____      ____     __    __
                 /    \    /    \   |  |  |  |
    ----====####/  /\__\##/  /\  \##|  |##|  |####====----
               |  |      |  |__|  | |  |  |  |
               |  |  ___ |   __   | |  |  |  |

------======######\ \/ /#| |##| |#| |##| |######======------
\/ || || \__/

                Computer Academic Underground
                    http://www.caughq.org
                      Security Advisory 

===============/========================================================
Advisory ID: CAU-2008-0002
Release Date: 04/08/2008
Title: Microsoft Windows SharePoint Services Picture Source XSS
Application/OS: Microsoft Windows SharePoint Services 2.0
Topic: A stored Cross Site Scripting (XSS) attack is possible
in Microsoft SharePoint Services 2.0 via picture object
source when adding a picture object to a page.
Vendor Status: Not Notified
Attributes: XSS, Web Service, Microsoft Tuesday
Advisory URL: http://www.caughq.org/advisories/CAU-2008-0002.txt
Author/Email: OneIdBeagl3 <oneidbeagl3 (at) caughq.org>
===============/========================================================

Overview

A stored XSS vulnerability exists in Microsoft Windows SharePoint
Services 2.0 where a malicious user can bypass sanitization and inject
javascript into a web page they are editing. Under normal circumstances,
SharePoint does not permit users to include javascript in any submitted
content.

Impact

If javascript is enabled in a user's browser, when the user views the
page, the javascript will be executed. As a result, an attacker could
potentially steal credentials and takeover the browser or machine of any
user who views the page.

Affected Systems

Microsoft Windows Share Point Services 2.0

Technical Explanation

The string below is not properly sanitized when the web page is saved
after adding a picture using the application's text editor:

    """></P></div></td><script>alert("bingo");</script>

The text between the script tags will be injected into the page upon
each successful edit and save operation, after the page is initially
saved. On initial testing, there did not appear to be a size limit for
javascript text that could be injected. The string must also use all
double quotes when quotes are needed.

Solution & Recommendations

Unless editing web pages in SharePoint 2.0 is necessary, disable this
feature. If the feature is necessary, ensure users must authenticate to
a service before giving them the privilege to create or edit pages, and
only afford users the privileges if they need to create or edit pages.
This practice will help leave an audit trail to determine which account
was used to create a malicious web page if an incident takes place.

Exploitation

===============/========================================================
Steps to inject the javascript attack:

1) Log-in as a user that has enough privileges to create a web page.

2) In the web page on the top toolbar click on Create.

3) Under the 'Web Pages' section, click on 'Basic Page.'

4) Pick a web page name and click the create button.

5) In IE 7, an Edit Content Link appears in the upper right hand corner.
Click on it and it should open up a "Rich Text Editor – Webpage
Dialog" window.

6) Add a picture to the page, and in the 'Picture Source' enter the
following:

 """></P></div></td><script>[your javascript here]</script>

7) Save the content, and then click 'Edit Content' again and save it.
Now the javascript is embedded in the page. Also, each time the page
is edited and saved, the javascript is duplicated in the page.

Credits & Gr33ts

CAU & HDM

–
I)ruid, C²ISSP
[email protected]
http://druid.caughq.org