Document Title:
===============
Microsoft Outlook 365 - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1513
Release Date:
=============
2018-08-07
Vulnerability Laboratory ID (VL-ID):
====================================
1514
Common Vulnerability Scoring System:
====================================
6.1
Vulnerability Class:
====================
Arbitrary File Upload
Current Estimated Price:
========================
3.000€ - 4.000€
Product & Service Introduction:
===============================
Microsoft Online Services is Microsoft's hosted-software offering and a component of their software plus services strategy.
Microsoft Online Services are hosted by Microsoft and sold with Microsoft partners. The suite includes Exchange Online,
SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live Meeting. For businesses,
the Software-plus-Services approach enables organizations to access the capabilities of enterprise software through
on-premises servers, as online services, or a combination of both, depending on specific business requirements. Services
also provide the option to add complementary capabilities that enhance on-premises server software and simplify system
management and maintenance.
Outlook.com is a free web-based email service run by Microsoft. One of the world's first webmail services, it was founded in
1996 as Hotmail (stylized as HoTMaiL) by Sabeer Bhatia and Jack Smith in Mountain View, California, and headquartered
in Sunnyvale. Hotmail was acquired by Microsoft in 1997 for an estimated $400 million and launched as MSN Hotmail, later
rebranded to Windows Live Hotmail as part of the Windows Live suite of products. The last version of Hotmail was released
in October 2011. As of mid-2011, Hotmail had 360 million users per month. It was available in 36 languages. In 2013, Hotmail
was replaced with Outlook.com, which features Microsoft's Metro design language, and closely mimics the interface of Microsoft Outlook.
It also features unlimited storage, Ajax, and integration with Calendar, OneDrive, People and Skype.
(Copy of the Vendor Homepage: https://microsoftonline.com )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote file upload web vulnerability and filter bypass in the Microsoft Outlook (365) web-application.
Vulnerability Disclosure Timeline:
==================================
2018-08-08: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Microsoft Corp.
Product: Microsoft Outlook - Web Application 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A file upload web vulnerability and filter bypass have been discovered in the official Microsoft Outlook online service web-application.
The security vulnerability allows remote attackers to inject content into the web context through an unauthorized uploaded file.
The vulnerability is located in the `upload file` POST request of the `https://dub114.afx.ms` Outlook web-server. Remote attackers
are able to upload files that pass the service's validation and are then executed by the web-server. The issue demonstrates
a broken validation mechanism: the filter can be bypassed so that malicious files are executed within the Microsoft Outlook web context.
The issue is exploitable by attackers with a low privilege application user account and without user interaction.
When the attacker sends the file to a victim, as shown in the video, clicking the picture aaa.svg opens a popup to the file
(attachment PoC); so the file which I want the victim to execute will redirect to it with a popup in the file, but the file will be
uploaded to the Microsoft server.
The security risk of the file upload web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.1.
Exploitation of the file upload web vulnerability requires a low privilege web-application user account and no user interaction.
Successful exploitation of the vulnerability results in the unauthorized upload of executable files through the Outlook application context.
Affected Request Method(s):
[+] POST
Vulnerable Module(s):
[+] upload file
Affected Domain(s):
[+] dub114.afx.ms - Outlook
Proof of Concept (PoC):
=======================
The file upload web vulnerability can be exploited by remote attackers with a low privilege web-application user account and without user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.
PoC:
https://dub114.afx.ms/att/GetInline.aspx?messageid=af737cb4-0e9e-11e5-928d-6c3be5a7dbbc&attindex=1&cp=-1&attdepth=1&imgsrc=cid%3apart25.09020904.07080207%40hotmail.fr&cid=ef89971b56dbc923&shared=1&hm__login=pentest317&hm__domain=hotmail.fr&ip=10.211.36.8&d=d4659&mf=0&hm__ts=Tue%2c%2009%20Jun%202015%2011%3a57%3a45%20GMT&st=pentest317%25hotmail.fr%407&hm__ha=01_e344e373c0e1339b49871c316909fcf000ea147583cce52bfb908f73c2a5e611&oneredir=1
https://dub114.afx.ms/att/GetInline.aspx?messageid=888b4109-0e95-11e5-a69c-00215ad7b3ca&attindex=1&cp=-1&attdepth=1&imgsrc=cid%3apart25.08010206.06090907%40hotmail.fr&cid=ef89971b56dbc923&shared=1&hm__login=pentest317&hm__domain=hotmail.fr&ip=10.211.36.8&d=d4659&mf=0&hm__ts=Tue%2c%2009%20Jun%202015%2011%3a12%3a26%20GMT&st=pentest317%25hotmail.fr%407&hm__ha=01_66499fb343d6179fbc5dbd993b5faedaa551d3f4be2c56618cf88908af12ead0&oneredir=1
ab.xml
]>
&sayhello;
--- PoC Session Logs [Header] ---
Message-ID:
Date: Tue, 09 Jun 2016 16:03:59 +0100
From: hadji samir
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: xxxxxxx
Subject: Re: test
References: <5576D43B.2050601@hotmail.fr>
In-Reply-To:
Content-Type: multipart/alternative;
boundary="------------060504070803040305080403"
This is a multi-part message in MIME format.
--------------060504070803040305080403
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
ss
--------------060504070803040305080403
Content-Type: multipart/related;
boundary="------------080505070300080303010609"
--------------080505070300080303010609
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
References:
../aaa.svg
../ab.xml
../login.htm
../nsemail.eml
../poc-video.ogv
Reference(s):
https://dub114.afx.ms
https://login.live.com/
https://login.live.com/login.srf
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=&ct=&rver=&wp=MBI_SSL_SHARED&wreply=&lc=&id=&mkt=de-DE&cbcxt=mai
Solution - Fix & Patch:
=======================
Disallow the upload of such files to the Microsoft servers. Restrict the upload function and disallow external sources.
Note: The issue was reported in 2016 Q4 and was resolved by the Microsoft developer team during 2017 Q2 - Q4.
The disclosure process of the vulnerability report took about 12 months.
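As an added example (not Microsoft's or the advisory author's code), the following Python models the server-side control the fix above calls for: deciding from the attachment bytes, never from the client-supplied file name or Content-Type, whether an upload may be rendered inline in the webmail origin, served only as a download, or refused. The header policy and all sample files are constructed assumptions for this example.

```python
"""Added example: inline-attachment policy for a GetInline-style endpoint.
Not Microsoft code; header choices and samples are assumptions."""
import re
import xml.etree.ElementTree as ET

# Markup features that make an SVG/XML attachment unsafe to render in the mail origin.
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)          # DTD / entity declarations
ACTIVE_RE = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript:|<\s*foreignObject\b",
                       re.IGNORECASE)                                   # script, handlers, HTML-in-SVG
EXTERNAL_RE = re.compile(rb"""(?:href|src)\s*=\s*["']?\s*(?:[a-z]+:)?//""", re.IGNORECASE)

def classify_attachment(data: bytes) -> str:
    """Return 'inline', 'download' or 'reject' based only on the file content."""
    head = data.lstrip()
    if head.startswith(b"\x89PNG\r\n\x1a\n") or head.startswith(b"\xff\xd8\xff"):
        return "inline"                  # raster image: rendering it executes nothing
    if not head.startswith(b"<"):
        return "download"                # unknown text/binary: never render in the web origin
    if DTD_RE.search(head):
        return "reject"                  # DTD in an attachment (as in the ab.xml PoC) is never legitimate
    if ACTIVE_RE.search(head) or EXTERNAL_RE.search(head):
        return "download"                # scripted or externally referencing SVG/XML
    try:
        root = ET.fromstring(head)       # safe to parse: DTDs were refused above
    except ET.ParseError:
        return "download"
    tag = root.tag.rsplit("}", 1)[-1].lower()
    return "inline" if tag == "svg" else "download"   # static SVG only; HTML/XML are downloads

def inline_headers(data: bytes, filename: str) -> dict:
    """Response headers for serving an uploaded attachment; raises on refused content."""
    verdict = classify_attachment(data)
    if verdict == "reject":
        raise ValueError("attachment content not allowed")
    # Normalise the client-supplied name so path fragments like '../aaa.svg' cannot leak through.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename).lstrip("._") or "attachment"
    return {
        "X-Content-Type-Options": "nosniff",                       # browser must not re-guess the type
        "Content-Security-Policy": "sandbox; default-src 'none'",  # opaque origin if opened directly
        "Content-Disposition": f'{verdict}; filename="{safe_name}"',
    }

# Constructed samples (not the advisory's files).
XXE_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY sayhello "hi">]><x>&sayhello;</x>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```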
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the Microsoft Outlook application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious, militant and racist hacker/analyst/researcher groups or individuals. We do not publish or trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks
of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™