[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Microsoft Service - Persistent Web Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Microsoft Service - Persistent Web Vulnerabilities
- From: Research <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 14 Apr 2012 01:33:16 +0200
Title:
======
Microsoft Service - Persistent Web Vulnerabilities
Date:
=====
2012-04-14
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=433
http://www.vulnerability-lab.com/get_content.php?id=439
MSRC ID: 12209nj
VL-ID:
=====
433
Introduction:
=============
Official Microsoft Partner Program and Application Service. A Microsoft
Certified Partner is an independent company that
provides Microsoft-related products or services. Microsoft Certified partners
provide Microsoft services on behalf of
Microsoft worldwide spanning many fields including OEM, Education, Software
providers and Technical Support. Microsoft
partners also have 24-hour access to Microsoft Support, which enables them to
give better customer relations and support
to a customer. Every Microsoft Certified Partner has been in business for at
least 5 years, has passed several tests, and
has proven skills in their particular field. Microsoft rewards these partners
with discounts in tools that are applicable
to their activities. For example, in the educational field this might take the
form of licenses to Microsoft Windows and
Microsoft Office. In return for participation in the program, partners gain
support services and tools from Microsoft,
often at a significant discount to their face value. However, over the lifetime
of the contract some risk is transferred
from Microsoft to the Microsoft Partner Network in return for the benefits of
the association with Microsoft and the ability
to sell the support services.
(Copy of the Vendor Homepage:
http://en.wikipedia.org/wiki/Microsoft_Certified_Partner)
Abstract:
=========
A Vulnerability Lab Researcher discovered a persistent web vulnerability on
Microsofts official Partners Application Service.
Report-Timeline:
================
2012-02-11: Vendor Notification
2012-02-00: Vendor Response/Feedback
2012-04-10: Vendor Fix/Patch by Check
2012-04-14: Public or Non-Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
Multiple persistent input validation vulnerabilities are detected on Microsofts
official Partner Network
Application Service. The vulnerability allows an remote attacker or local low
privileged user account to
inject/implement malicious persistent script code (Application-Side).
Successful exploitation with low
required user inter action can result in session hijacking against admin,
moderator & customer sessions or
allows an attacker to manipulate requests via persistent script code inject.
The vulnerability is located on
the Company & Mobile Phone Number input fields of the microsoft partner network
service application user profile.
Vulnerable Module(s):
[+] Company & Mobile Phone Number (Profile)
[+] Company Name Profile Listing
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
../9.png
Attack Scheme:
../1(server).png
Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with service user
account. Exploitation requires low user,
moderator or admin inter action. For demonstration or reproduce ...
<div class="label">
<span id="displayPhoneLabel">Eingegebene Nummer:</span>
</div>
<div class="entry">
<span id="displayPhoneLabel">>"<[MALICIOUS PERSISTENT SCRIPT CODE
INJECT]"></span>
</div>
</div>
<input id='countryHidden' type='hidden' value='250' />
<div class='row'>
<div class='label'>
<span id='countryRegionLabel'>Land/Region:</span>
</div>
<div class='entry'>
... or
<tr xmlns="http://www.w3.org/1999/xhtml";>
<td><img alt=""
src="/PartnerProgram/WebResource.axd?d=-Tv3sV_xp32BwONeW9hUQo0fFWY-RDp2Doe-qePp16cPAoXfoy546q9RX-1OFMrOxzhCO3oAeAxwhGn1p4eUC6CYSYmmUfyVtrYNLpkxj_3KbQmv0&t=634607579700584141"/>​​​​​</td><td
style="white-space: nowrap;"
onmouseout="TreeView_UnhoverNode(this)"
onmouseover="TreeView_HoverNode(ctl00_ctl00_ContentMain_ContentMain_location
Hierarchy_locationHierarchyTreeView_TreeView_Data, this)"
class="ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_
locationHierarchyTreeView_TreeView_6
ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_2
ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_4"><a
id="ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeViewt0"
onclick="TreeView_SelectNode(ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_Data,
this,'ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeViewt0');TreeView_FindStyleManager
ByTreeNode(this.id).ChangeStyle(this.id);HierarchyControl_Find('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_
locationHierarchyTreeView').Select(this.id);
SetSelectedValue('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_
selectedValue', this.id);
EnableSelectButton('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_selectButton');"
href="javascript:void(0)"
class="ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_5
ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_0
ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_1
ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_3">[MALICIOUS
PERSISTENT SCRIPT CODE INJECT] (HQ)
(Kassel)</a>​​​​​</td>
</tr>
Reference(s):
../customer-reference-label-box.txt
../153232.txt
../DefineOrganization.aspx.htm
Link Reference(s):
[+]
https://partners.microsoft.com/partnerprogram/DefineOrganization.aspx
[+]
https://partners.microsoft.com/PartnerProgram/CreateReference.aspx
Solution:
=========
2012-04-10: Vendor Fix/Patch by Check
Risk:
=====
The security risk of the persistent script code injection vulnerability is
estimated as medium(+).
Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. Any modified copy or reproduction, including partially usages,
of this file requires authorization from Vulnerability-
Lab. Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of
other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright ©
2012|Vulnerability-Lab
--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/