A researcher in the UK disclosed the details of a serious cross-site scripting vulnerability in Office 365 that would allow an attacker with a mailbox on Office 365 to gain administrator rights over the Microsoft Web-based application in an organization.
An exploit in an enterprise environment would put email and SharePoint data at risk and could also give a hacker the ability to change Office 365 configuration settings, said researcher Alan Byrne, cofounder of Cogmotive, a business process automation firm in London.
“It was able to be exploited from any web browser, from any internet connected device,” Byrne told Threatpost, adding that an attacker could do so with just a few lines of JavaScript.
Byrne said he reported the vulnerability to Microsoft on Oct. 16 and was informed that the issue was resolved by Dec. 19 when Microsoft rolled out the fix to its online service.
“I believe this makes it a really large vulnerability, as in most companies everyone has a mailbox including interns, part time support staff, contractors and third-party service providers,” Byrne said. “If any of these people had malicious intent they could have used this exploit to gain access to the email correspondence of anyone else in the company including the CEO or looked into the SharePoint document libraries of any department.”
Byrne said in a post to his company’s blog that the vulnerability was introduced into Office 365 in its latest update, called Wave 15, which was completed in November. A number of new features were built into Office 365, including more storage, mobile access for iOS devices and offline access to Outlook Web App. Byrne said he found the bug in the Office 365 Administration Portal.
“At its core the exploit uses a simple Cross Site Scripting vulnerability in the Microsoft Office 365 Administration portal. The portal was not correctly escaping user and mailbox information which it read out of Windows Azure Active Directory,” he said. “In this case, it was possible to modify the Display Name of a user account to include an XSS payload which was then executed in the browser of an administrator when they viewed a list of all users in the Office 365 portal.”
Like many other Web applications, Office 365 relies on JavaScript and uses the jQuery library, which Byrne said made it simple to write a cross-site scripting attack that would call and load a malicious JavaScript file from a remote server. Using legitimate credentials for a standard user account in Office 365, Byrne said he was able to modify his display name and replace it with a XSS string that loaded the malicious remotely stored file
“Now that my display name contains the payload, we just need to wait for an Administrator to log into the web portal to do some business- as-usual user administration,” Byrne said. “The Administrator doesn’t have to click any links for the payload to be executed, they merely have to load up the user administration page.”
The exploit he wrote carries out two functions. First, it creates a new global administrator account in the company’s Office 365 environment; Byrne said that in a large company, such a tactic will likely succeed because new accounts are likely to blend in and essentially hide in plain sight.
“The function appends an iFrame which is zero pixels wide and zero pixels high to the Office 365 administration web page. It is effectively invisible to the Administrator whose account is being attacked,” he said. “Inside this iFrame we load up the Create User page and use jQuery to fill in all the form fields, select the type of Administrative account we wish and request that the initial password be sent to my email address.”
Once the hacker receives his new Office 365 credentials, he’s off and running, free to make configuration changes, read email, copy and steal SharePoint data and more, putting not only personal information at risk, but intellectual property.
The second part of his exploit’s payload, he said, keeps the attack quiet.
“It loads another zero by zero pixel iFrame but instead modifies my user account to change the display name back to its original value,” Byrne said. “By the time the administrator sees the XSS payload, it’s too late and it has already been executed. If the administrator refreshes the administration page or clicks on the user account to investigate further, the display name will appear normally. Most Windows Administrators I know would put it down to ‘internet gremlins’ and pretend they didn’t see it.”
Ironically in November, Microsoft beefed up its encryption capabilities in Office 365, announcing a new service called Office Message Encryption that Microsoft said will simplify email encryption for users. Microsoft is expected to have the service rolled out this quarter.
