Office 365 - Account Hijacking Cookie Re-Use Flaw, extended
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Office 365 - Account Hijacking Cookie Re-Use Flaw, extended
- From: "Oei, Géry" <geryoei@xxxxxxxxxx>
- Date: Thu, 27 Feb 2014 08:17:31 +0100
Title:
Office 365 - Account Hijacking Cookie Re-Use Flaw, extended
Vendor:
- Microsoft
Products affected:
- Office 365 E3 package (version as of February 22nd, 2014)
- SharePoint Online Services
Abstract:
The well-known account hijacking through cookie re-use flaw was originally
reported in July 2013 by Prof. Sam Bowne and discussed in several forums:
http://www.networkworld.com/community/blog/hijacking-office-365-and-other-major-services-cookie-re-use-flaw
http://thehackernews.com/2012/12/hotmail-and-outlook-cookie-handling.html
http://www.klocwork.com/blog/software-security/cookie-reuse-flaw-exposes-users-of-office-365-other-web-services/
Not only has the original vulnerability not been closed as of this report,
there is a further serious impact when trying to defeat it:
- Changing the user's password does not invalidate the stolen cookie
- Blocking the account (user lockout) does not work either
This allows an attacker to hijack the user account for at least 23 years, until
the account has been deleted completely.
Steps to reproduce:
* Prerequisites:
- Office 365 account (E3 package with SharePoint Services)
- As malicious system: Windows OS client with Internet Explorer 9 to 11 or
Firefox 25+ (other OSes and browsers not yet tested); cookies must not be
deleted upon closing the browser.
- Only password authentication used (default)
* Preparation steps:
1) The user logs on to Office 365 from an untrusted device (e.g. an Internet
café) via the official Microsoft online portal login.onmicrosoft.com with the
setting "keep me signed in".
2) The user now navigates to one of his permitted team websites on SharePoint
Services, e.g. replacethiswithyourtestsite.onmicrosoft.com
3) The user now leaves the untrusted device by shutting down the computer,
closing the browser, or just logging off from the OS only, while
a) not logging off from the Microsoft portal properly
b) and not clearing his cookies
* Well-known first part - cookie re-use flaw:
4) A malicious user (Eve) can open the (confidential) SharePoint URL simply by
re-using the cookie.
5) From a valid SharePoint Online Services session all other services can be
accessed (OWA, SkyDrive, etc.) while their credential cookies are refreshed.
* The flaw extension - the attacker cannot be locked out:
6) If the user becomes aware of the mistake, or a misuse is detected, the user
might change his password or have the administrator reset the user's
password, or
7) the administrator might decide to block the account from connecting using
the OAC.
8) In both cases the stolen cookie is still accepted (see steps 4 to 5).
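As an added example (not part of this advisory and not Microsoft's implementation), the following Python models the server-side behaviour that would close steps 6 to 8: the signed cookie carries a per-account security stamp that is rotated on every password change, and validation also checks the lockout flag, so a cookie left on the untrusted device stops working. The account, server key and cookie format are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # constructed for the example; use a managed secret in practice

class Account:
    def __init__(self, username, password):
        self.username, self.locked = username, False
        self.set_password(password)

    def set_password(self, password):
        self.password_hash = hashlib.sha256(password.encode()).hexdigest()  # toy hash; use a slow KDF for real
        self.security_stamp = secrets.token_hex(8)  # rotating this invalidates every cookie issued so far

class SessionStore:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def issue_cookie(self, account):
        payload = f"{account.username}|{account.security_stamp}"  # stamp current at issue time
        sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{sig}"

    def validate_cookie(self, cookie):
        """Return the username if the cookie is still acceptable, else None."""
        try:
            username, stamp, sig = cookie.split("|")
        except ValueError:
            return None
        expected = hmac.new(SERVER_KEY, f"{username}|{stamp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered cookie
        account = self.accounts.get(username)
        if account is None or account.locked:
            return None  # deleted or locked-out account (step 7)
        if stamp != account.security_stamp:
            return None  # password changed after the cookie was issued (step 6)
        return username

def replay_scenario():
    """Replay steps 4 to 8 of the advisory against this model; returns the three outcomes."""
    alice = Account("alice", "old-password")
    store = SessionStore([alice])
    stolen = store.issue_cookie(alice)            # "keep me signed in" cookie left on the untrusted device
    before = store.validate_cookie(stolen)         # steps 4-5: the replay is accepted
    alice.set_password("new-password")             # step 6: user or admin changes the password
    after_change = store.validate_cookie(stolen)   # step 8 should now fail ...
    alice.locked = True                            # step 7: administrator locks the account
    after_lock = store.validate_cookie(stolen)     # ... and keep failing
    return before, after_change, after_lock
```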
Vendor response:
- The issue has been reported to Microsoft in several ways:
- Ticket 1235308167 (Microsoft support USA)
- Ticket 201402160322129434 (Microsoft Partner Support Germany)
- Ticket 114021011169872 (Microsoft Office Online User Support Germany)
- No solution has been offered so far, but the issue was acknowledged by
Microsoft Partner Support Germany.
Workarounds:
- For forensic reasons it might not be recommended, but at this time I don't
see any other solution: the only way is to delete the attacked account
completely.
- This is congruent with the workaround Microsoft offers as a solution in
its online forum.
O.E.I.-Beratung
Géry Oei
Tersteegenstr. 9
42579 Heiligenhaus
Germany