Office Stored XSS

Georgie Yoxall Mar 2, 2018

Microsoft Office XSS

I've been wanting to share my findings on this vulnerability for a while now, but have only just gotten the chance, after 9 months of waiting to share the results.

I thought I'd blog about it as it was quite an interesting find.

Overview

I reported this vulnerability to Microsoft last year. After going through several case managers, they have now confirmed it to be patched.

Vulnerability: Cross-site scripting (Stored)
Affected: office.com
Vulnerable endpoint: office.com/1/search
Time to response: 6 days
Time to resolution: approx. 9 months

I was added to the Microsoft Hall of Fame for January 2018; the initial report was submitted on 19/04/2017.

Publication

So, let's dive into the technical issues behind this discovery.

Discovery

I was just browsing my girlfriend's EDU Office 365 account when I noticed there was a "shared with me" section where you could see files sent to you.

Each file received also had a subject and snippet section; this looked a lot like e-mail data, similar to the image below.

Fuzzing & attack

I did a bit of testing and found that one of the entry points for these "shared documents" actually originated from e-mails. They would only be displayed when an Office-related file (.docx, .xlsx, etc.) was attached to the received e-mail.

So, I sent an empty .docx (Word) file to my girlfriend's Office 365 account from my own e-mail. I set the e-mail "subject" as a simple payload.

Payload: <h1>XSS<img src=...>

And behold, it was not only received in the "shared files" area but it also executed my script on her web page, ultimately making it a unique "stored" XSS vector.

Take away

I think this vulnerability is an example of why we can't just automate fuzzing of "all the things"; there must be a human element too.

Patched:

When reviewing the impact, we should think: what if the Word file was named something generic, e.g. "Assignment" or "Brief", and was forwarded to all students? We'd essentially have affected a lot of people with the stored XSS.

Sanitise ALL foreign input, even if it is not entered directly on the site; it can still be tampered with, and you can't always validate it. That includes API data and e-mail data.
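To make that takeaway concrete, here is an added example (not code from the original post, and not Microsoft's code) of a hypothetical "shared with me" renderer in JavaScript. The unsafe version concatenates the e-mail subject and snippet straight into markup, which is the class of bug described above; the hardened version escapes every foreign field at the point of output. The entry shape, the field names and the sample e-mail subject are all assumptions constructed for this example.

```javascript
// Added example, not the original post's code. A "shared with me" entry whose
// subject and snippet come from an e-mail, i.e. from attacker-controlled input.
// The {fileName, subject, snippet} shape is a hypothetical one for this example.

// Constructed sample, modelled on the post: an Office attachment whose e-mail
// subject carries HTML markup.
const sampleEntry = {
  fileName: "Assignment.docx",
  subject: '<h1>XSS</h1><img src="x">',
  snippet: "Please see attached & reply by Friday",
};

// Vulnerable rendering: the foreign fields are concatenated straight into the
// markup, so any tags they contain become part of the page.
function renderSharedFileUnsafe(entry) {
  return (
    '<li class="shared-file">' +
    "<strong>" + entry.fileName + "</strong>" +
    "<p>" + entry.subject + "</p>" +
    "<small>" + entry.snippet + "</small>" +
    "</li>"
  );
}

// Minimal HTML entity escaping for text placed inside an element body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: every foreign field is escaped on output, regardless of
// whether it originated on the site itself, from an API or from an e-mail.
function renderSharedFileSafe(entry) {
  return (
    '<li class="shared-file">' +
    "<strong>" + escapeHtml(entry.fileName) + "</strong>" +
    "<p>" + escapeHtml(entry.subject) + "</p>" +
    "<small>" + escapeHtml(entry.snippet) + "</small>" +
    "</li>"
  );
}

// A simple regression check: the rendered fragment must not contain any
// foreign field that carries a raw tag, verbatim.
function containsRawMarkup(html, entry) {
  return [entry.fileName, entry.subject, entry.snippet].some(
    (field) => /<[a-z]/i.test(field) && html.includes(field)
  );
}

console.log(containsRawMarkup(renderSharedFileUnsafe(sampleEntry), sampleEntry)); // true
console.log(containsRawMarkup(renderSharedFileSafe(sampleEntry), sampleEntry));   // false
```

When the rendering happens in the browser rather than in a template, the equivalent fix is to assign the foreign fields with element.textContent instead of innerHTML; the string escaping above is the server-side or template form of the same rule, and the containsRawMarkup check is the kind of assertion a test suite can run over sample entries to catch a regression.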

Thanks for reading.