A Tour of Office 365, Azure & SharePoint, through the Eyes of a Bug Hunter

by

Dr.-Ing Ashar Javed

#1 in Microsoft’s Top 100 Security Researcher List - 2018

@

Responsible Disclosure

All bugs're reported in a responsible manner at first.

 

Further, the slides have been shared with Microsoft almost a week before this presentation and I am thankful to Jarek Stanley (Microsoft Security Response Center) for reviewing slides in a detailed manner and to support this Coordinated Vulnerability Disclosure

This was the kicking point ...

published on June 19, 2016 by @nilesh_loganx

Cross-Site Scripting (XSS)

Office 365 is a success story of Microsoft on an ongoing basis ...

"Security is built into the heart of Microsoft 365"

Rachel Card (@rachelcard) Chief of Staff @Microsoft Devices during Microsoft Ignite 2017 keynote talk

Manpower

As part of our investments ....

 

"We also employed dedicated teams of pentesters to find & fix security vulnerabilities"

 

Chang Kawaguchi, Group Engineering Manager Office 365 Security

Office 365 Red Team

 

"It is an internal team of hackers focus on protecting office 365. The team is composed of professionals with variety of different backgrounds (developers, testers and network specialist ). Some from inside of Microsoft, some from Govt, others from private industry. "

Travis Rhodes (@travisrhodes), Senior Security Lead

 

"Red team job is to find unknown UNKNOWNS" Matt Swann

Security Teams

 

*PROTECT (SharePoint & OneDrive Security Team)

 

*Vulnerabilities & Mitigation Team (An engineering team behind MSRC)

 

*Office 365 Pentesting Team

 

Software Itself ...

Office 365 is a security-hardened service, designed following the Microsoft Security Development Life-cycle, a mandatory Microsoft process that embeds security requirements into every phase of development.

"Data is the most important asset in your organization. Security occurs around data. We're building a boundary around data. Data loss is non-negotiable. It's not something that you can buy back.

 

From DAY 1, your data is protected without having to turn one NOP or flip one switch inside Office 365 through our investments in our platform security. We have platform security from DAY 1 to protect your data. We got multi-layered approach to keeping you secure".

by Bill Baer @ Microsoft Ignite 2018

O365 Platform Security

"SharePoint is growing faster than ever..."

This sounds challenging given Microsoft takes security seriously (at least the data from earlier slides suggest) while at the same time millions of users are actively using Office 365 -- Microsoft's flagship product. On top of that, Microsoft is offering Bug Bounty Programs.

XSS: "It's a hard problem"

by @jvehent

Microsoft's Bug Bounty

As per Microsoft Security Response Center (MSRC) "The program rewards researchers for sharing eligible vulnerability reports. Security researchers help Microsoft address cyber threats to secure billions of end points that protects millions of our customers around the world."

Microsoft Bounty Program

I participated only in Microsoft Cloud Bounty Program. It is previously known as Office 365 and Azure Bug Bounty program.

MSFT Cloud Bounty Program's Scope

Reward ($500 up to a maximum of $15,000)

Participation in the Microsoft's cloud bug bounty program ends up in ...

#21 in MSRC Top 100 - 2017

#1 in MSRC Top 100 - 2018

The Making of the Top 100 Researcher List

Fixed Cases b/w July 1, 2017 to June 30, 2018 +

Security Impact +

Severity

 

#1 in Q3 Top 5 Bounty Hunters

#1 in Q4 Top 5 Bounty Hunters

31 times listed in Security Researcher Acknowledgments for Microsoft Online Services

34 CVEs have been released in 2018 as of now ...

7 CVEs have been released in 2017

Talk has two sections ...

* Generic Observations

* Real Findings

 

Those who participates or will participate on a regular basis in Microsoft's bug bounty programs, they had or will experience these generic observations.

I hope MSRC will listen ...

The three P's of participation in a Microsoft Bounty Program ...

1) Pain
2) Patience
3) Paisa/Peso

Types of Pain

Pain of managing bugs reporting via email.

 

One can report a bug to Microsoft only via secure@microsoft.com

 

Inbox & Sent Looks like ...

8,4,7,19,2,5,8,9,12,3,2,10 an 7 ... You have to keep in mind all the time what is happening in individual email threads ...

I am not advocating for @Hacker0x01 and @Bugcrowd.

Pain of managing bounty invoices given no payment central system provided by Microsoft that list all your valid cases along with bounty award

 

Tavis Ormandy (@taviso) said

Pain of writing an update email or asking for an update all the time given Microsoft is mostly reactive, not proactive.

The Stupid Email i.e., `Any update?`

Pain of abandoned case(s)  given `staffing change` and/or extended absence.

 

A case manager is a person who acts as a focal person for all the communication b/w you as a bug submitter and product/engineering teams. A case manager relay all the messages on a given email thread.

Pain of figuring-out a CVE against a case number.

For on-premise (SharePoint), a CVE released against a child case number instead of a parent case number.

One good example

I wish this happens to all CVE(s)

Case 40606 was created internally. The original bug report has a case number 40509.

Pain of adding `I hereby positively acknowledge the terms of bug bounty program` in every bug report, otherwise your bounty will be delayed ...

Otherwise ... one more email

Patience

MSRC Case 38809

MSRC Case 40373

MSRC Case 39564

If you can bear all the pain and have patience, please participate in MSFT's bug bounty programs. Good Luck.

"It was well worth it for me for last two years in particular. I am done for now as a regular and frequent submitter".

"... was like a storm. But storms, they can come back. Can't they? The question is, if they come back, is it the same storm, or has something changed?" Prison Break

Paisa/Peso

Minimum bounty payout is 500 USD for a valid in-scope report which is not bad.

For #XSS, I had received...

Minimum per case: 500 USD

Maximum per case: 5025 USD

 

SharePoint Bounties

MSRC Case 34753

I came across ...

Behind the Scene ... Click Logic of `Agree` Button

<script>
    (function(global, $, undefined) {
        "use strict";

        $(function() {
            var fismaContainer = $("#fisma-container");

            fismaContainer.find(":button").click(function() {
                // Disable any buttons after they are clicked (only allows them to be clicked once)
                fismaContainer.find(":button").prop("disabled", true);
            });

            // Handle the clicking of the agree button
            fismaContainer.find(".agree-button").click(function() {
                global.location.href = "CAN BE USER CONTROLLED VIA returnUrl GET PARAMETER";
            });

            // Handle the clicking of the disagree button
            fismaContainer.find(".disagree-button").click(function() {
                global.location.href = "https://account.windowsazure.com/Home/Logoff?returnUrl=https%3a%2f%2faccount.windowsazure.com%2f";
            });
        });
    })(this, jQuery);
</script>

What if

 

https://account.windowsazure.com/Fisma?returnUrl=javascript:alert(1)

global.location.href="javascript:alert(1)";

Fix

global.location.href = "https://account.windowsazure.com/Subscriptions";

MSRC Case 37771

I came across ...

At the time of Registering a New Connector ...

Now a new connector form has been changed slightly and is available at  https://outlook.office.com/connectors/home/login/#/new

The XSS payload comes from `Redirect URLs` ... (Source)

https://www.ANYVALIDURL.com'-confirm(document.domain)-'

Sink: `CopyToClipboard()` fires on `onclick` event

Fast forward three months ...

MSRC Case 39228

Some User Interface Changes in the New Connector form ... The new sink is now `Copy Code` button

The XSS payload comes from `Redirect URLs` ... (Source)

https://www.ANYVALIDURL.com?'-confirm(document.domain)-'

Source Code behind `Copy Code` looks ...

<input id="copy_btn2" 
title="Copy Code" 
value="copy" 
class="copy_codeImage" 
src="/connectors/Content/Images/copy-code.png"
style="margin-right: 0px" 
onclick="CopyCodeToClipboard('webhookUrl', 
'<a href=&quot;https://outlook.office.com/connectors/Connect?state=myAppsState
&amp;app_id=23ef489c-73f1-4236-b7d3-6651f7085b19&amp;
callback_url=https://www.ANYVALIDURL.com?'-confirm(document.domain)-'
&quot;><img src=&quot;https://o365connectors.blob.core.windows.net/images/ConnectToO365Button.png&quot; alt=&quot;Connect to Office 365&quot;></img></a>', this)" 
type="image">

Video PoC

You can only add letters, numbers, and the following special characters: underscore, dash, single quotes and period (_, -, ', .).  

OR

Your user ID can contain only letters, numbers, periods, hyphens, and underscores. The ID can't contain spaces, special characters, or accented letters.

Rules for Email Address Creation in Office 365

MSRC Case 44532

I will omit some details (e.g., problematic POST request and respective parameter) given Microsoft said fix is not yet complete.

Sink

Contact Details Web Part in SharePoint

Vulnerable Code Looks Like

<div id="ctl00_ctl33_g_c68d5984_ee44_4ebd_ac06_d0d7e87bbd97">
	<table style="width:100%;">
		<tr>
			<td valign="top"></td><td valign="top"><SPAN><span class='ms-imnSpan'>
<a href='#' onclick='IMNImageOnClick(event);return false;' class='ms-imnlink'>
<span class='ms-spimn-presenceWrapper ms-imnImg ms-spimn-imgSize-10x10'>
<img title='' alt='' name='imnmark' 
class='ms-spimn-img ms-spimn-presence-disconnected-10x10x32' src='/_layouts/15/images/spimn.png' 
showofflinepawn='1' sip=''-prompt`2`-'@iamcompany.onmicrosoft.com' 
id='imn_contactctl00$ctl33$g_c68d5984_ee44_4ebd_ac06_d0d7e87bbd97,type=sip' 
onload="var _This = this; SP.SOD.executeFunc('portal.js', 'QueuePopulateIMNRC', 
function(){QueuePopulateIMNRC(''-prompt`2`-'@iamcompany.onmicrosoft.com',_This);});" />
</span></a></span></SPAN><img alt="" height=1 width=3 src="/_layouts/15/images/trans.gif"></td>
<td class="ms-vb" valign="top" style="width:100%;"><div class='ms-vb'>
<a href="https://iamcompany-my.sharepoint.com:443/Person.aspx?accountname=i%3A0%23%2Ef%7Cmembership%7C%27%2Dprompt%2D%27%40iamcompany%2Eonmicrosoft%2Ecom">testuser</a></div></td>
		</tr>
	</table>
</div>

Work/Office phone as an attack vector

MSRC Case 40671

`Work phone` property (Source)

Office 365 Video Portal (Sink)

Display Name property of a user in O365 is GOLDMINE ...

Why tenant admin will change your display name as an XSS vector?

 

The URLs like

https://portal.office.com/AdminPortal/Home#/homepage OR

https://portal.azure.com OR https://admin.microsoft.com/AdminPortal/Home#/homepage

are under control of a user having an admin privileges ...

 

I found ...

MSRC Case 37501

Office 365 (Word, Excel, PowerPoint & OneNote) offers real time Chat experience with co-editors or co-authors ...

Chat User Interface appears only if you share

What if Display Name is ...

'"></title></script><img src=x onerror=confirm(/udisplayname/)>

Word Online

Excel Online

PowerPoint Online

OneNote Online

MSRC Case 37603

MSRC Case 44864

File ---> Share ---> Embed

`Always start with this cell selected:` caught my attention because of default use of single quotes around sheet name ...

The complete URL looks ...

ActiveCell GET parameter is of our interest ...

Source Code looks like ...

The <iframe> tag's src attribute is making use of double quotes so we need double quote to break the context.

The payload like "onload="confirm(document.domain)"

should do the job.

Fix (URL encoding has been applied as part of src attribute of <iframe> tag)

"XXXX'XXXX</XXXX was probe string

MSRC Case 43150

POST /Ucc/DDI/DDIService.svc/GetObject?... HTTP/1.1
Host: protection.office.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://protection.office.com/Ucc/Pickers/SharepointSitePicker.aspx
X-Requested-With: XMLHttpRequest
Content-Type: application/json; charset=utf-8
Content-Length: 226
Cookie: ...
...
...
...
Connection: close

{"identity":
{
 "RawIdentity":"https://<SharePoint URL>?</script><img src=x onerror=confirm(1)>",
 "DisplayName":"https://<SharePoint URL>?</script><img src=x onerror=confirm(1)>"
}
}

RawIdentity POST parameter is culprit

Office 365 offers real-time Query Suggestions/Recommendations

MSRC Case 44552

As I said earlier Display Name is a goldmine ...

MSRC Case 37980

Main Page of SharePoint ...

Search in SharePoint is culprit because it tries to auto-populate what's happening in SharePoint ...

If in SharePoint, any project title, site name, page name and etc holds an XSS payload, this makes the main search in SharePoint vulnerable to XSS ... and it works across different users because of federated nature ...

MSRC Case 33926

Organization `Name` in portal.office.com makes every page of  portal.azure.com vulnerable to XSS ...

 

Exploitable only in case of multiple admins and this is common in case of a distributed organizations...

MSRC Case 39496

One URL https://www.yammer.com/<tenant name goes here >.onmicrosoft.com/admin/usage_policy one can set a policy (allows use of some HTML tags) and thereafter every user will see it at the time of sign-up or as a reminder in the side-bar of the main page of Yammer....

MSRC Case 44393

Video PoC (Office 365 Groups)

<input value="Go to group" 
onclick=
"window.location.href='https://outlook.office365.com/owa/?path=/group/zzz'-prompt`1`-'zzzz@iamcompany.onmicrosoft.com/mail'; 
this.disabled = true" style="height: 30px;width: 100px; border: 1px solid #0072C6; 
font-weight: bold; color:white; font-size: 12px; 
line-height: 12px; background-color: #0072C6;" <="" input="" type="button">

MSRC Case 37615

MSRC Case 37847

SPUrl GET parameter was vulnerable

Click on `Go back to the SharePoint site for now` results in JavaScript URI execution. The attack payload is part of SPUrl GET parameter.

MSRC Case 37487

Display Name and O365 Group Name are source of this XSS (video PoC)

Isn't all these XSS looks simple at the end of day? but

don't forget about all the manpower of Microsoft, software itself is based on secure development life cycle, thousands of bug hunters around looking at their properties ...

I found these all ...I hope this will inspire others to join the hunt.

"Simple is not synonymous for easy"

Stephane Castellani

Steve Jobs

The story of XSS will continue in the years to come ...

I highly encourage you to go for XSS hunt in Office 365 and please share your story ...

I am grateful to Cameron Vincent (@SecretlyHidden1) for reviewing these slides from his experiences.

 

He is at No. 4 in the Microsoft's Top 100 security researcher list of 2018.

Feedback

MSRC team members were present during the talk and it is good to see their feedback after the talk in the form of tweets ...