Microsoft Yammer Cross Site Scripting

2013-12-13T00:00:00
ID PACKETSTORM:124416
Type packetstorm
Reporter Ateeq ur Rehman Khan
Modified 2013-12-13T00:00:00

Description

                                        
                                            `Document Title:  
===============  
Microsoft Yammer - Persistent Profile Vulnerabilities  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=978  
  
MSRC ID: 14808  
  
  
Release Date:  
=============  
2013-12-12  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
976  
  
  
Common Vulnerability Scoring System:  
====================================  
4.9  
  
  
Product & Service Introduction:  
===============================  
Yammer, Inc. is a freemium enterprise social network service that was launched in 2008 and sold to Microsoft in 2012. Yammer   
is used for private communication within organizations or between organizational members and pre-designated groups, making it   
an example of enterprise social software. It originally launched as an enterprise microblogging service and now has applications   
on several different operating systems and devices. Access to a Yammer network is determined by a user`s Internet domain, so   
only those with appropriate email addresses may join their respective networks.  
  
Yammer is a secure, private social network for your company. Yammer empowers employees to be more productive and successful by   
enabling them to collaborate easily, make smarter decisions faster, and self-organize into teams to take on any business challenge.   
It is a new way of working that naturally drives business alignment and agility, reduces cycle times, engages employees and improves   
relationships with customers and partners.  
  
Pioneered Enterprise Social Networking when we launched in 2008 Among the fastest growing enterprise software companies in history,   
exceeding over four million users in just three years. Raised $142 million in venture funding from top tier firms Used by more   
than 200,000+ companies worldwide  
  
Built social from the ground up with ‘Facebook DNA’: Facebook’s Founding President, Sean Parker serves on Yammer’s Board of Directors   
Yammer and Facebook share the same first investor, Peter Thiel; backed by Social+Capital Partnership – a fund established by former   
Facebook Vice President, Chamath Palihapitiya. More than 80 percent of the Fortune 500® are using Yammer. Leading organizations   
including Ford, Nationwide, 7-Eleven, Orbitz Worldwide, Rakuten, and Telefonica O2 have adopted Yammer.  
  
Vendor Homepage: http://www.microsoft.com  
Product Website: https://www.yammer.com  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory Research Team has discovered multiple persistent validation vulnerabilities in the Microsoft Yammer Social Network.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2013-06-14: Researcher Notification & Coordination (Ateeq ur Rehman Khan)  
2013-06-16: Vendor Notification (MSRC- Security Response Center Team)  
2013-12-11: Vendor Response/Feedback (MSRC- Security Response Center Team)  
2013-12-11: Vendor Fix/Patch (Microsoft - Developer Team)  
2013-12-12: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Microsoft Corporation  
Product: Yammer - Social Network Application 2013 Q2  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
Microsoft Yammer Social Network Service seems to be vulnerable to multiple persistent script code injection web vulnerabilities.   
The exploitation of these vulnerabilities require a low or medium user interaction. Interesting enough, the exploits get triggered   
when the Yammer Desktop Application users interact with the Yammer Social Network Website.   
  
To conduct the POC tests, the researcher created a valid network on the Yammer Social Network website, registered 2 user accounts   
and also downloaded and installed the Yammer Desktop Application, Latest build. Upon further testing, it was initially noticed that   
basic security checks are in place on Yammer website and malicious requests are being blocked / filtered in almost every input field   
however I was still able to find atleast two different fields in two separate modules of the Yammer website which are both vulnerable   
to persistent script code injection flaws.   
  
The first vulnerable field is [department_name] under the User Edit Profile Section in My Home Network. An attacker can inject   
malicious script code into this particular field and wait for victims / unaware users to view the attacker profile using their   
Yammer Desktop Application Software.  
  
The second vulnerable field is network[message_prompt] in Admin / Design and Configuration Module in External Networks. An attacker   
can inject malicious script code in the vulnerable field and wait for victims / unaware users to hover their mouse on over the Message   
Window for this particular exploit to get triggered.  
  
The first bug initially discovered on the Yammer website was a self XSS which exists in the preview feature (when a user hovers the   
mouse over a profile name, a short preview window appears). All fields inside the preview window are editable and input sanatization   
is not being performed properly and hence are vulnerable to code injection. This gave the researcher much hope in conducting further   
in depth tests to analyze the application behaviour and find more vulnerabilities. As Self XSS is not considered as a security hazard,   
I have only provided references to it in the POC Video provided along with this advisory for your review.  
  
The Yammer desktop application seems to be quite vulnerable. Using the app, the researcher was also able to find another Self XSS in   
the Topics feature. Reference is available in the POC Video provided along with this advisory. These sort of vulnerabilities can   
result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system.   
  
The security risk of the persistent web vulnerabilities are estimated as medium to high with a cvss (common vulnerability scoring system) count of 4.9(+)|(-)5.0.  
  
Successful exploitation of the vulnerability may result in malicious script code being executed in the victims browser or the Yammer   
Desktop Application resulting in script code injection, persistent phishing, Client side redirects and similar attack vectors.  
  
  
Vulnerable Service(s):  
[+] Microsoft Yammer Social Network   
Vulnerable Application(s):  
[+] Yammer Desktop Application - Latest Build - Q2 2013  
  
Bug #1  
  
Vulnerable Network(s):  
[+] My Home Network  
Vulnerable Section(s):  
[+] Edit User Profile  
vulnerable Field(s):  
[+] [department_name]  
  
Bug #2  
  
Vulnerable Network(s):  
[+] External Networks  
Vulnerable Section(s):  
[+] Admin - Design and Configuration   
vulnerable Field(s):  
[+] network[message_prompt]  
  
  
Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged web-application   
user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps   
and information below.  
  
Note: The attack scenario in this case of both perspective would look like the following ...  
  
Attacker:  
---------  
An attacker compromises a user profile, edits it and injects malicious script code within the vulnerable fields.   
  
Victim:  
-------  
The exploit gets triggered as soon as another Yammer Desktop Application user accesses the network and views the Attacker Profile.   
  
  
  
Proof of Concept: Bug #1  
  
You need 2 valid user accounts to do these POC's. In this case, the vulnerability can be exploited by low privilege application   
user account with low required user interaction. For demonstration or reproduce ...  
  
  
Attack Scenerio:  
----------------  
1. Log into your Yammer profile with a valid user account.   
2. Goto User Profile and click on "EDIT PROFILE"  
3. On the next page, from the menu on your Left, Click on "Profile"  
4. Enter the Payload in the input field called "Department"  
5. Save the External Network and log out.  
  
Victim Scenerio:  
----------------  
1. Log into Yammer using the Desktop Application Software and your Second User Account  
2. Goto "My Networks"  
3. You should now see an Adobe AIR Popup window saying "/Vulnerable/" proving the existence of this vulnerability.  
  
  
  
  
Proof of Concept: Bug #2  
  
To produce this POC an attacker needs an admin user account. In case if no external networks are created, an attacker needs   
to create a new external network or edit an existing one in case if one exists already.   
  
Attack Scenerio:  
----------------  
1. Log into your Yammer account, the one with admin priviledges.   
2. Goto "My Networks" and Click on any existing External Networks (in this case the researcher had already created an external network)  
3. On the next page, Click on "Admin" and then choose "Design and Configuration"  
4. Enter the Payload in the input field called "Message Prompt"  
5. Save the profile and log out.  
  
Victim Scenerio:  
----------------  
1. Log into Yammer using the Desktop Application Software and your Second User Account  
2. From the Top Left menu, Choose the External Network (The one you created with attacker profile)  
3. After Logging in to the external network, hover your mouse on the Message Prompt with the injected Payload.  
3. You should now see an Adobe AIR Popup window saying "/Vulnerable/" proving the existence of this vulnerability.  
  
  
POC Payload:  
A%20/><SCRIPT>alert(/Vulnerable/)</SCRIPT>  
  
  
  
Bug #1  
  
<th><label for="meta_user_users_attributes_0_department_name">Department</label>:</th>  
<td><input class="wider" id="meta_user_users_attributes_0_department_name" maxlength="255" name="meta_user[users_attributes][0][department_name]"   
size="255" type="text" value="<H1>Alsj</H1>">AjlsfasnA%20/><SCRIPT>alert(/Vulnerable/)</SCRIPT>" /></td>  
<input id="meta_user_users_attributes_0_id" name="meta_user[users_attributes][0][id]" type="hidden" value="1501443222" /> </tr>  
  
  
Bug #2  
  
<label for="network_name">Message Prompt:</label>  
<input class="super-wide" id="new_message_prompt" maxlength="62" name="network[message_prompt]" size="62" type="text"   
value="A%20/><SCRIPT>alert(/Vulnerable/)</SCRIPT>" />  
  
  
Solution - Fix & Patch:  
=======================  
Proper input sanitization should be performed in the application source code on both, website and the desktop application end in order to   
filter all malicious script code tags to mitigate any further risks associated with these vulnerabilities.   
  
  
Security Risk:  
==============  
The security risk of this persistent script code inject web vulnerabilities are estimated as medium(+)|(-)high.  
  
  
Credits & Authors:  
==================  
[Vulnerability Laboratory] (Core Research Team) - Ateeq ur Rehman Khan (ateeq@evolution-sec.com)  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases   
or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com  
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other   
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and   
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),   
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.  
  
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]  
  
  
  
--   
VULNERABILITY LABORATORY RESEARCH TEAM  
DOMAIN: www.vulnerability-lab.com  
CONTACT: research@vulnerability-lab.com  
  
`