Microsoft Partner Service - Persistent Web Vulnerability

Document Title:
===============
Microsoft Partner Service - Persistent Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=433
http://www.vulnerability-lab.com/get_content.php?id=439

MSRC ID: 12209nj


Release Date:
=============
2012-04-13


Vulnerability Laboratory ID (VL-ID):
====================================
433


Common Vulnerability Scoring System:
====================================
4.5


Product & Service Introduction:
===============================
Official Microsoft Partner Program and Application Service. A Microsoft Certified Partner is an independent company that 
provides Microsoft-related products or services. Microsoft Certified partners provide Microsoft services on behalf of 
Microsoft worldwide spanning many fields including OEM, Education, Software providers and Technical Support. Microsoft 
partners also have 24-hour access to Microsoft Support, which enables them to give better customer relations and support 
to a customer. Every Microsoft Certified Partner has been in business for at least 5 years, has passed several tests, and 
has proven skills in their particular field. Microsoft rewards these partners with discounts in tools that are applicable 
to their activities. For example, in the educational field this might take the form of licenses to Microsoft Windows and 
Microsoft Office. In return for participation in the program, partners gain support services and tools from Microsoft, 
often at a significant discount to their face value. However, over the lifetime of the contract some risk is transferred 
from Microsoft to the Microsoft Partner Network in return for the benefits of the association with Microsoft and the ability 
to sell the support services.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Microsoft_Certified_Partner)


Abstract Advisory Information:
==============================
A Vulnerability Lab Researcher discovered a persistent web vulnerability on Microsofts official Partners Application Service.


Vulnerability Disclosure Timeline:
==================================
2012-02-11:	Vendor Notification
2012-02-00:	Vendor Response/Feedback
2012-04-10:	Vendor Fix/Patch by Check 
2012-04-14:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities are detected on Microsofts official Partner Network 
Application Service. The vulnerability allows an remote attacker or local low privileged user account to 
inject/implement malicious persistent script code (Application-Side). Successful exploitation with low 
required user inter action can result in session hijacking against admin, moderator & customer sessions or 
allows an attacker to manipulate formular content (perisstent). The vulnerability is located in 
the company or mobile phone number 
input fields with affect on the output display of the microsoft partner network service application user profile.


Vulnerable Module(s):
				[+] Company & Mobile Phone Number (Profile)
				[+] Company Name Profile Listing

Attack Scheme:
				../1(server).png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with service user account. Exploitation requires low user, moderator 
or admin inter action. For demonstration or reproduce ...


<div class="label">
<span id="displayPhoneLabel">Eingegebene Nummer:</span>
</div>
<div class="entry">
<span id="displayPhoneLabel">>"<[MALICIOUS PERSISTENT SCRIPT CODE INJECT]"></span>
</div>
</div>
<input id='countryHidden' type='hidden' value='250' />
<div class='row'>
<div class='label'>
<span id='countryRegionLabel'>Land/Region:</span>
</div>
<div class='entry'>


... or


<tr xmlns="http://www.w3.org/1999/xhtml">

<td><img alt="" src="/PartnerProgram/WebResource.axd?d=-Tv3sV_xp32BwONeW9hUQo0fFWY-RDp2Doe-qePp16cPAoXfoy546q9RX-1OFMrOxzhCO3oAeAxwhGn1p4eUC6CYSYmmUfyVtrYNLpkxj_3KbQmv0&t=634607579700584141"/>&#8203;&#8203;&#8203;&#8203;&#8203;</td><td style="white-space: nowrap;" 
onmouseout="TreeView_UnhoverNode(this)" onmouseover="TreeView_HoverNode(ctl00_ctl00_ContentMain_ContentMain_location
Hierarchy_locationHierarchyTreeView_TreeView_Data, this)" class="ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_
locationHierarchyTreeView_TreeView_6 ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_2 ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_4"><a id="ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeViewt0" onclick="TreeView_SelectNode(ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_Data, this,'ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeViewt0');TreeView_FindStyleManager
ByTreeNode(this.id).ChangeStyle(this.id);HierarchyControl_Find('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_
locationHierarchyTreeView').Select(this.id); SetSelectedValue('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_
selectedValue', this.id); EnableSelectButton('ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_selectButton');" 
href="javascript:void(0)" class="ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_5 ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_0 ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_1 ctl00_ctl00_ContentMain_ContentMain_locationHierarchy_locationHierarchyTreeView_TreeView_3">[MALICIOUS PERSISTENT SCRIPT CODE INJECT] (HQ) 
(Kassel)</a>&#8203;&#8203;&#8203;&#8203;&#8203;</td>
	</tr>


Reference(s):
				../customer-reference-label-box.txt
				../153232.txt
				../DefineOrganization.aspx.htm


Link Reference(s):
				[+] https://partners.microsoft.com/partnerprogram/DefineOrganization.aspx
				[+] https://partners.microsoft.com/PartnerProgram/CreateReference.aspx


Solution - Fix & Patch:
=======================
2012-04-10:	Vendor Fix/Patch by Check 


Security Risk:
==============
The security risk of the persistent script code injection vulnerability is estimated as medium(+).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected])


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory