Document Title:
===============
BMW Online (Mail) - Persistent Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2262

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2021/10/19/bmw-mail-persistent-validation-vulnerability

Release Date:
=============
2021-10-19

Vulnerability Laboratory ID (VL-ID):
====================================
2262

Common Vulnerability Scoring System:
====================================
5.9

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Bayerische Motoren Werke Aktiengesellschaft (BMW AG) is a globally operating, publicly listed automobile and motorcycle manufacturer headquartered in Munich, which operates under the brand name BMW Group. Its product range comprises the BMW automobile and motorcycle brand, the Mini and Rolls-Royce car brands, and the BMW sub-brands BMW M and BMW i. Especially since the 1960s, the group has made a name for itself under the BMW brand as a manufacturer of high-priced, comfortably equipped and powerful touring cars with sporting ambitions, and is therefore counted among the so-called premium manufacturers. In addition, the Mini brand targets a younger, lifestyle-oriented clientele with retro models, while Rolls-Royce produces top-priced luxury saloons in small numbers. The core BMW brand traces back to Rapp Motorenwerke, founded in Munich in 1913 by Karl Rapp. It was expanded by Franz Josef Popp from 1917 and traded as Aktiengesellschaft Bayerische Motorenwerke from 1918 and as Süddeutsche Bremsen-AG from 1920. The engine-building division and the old company name were sold in 1922 and incorporated into Bayerische Flugzeugwerke AG, founded in 1916, which has traded as BMW ever since.
With revenue of 104.2 billion euros and around 134,000 employees in fiscal year 2019, BMW is one of Germany's largest companies and, with an annual production of 2.54 million vehicles in 2019, was among the 15 largest car manufacturers in the world. The company is listed on the stock exchange with both common and preferred shares; the common share is included in the German benchmark index DAX and in the DivDAX. The largest shareholders, together holding about 46.8 %, are Susanne Klatten and Stefan Quandt, members of the Quandt industrial family. In 2018 BMW was also listed in the Dow Jones Sustainability Indices (DJSI) "World" and "Europe" and in the FTSE4Good sustainability indices.

(Copy of the Homepage: https://de.wikipedia.org/wiki/BMW )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a persistent input validation web vulnerability in the BMW online service web application.

Affected Product(s):
====================
BMW
Product: Mailing Server - Online Service (Web-Application) 2020 Q1

Vulnerability Disclosure Timeline:
==================================
2020-06-04: Researcher Notification & Coordination (Security Researcher)
2020-06-05: Vendor Notification (BMW-CERT Department)
2020-08-27: Vendor Response/Feedback (BMW-CERT Department)
2021-10-10: Vendor Fix/Patch by Check (BMW Service Developer Team)
2021-**-**: Security Acknowledgements (BMW-CERT Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Bug Bounty

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official BMW online service portal web application. Guests are able to inject their own malicious script code on the application side of the vulnerable service module to compromise emails or the content delivered via the sender.

The vulnerability is located in the `firstname` and `lastname` parameters of the `mail` module. The vulnerable parameters are insufficiently sanitized before being delivered inside a basic HTML mail template. Remote attackers are able to inject their own malicious script code via a POST method request to the application side of the BMW domain mailing service. The attack vector of the vulnerability is persistent on the application side and the request method used to inject is POST. The attacker does not need to be directly authenticated, because only an initial registration without an activation request is required. The injection points are the vulnerable input fields of the BMW 4er Coupé registration form, and the execution of the malformed injected code takes place on the `mail.bmw.de` and `m.mail.bmw.de` domains in the unique `/jsp/m.jsp` file via a client-side GET method request. The issue affects all pages that embed the newsletter module.

The vulnerability allows email spoofing, phishing, spamming, cross-site requests for redirects to malware or exploits, and persistent manipulation of BMW domain (email) contents. A targeted user cannot see that the manipulated website is insecure, because a trusted native source (the BMW mailing system at mail.bmw.de) delivers the content. The exploitation of the persistent input validation web vulnerability requires no or low user interaction and no privileged application user account. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious sources, and persistent manipulation of the affected web module context.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] BMW 4er Coupé - Registration Form

Vulnerable Input(s):
[+] Vorname (Firstname)
[+] Nachname (Lastname)

Vulnerable Section(s):
[+] CONTENT

Vulnerable File(s):
[+] m.jsp

Affected Domain(s):
[+] mail.bmw.de
[+] m.mail.bmw.de

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with a low privileged application user account and medium required user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Payload: Phishing
test">

Payload: Session Hijacking
test">
test">

Payload: Malware or Exploit
test">

Payload: Redirect
test">

PoC: Demo URLs (Examples Non Malicious!)
https://m.mail.bmw.de/nl/jsp/m.jsp?c=%40Pv0kZwbsXqBiXLjqfLfhjQcmFl03K6l5EVY0L9chpQk%3D

--- PoC Session Logs (GET) [Execute] ---
https://m.mail.bmw.de/nl/jsp/m.jsp?c=%40Pv0kZwbsXqBiXLjqfLfhjQcmFl03K6l5EVY0L9chpQk%3D
Host: m.mail.bmw.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: uuid230=e171a7d5-3065-4691-9e39-dc051d6b6bb2; nlid=59b025|bd9a2846; bmwdtm_hq_userdata=lo:not logged in; v_reco_data={"user":"returning","last_channel":"other","pages_viewed":{"https://www.bmw.de/de/index.html":2, "https://configure.bmw.de/de_DE/configure/G22/11AP/FKFSW,P0668,S01S3":1},"site_sections_viewed":{"Index":2,"Configurator":1}, "session_duration":"622","configurator_session_duration":"8"}; at_check=true; bmwdtm_hq_vs=1591355369; s_lv=1591358075425; _cs_mk=0.8202769905305621_1591355369096; _cs_c=1; _cs_id=d1d6f4a2-9e37-a0cf-fd19-495b95a51ace.1591355370.2.1591358075.1591358046.1.1625519370460.Lax.0; AMCV_B52D1CFE5330949C0A490D45%40AdobeOrg=1585540135%7CMCMID%7C43471724831001338048363975029512836080%7CMCAID%7CNONE%7CMCOPTOUT-1591365306s%7CNONE%7CvVersion%7C4.4.0; AMCVS_B52D1CFE5330949C0A490D45%40AdobeOrg=1; s_ppvl=all-models%2520%253E%25204-series%2520%253E%2520coupe%2520%253E%25202020%2520%253E%2520bmw-4-series-coupe-highlights%2C93%2C65%2C6927%2C1920%2C884%2C1920%2C1080%2C1%2CP; s_ppv=all-models%2520%253E%25204-series%2520%253E%2520coupe%2520%253E%25202020%2520%253E%2520bmw-4-series-coupe-models-equipment%2C100%2C100%2C7283%2C1920%2C884%2C1920%2C1080%2C1%2CP; s_cc=true; dtTransferCookie==3=srv=2=sn=V9BCJG98FF13N2R0E8BB33TB9RSRD9AS=app:d6bac8ba1bbb22f2=1=ol=0=perc=100000=mul=1; check=true; s_fid=%20; last_config=%7B%22modelrange%22%3A%22G22%22%2C%22modelcode%22%3A%2211AP%22%2C%22ag_modelcode%22%3A%2211AP%22%2C%22brand%22%3A%22bmwCar%22%2C%22paint%22%3A%22P0668%22%2C%22rim%22%3A%22S01S3%22%2C%22fabric%22%3A%22FKFSW%22%2C%22options%22%3A%22FKFSW%2CP0668%2CS01CB%2CS01DF%2CS01S3%2CS0205%2CS0230%2CS0255%2CS02PA%2CS02VB%2CS0428%2CS0431%2CS0493%2CS04AT%2CS04NE%2CS0508%2CS0534%2CS0544%2CS0548%2CS05AQ%2CS05DA%2CS0654%2CS06AE%2CS06AF%2CS06AK%2CS06C4%2CS06U2%2CS0801%2CS0851%2CS0879%2CS08KA%2CS08TF%2CS09QX%22%2C%22brandCosy%22%3A%22WBBM%22%7D; _pin_unauth=dWlkPU1ETXdNalZpTkRBdE9UQXhZUzAwWWpobUxXSTFaRE10WTJFM01XVm1PVEUxWVdRMg; mbox=session#caf2ce2d3adc47609e4fa1ac588d1a00#1591359906; bmwdtm_hq_sid=k55b3hBo5kgb; bmwdtm_hq_pcg=topics%7Ctopics%20%3E%20fascination-bmw%7Ctopics%20%3E%20fascination-bmw%20%3E%20efficient-dynamics%7Ctopics%20%3E%20fascination-bmw%20%3E%20efficient-dynamics%20%3E%20consumption-and-emissions%7Cconsumption-and-emissions; s_lv_s=Less%20than%201%20day; _cs_s=3.1
-
GET: HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Fri, 05 Jun 2020 11:57:59 GMT
Server: Apache
Vary: Accept-Encoding
X-Robots-Tag: noindex
X-UA-Compatible: IE=edge
Content-Length: 9916
Connection: keep-alive

PoC: Source (Email & Web Pages)
Sehr geehrter Herr Dr. B>"[VORNAME|NACHNAME - EXECUTION POINT!],

Reference(s):
https://www.bmw.de/de/ssl/requests/rfo-bmw.html#/dlo#%2Fbrand=BM&configId=g8f8j3l6&ucpBaseurl=https:%2F%2Fprod.ucp.bmw.cloud
https://www.bmw.de/de/ssl/requests/brand-switch-rfi/rfi-type-switch-bmw/rfi-post-bmw.html#/brand=BM&configId=g8f8j3l6&ucpBaseurl=https://prod.ucp.bmw.cloud

Solution - Fix & Patch:
=======================
1. The vulnerability can be patched by parsing and encoding the vulnerable `firstname` and `lastname` input fields in all affected newsletter registration forms.
2. Restrict the affected input fields and disallow the use of special characters to prevent malicious script code injection attacks.
3. Escape or safely encode the name parameter content in the HTML template generated on the affected BMW mailing or unique domain page.
4. Sanitize the affected name parameters in the outgoing emails passing through the BMW mail server to finally resolve the vulnerability.
5. Because the content was manipulated with a persistent vector, the internal security mechanisms should already have notified you about our interaction. Normally, when a user changes content, the page links need to be checked for malware or suspicious activity. In this case our attack was invisible to the CERT, which could assist in readjusting.

Note: https://www.vulnerability-db.com/?q=articles/2021/10/19/bmw-mail-persistent-validation-vulnerability

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the web application module is estimated as medium. The vulnerability can be used to produce malicious and malformed content to phish or exploit user session data the easy way. The targeted users cannot see that the delivered contents are not from the original BMW source. The user does not need to verify his registration, which allows the attack to be performed against other accounts in a simple way.
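Steps 2, 3 and 5 of the fix above, worked through as an added example. This is not the affected service's m.jsp code; it is a generic Python sketch of a newsletter registration handler. The greeting text follows the source excerpt above, while the function names, the name allow-list and the sample registration records are assumptions constructed for the example. The vulnerable renderer is kept beside the hardened one so the difference at the execution point is visible.

```python
"""Input validation and output encoding for newsletter name fields.

Added example, not the affected service's m.jsp code. Function names, the
allow-list and the sample registrations are assumptions; the greeting text
follows the advisory's excerpt.
"""
import html
import re
from typing import Dict, List, Optional

# Step 2: allow-list for a name field (Latin letters incl. umlauts, space,
# hyphen, apostrophe and dot, 1-64 chars). Constructed for this example.
NAME_RE = re.compile(r"^[A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u00FF' .-]{1,64}$")

# Characters that have no place in a name but do carry meaning in HTML;
# used for step 5 (review of values that were stored before the fix).
MARKUP_CHARS = set('<>"&')


def validate_name(value: str) -> Optional[str]:
    """Return the trimmed name if it passes the allow-list, else None."""
    value = value.strip()
    return value if NAME_RE.fullmatch(value) else None


def render_greeting_vulnerable(firstname: str, lastname: str) -> str:
    """The flaw as described: stored values are pasted raw into the HTML
    mail template, so a quote or angle bracket ends the text context."""
    return f"Sehr geehrter Herr Dr. {firstname} {lastname},"


def render_greeting_safe(firstname: str, lastname: str) -> str:
    """Step 3: HTML-escape at the point of output. quote=True also encodes
    the double quote, which matters if the value lands in an attribute."""
    return ("Sehr geehrter Herr Dr. "
            f"{html.escape(firstname, quote=True)} "
            f"{html.escape(lastname, quote=True)},")


def register(firstname: str, lastname: str) -> Dict[str, object]:
    """Registration handler combining both controls: reject on input (step 2)
    and encode on output (step 3), so either control alone still holds."""
    fn = validate_name(firstname)
    ln = validate_name(lastname)
    if fn is None or ln is None:
        return {"accepted": False, "greeting": None}
    return {"accepted": True, "greeting": render_greeting_safe(fn, ln)}


def find_suspicious_registrations(records: List[Dict[str, str]]) -> List[str]:
    """Step 5: review already-stored registrations and return the ids whose
    name fields contain HTML-significant characters."""
    flagged = []
    for rec in records:
        joined = rec.get("firstname", "") + rec.get("lastname", "")
        if MARKUP_CHARS & set(joined):
            flagged.append(rec["id"])
    return flagged


# Constructed sample data: one clean record and one carrying the harmless
# probe fragment that appears in the advisory's payload section.
SAMPLE_RECORDS = [
    {"id": "r1", "firstname": "Max", "lastname": "Mustermann"},
    {"id": "r2", "firstname": 'test">', "lastname": "Probe"},
]

if __name__ == "__main__":
    print(register("Max", "Mustermann"))
    print(register('test">', "Probe"))
    print(render_greeting_vulnerable('test">', "Probe"))
    print(render_greeting_safe('test">', "Probe"))
    print(find_suspicious_registrations(SAMPLE_RECORDS))
```

The two controls are deliberately independent: the allow-list stops the probe at registration time, and the escaping in the renderer keeps the template safe even for values that were stored before the allow-list existed. The review function covers that backlog, which is the gap step 5 of the fix points at.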
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is, without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses or policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com   www.vuln-lab.com   www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com   paste.vulnerability-db.com   infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab   facebook.com/VulnerabilityLab   youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)