2018-003: Stored XSS on Microsoft Word (Office 365)

Discovered by: Fabian Cuchietti

BACKGROUND

Microsoft Word is a word-processing program created by Microsoft and included by default in the Microsoft Office suite.

DESCRIPTION

This vulnerability allows arbitrary HTML/script code to be executed in the context of the victim user's Word application. The injected payload is stored by the application together with the affected document, so the attack persists and fires again whenever the document is used (stored XSS).

PROOF OF CONCEPT

1) Open Microsoft Word.
2) In the ribbon, click the "Insert" tab.
3) Click "Online Video".
4) A pop-up window opens.
5) In the embed-code field ("From code to insert video"), insert the attack vector: ">Click here
6) The XSS executes successfully.

When a user searches for images, Google generates a link such as the following:

https://www.google.com/url?sa=i&url=https%3A%2F%2Felpais.com%2Felpais%2F2017%2F02%2F13%2Fciencia%2F1486986287_013868.html&psig=AOvVaw32qmRyOt4_pkNDMqoVlPeb&ust=1583227169251000&source=images&cd=vfe&ved=0CAIQjRxqFwoTCOjR6_m6--cCFQAAAAAdAAAAABAE

The "url" parameter is not properly validated, so an open redirect can be exploited through it.

Only this parameter is mandatory, so the other parameters can be dropped from the GET request without affecting the result:

https://www.google.com/url?&url=

How to reproduce the vulnerability:

1. Select the malicious (destination) URL, for example:
https://www.isecauditors.com

2. Build an intermediate redirect through Google Translate so that the Google alert (redirect notice) message is not shown:

https://translate.google.com/translate?sl=auto&tl=en&u=

For example:

https://translate.google.com/translate?sl=auto&tl=en&u=www.isecauditors.com

3. URL-encode the intermediate redirect URL

A tool such as "https://meyerweb.com/eric/tools/dencoder/" can be used for this.

For example:

https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com

4. Build the final URL, which redirects to the destination without the Google alert:

https://www.google.com/url?sa=i&url=https%3A%2F%2Ftranslate.google.com%2Ftranslate%3Fsl%3Dauto%26tl%3Den%26u%3Dwww.isecauditors.com
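
The four steps above carried through in code, as an added example that is not part of the advisory. It builds the chain exactly as described (target, wrapped in translate.google.com, percent-encoded into the url parameter of google.com/url) and then shows the defensive counterpart: a function that statically unwraps such a link by following the redirector parameters (url, then u) to reveal the real destination, without fetching anything. The REDIRECTORS table, the function names, and the assumption that a bare host such as www.isecauditors.com means https are choices made for this example.

```javascript
// Added example, not code from the advisory. Redirect endpoints named in the
// advisory and the query parameter each of them follows (assumption: this table).
const REDIRECTORS = {
  'www.google.com': { path: '/url', param: 'url' },
  'translate.google.com': { path: '/translate', param: 'u' },
};

// Parse a string as a URL. A bare host ("www.isecauditors.com") has no scheme,
// so for inspection it is treated as https (assumption for this example).
function toUrl(s) {
  try {
    return new URL(/^[a-z][a-z0-9+.-]*:/i.test(s) ? s : 'https://' + s);
  } catch {
    return null;
  }
}

// Steps 1-4 of the advisory: wrap the target in translate.google.com (step 2),
// percent-encode that (step 3) and place it in the url parameter of
// google.com/url (step 4). encodeURIComponent produces the same encoding as
// the online encoder used in the advisory.
function buildRedirectChain(target) {
  const inner = 'https://translate.google.com/translate?sl=auto&tl=en&u=' + target;
  return 'https://www.google.com/url?sa=i&url=' + encodeURIComponent(inner);
}

// Defensive counterpart (e.g. for a mail gateway or link checker): follow the
// redirector parameters offline and report where a "google.com" link really ends.
function unwrapRedirect(link, maxHops = 5) {
  const hops = [];
  let current = link;
  for (let i = 0; i < maxHops; i++) {
    const u = toUrl(current);
    if (!u) break;
    const rule = REDIRECTORS[u.hostname];
    if (!rule || u.pathname !== rule.path) break;   // not a known redirector: stop here
    const next = u.searchParams.get(rule.param);     // searchParams undoes the percent-encoding
    if (!next) break;
    hops.push(u.hostname);
    current = next;
  }
  const finalUrl = toUrl(current);
  const host = finalUrl ? finalUrl.hostname : null;
  const leavesGoogle = host !== null && host !== 'google.com' && !host.endsWith('.google.com');
  return { hops, destination: current, destinationHost: host, leavesGoogle };
}

// Demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const link = buildRedirectChain('www.isecauditors.com');
  console.log(link);
  console.log(unwrapRedirect(link));
}
```

unwrapRedirect stops at the first hop that is not a listed redirector, so a google.com/url link that genuinely points back into Google reports leavesGoogle as false, while the chain built above is reported as two hops ending at www.isecauditors.com.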

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code on a targeted user's computer, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SOLUTION

Preventing XSS requires separation of untrusted data from active browser content:

  • The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.
  • Positive or whitelist server-side input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.
  • For rich content, consider auto-sanitization libraries such as OWASP's AntiSamy or the OWASP Java HTML Sanitizer Project.
  • Consider Content Security Policy (CSP) to defend against XSS across your entire site.
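
The first two bullets applied to the advisory's attack vector, as an added example that is not Microsoft's code nor part of the original advisory. It assumes a web-view component that builds an iframe from the submitted embed code (an assumption about how an "insert online video" pane might work, not Word's actual implementation): the vulnerable string-splicing pattern that the vector ">Click here breaks out of sits beside a hardened version that extracts only the iframe src, validates it against an allowlist of https hosts, and escapes it for the HTML-attribute context it is placed into. ALLOWED_EMBED_HOSTS and the function names are choices made for this example.

```javascript
// Added example, not code from the advisory or from Microsoft Word.
// Hosts a hypothetical "insert online video" pane is willing to frame (assumption).
const ALLOWED_EMBED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// Vulnerable pattern: the user-supplied value is spliced straight into a quoted
// attribute. The advisory's vector begins with "> so it closes the attribute and
// the tag, and everything after it is rendered as attacker-controlled markup.
function renderEmbedUnsafe(src) {
  return '<iframe src="' + src + '" allowfullscreen></iframe>';
}

// HTML-attribute-context escaping: every character that can end a quoted
// attribute or open a tag is replaced by its entity.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return value.replace(/[&<>"']/g, c => map[c]);
}

// Positive (allowlist) validation: take only the src of the first <iframe> in the
// submitted embed code and accept it solely as an https URL on an allowlisted host.
// Returns the normalised URL, or null when anything does not fit the allowlist.
function extractEmbedSrc(embedCode) {
  const m = /<iframe\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(embedCode);
  if (!m) return null;                                 // not an iframe embed at all (e.g. ">Click here)
  const raw = m[1] !== undefined ? m[1] : m[2];
  let url;
  try { url = new URL(raw); } catch { return null; }   // relative or malformed value
  if (url.protocol !== 'https:') return null;          // rejects javascript:, data:, http:
  if (!ALLOWED_EMBED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Hardened: never echo the submitted snippet. Rebuild the tag from the validated
// src, escaped for the attribute context. Returns null when the input is rejected.
function renderEmbedSafe(embedCode) {
  const src = extractEmbedSrc(embedCode);
  if (src === null) return null;
  return '<iframe src="' + escapeAttr(src) + '" allowfullscreen></iframe>';
}

// Demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const vector = '">Click here';               // the advisory's attack vector
  console.log(renderEmbedUnsafe(vector));      // attribute and tag broken out of
  console.log(renderEmbedSafe(vector));        // null: rejected
  console.log(renderEmbedSafe('<iframe src="https://www.youtube.com/embed/abc123"></iframe><script>alert(1)</script>'));
}
```

The hardened path rejects rather than "cleans": anything that is not an https iframe on an allowlisted host returns null, and the trailing script in the last demo line is simply never echoed because only the validated src is used to rebuild the tag. escapeAttr is kept even though a URL that survived validation cannot contain quotes, so that a later change to the validation does not silently reopen the attribute context.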

REVISION HISTORY

Feb 02, 2018

DISCLOSURE TIMELINE

  • Jun 16, 2018 : Vulnerability acquired by Internet Security Auditors
  • Jun 16, 2018 : Contact with Microsoft Security Team
  • Jun 20, 2018 : Microsoft feedback
  • Jul 07, 2018 : Vulnerability Disclosure

REFERENCES

Consult these external references for further information:

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain- and Colombia-based company and a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ICT, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, collaboration on open security projects, whitepapers, presentations, and participation in and promotion of security events. For further information regarding our security services, contact us.