dynamic CRM Online
				[+] Microsoft Online Service Mail Notification - Lync


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with or without web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided steps and information below.

1.1
PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht.

<tr>
<td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;">
<p style="margin:0px 0px 12px 0px;">
<strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br />
<strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p>
<p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p>
<p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p>
</td></tr>

URL(s): 
Registration Account Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Registration Trail Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Original Service URL(s):
https://portal.microsoftonline.com/Signup/MainSignUp.aspx

Available and Tested Sender eMail(s):
reply-fec915767460037e-99_HTML-76251279-1014838-1@email.microsoftonline.com
Office365@microsoftonline.com
email.microsoftonline.com

Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/



1.2
PoC: Dynamic CRM - Sign In - Notification Mail

<tbody><tr>
<td style="padding-top:10px; font-family:'Segoe UI', Segoe, Tahoma, sans-serif; font-size:10pt; line-height:15px; 
color:#000000;"><strong>Name:</strong> %20%20%20%20"><[PERSISTENT SCRIPT CODE EXECUTION!]") <</td>

... or

<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 
0px;"><strong>Organization Name:</strong><br /><[PERSISTENT SCRIPT CODE EXECUTION!]") <</p>



PoC: Sharepoint - Steps 1-4 & Changes - Notification Mail

<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="720">
<tbody><tr>
<td width="20"></td>
<td style="padding-bottom:15px;">
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="680">
<tbody><tr>
<td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT SCRIPT CODE EXECUTION!]") <,</td></tr>


Available and Tested Sender eMail(s):
msonlineservicesteam@microsoftonline.com
reply-fec2157471620d78-108_HTML-177022632-1014838-17720@email.microsoftonline.com
Office365@microsoftonline.com
reply-fecc15767765037f-99_HTML-76251279-1014838-1@email.microsoftonline.com
reply-fecc15747163047e-108_HTML-180111840-1014838-40194@email.microsoftonline.com
reply-fecc15747163047e-108_HTML-180111840-1014838-40194@email.microsoftonline.com
BOSreply@microsoft.com

Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/


Note: The vulnerability does not only affect the notification service it also works with the license registration, 
update notification mails and notification mails for dbms context changes.


1.3
PoC: Warnung: Die Daten aus Ihrer Office 365-Testversion werden in 7 Tag(en) gelöscht.

<tr>
<td height="166" style="padding:0px 0px 0px 10px; font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#000;">
<p style="margin:0px 0px 12px 0px;">
<strong>Name der Organisation:</strong><br />>"<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]><div<br /><br />
<strong>Dienst:</strong><br />Microsoft Office 365-Testversion (Plan P1)</p>
<p style="margin:0px 0px 12px 0px;"><strong>Startdatum der Testversion:</strong><br /> 2012-10-08</p>
<p style="margin:0px 0px 0px 0px;"><strong>Enddatum der Testversion:</strong><br />2012-11-08</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">%20<[PERSISTENT INJECTED MALICIOUS SCRIPT CODE!]"><></p>
</td></tr>

URL(s): 
Registration Account Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=EXCHANGESTANDARD&culture=EN-US&Country=US&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Registration Trail Formular
https://portal.microsoftonline.com/Signup/MainSignUp.aspx?&OfferId=x&dl=LITEPACK&Culture=de-de&Country=DE&xid=
AI:200053632|}RI:200053632|}W1:Direct|}W2:|}&ali=1

Original Service URL(s):
https://portal.microsoftonline.com/Signup/MainSignUp.aspx

Available and Tested Sender eMail(s):
reply-fecf15747162057d-108_HTML-176041426-1014838-41895@email.microsoftonline.com
msonlineservicesteam@microsoftonline.com
support@microsoft.com
email.microsoftonline.com

Reference(s):
https://login.microsoftonline.com/
https://microsoftonline.com/
https://microsoft.com/



1.4
PoC: Your Microsoft Office 365 Trial (Plan E3) is about to expire – buy today!

<table width="206" height="374" align="center" cellpadding="0" cellspacing="0" border="0"> 
<tr>
<td width="206" valign="top" style="font-family:'Segoe UI',Tahoma,sans-serif; font-size:10pt; line-height:13pt; color:#000;"> 
<table width="206" cellpadding="0" cellspacing="0" border="0" style="border:1px solid #fff; background:#fff;">
<tr>
<td style="padding:6px; background:#072B60;">
<p style="font-family:SegoeUI, Tahoma, sans-serif; font-size:11pt; color:#fff; margin:0px;">Account Information</p>
</td>
</tr>
<tr>
<td style="padding:10px;font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60;">
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Organization name</strong><br />
<[PERSISTENT INJECTED SCRIPT CODE!]") <</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Service</strong><br />
Microsoft Office 365 Trial (Plan E3)</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 12px 0px;"><strong>Trial start date</strong><br />
2012-12-31</p>
<p style="font-family:Segoe UI, Tahoma, sans-serif; font-size:9pt; color:#072B60; margin:0px 0px 0px 0px;"><strong>Trial end date</strong><br />
2013-01-30</p>
<p style="margin:0px 0px 0px 0px; letter-spacing:2px;">...........................</p>
</td>
</tr>
</table>


1.5
PoC: Tag 2 - Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online

<tr><td width="28"><img src="http://image.offers.crmlive.com/lib/fefc1270736601/i/1/5d9c825e-3.gif" alt="Spacer" border="0" height="1" width="28">
</td><td width="400">
<span style="font-family: 'Segoe UI', Verdana, sans-serif; font-size:27px; color:#112e58; line-height:normal;">
Erste Schritte bei der Evaluierung von Microsoft Dynamics CRM Online</span>
<br>
<br>
<strong>Name der Organisation: <[PERSISTENT INJECTED SCRIPT CODE!]") <</strong>						
<br>
<br>Vielen Dank für Ihr Interesse an Microsoft Dynamics CRM Online


1.6
PoC: Lync > Connect with next-generation online meetings

<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="720">
<tbody><tr>
<td width="20"></td>
<td style="padding-bottom:15px;">
<table style="font-family:'Segoe UI', Arial, Helvetica, sans-serif;" border="0" cellpadding="0" cellspacing="0" width="680">
<tbody><tr>
<td style="font-size:16px;color:#333333;padding-bottom:6px;">Dear <[PERSISTENT INJECTED SCRIPT CODE!]") <,</td>
</tr>


Solution - Fix & Patch:
=======================
The vulnerabilities can be patched by a restriction, parse or encode of the input vulnerable `name of organization`,`name` and `surname` input fields.
Encode the input and of course do not forget the ensure the outgoing stored db context values are filtered. 

1. Solution - Parse each input and encode all outgoing values separatly
... or
2. Implement a filter or proxy with exception-handling to prevent script code executes.
Note: This solution does not patch the fail it only filters the context and replace the wrong encoded information.


Solution by Microsoft:
Microsoft implemented a cloud email proxy service to filter wrong encoded database values in the outgoing mail servics of microsoft after 
the incident with vulnerabilities in the outgoing service and office emails has been reported by Benjamin. 
The email proxy filters all the malicious injected tags, script codes or payload with a filter mechanism and internal exception-handling to 
prevent the persistent manipulation of original web-server emails.


Security Risk:
==============
The security risk of the (application-side) persistent mail encoding web vulnerabilities are estimated as medium(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com