|Product:||Microsoft Dynamics CRM 2013 SP1|
|Vulnerable Versions:||(220.127.116.11) (DB 18.104.22.168) and probably prior|
|Tested Version:||(22.214.171.124) (DB 126.96.36.199)|
|Advisory Publication:||December 29, 2014 [without technical details]|
|Vendor Notification:||December 29, 2014|
|Public Disclosure:||January 7, 2015|
|Latest Update:||January 6, 2015|
|Vulnerability Type:||Cross-Site Scripting [CWE-79]|
|CVSSv2 Base Score:||2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
|High-Tech Bridge Security Research Lab discovered a DOM-based self-XSS vulnerability in Microsoft Dynamics CRM 2013 SP1, which can be exploited to perform Cross-Site Scripting attacks against authenticated users.
The vulnerability exists due to insufficient filtration of user-supplied input passed to the “/Biz/Users/AddUsers/
To successfully exploit this vulnerability (as any other XSS vulnerability, besides stored ones) an attacker should use a social engineering technique to trick the user to insert malicious code into the above-mentioned field on the vulnerable page. Being a self-XSS, the vulnerability still remains quite useful to perform attacks against users of Microsoft Dynamics CRM that is quite secure. Below you can find the exploitation scenario applicable to any web application running Microsoft Dynamics CRM.
Using pretty simple social engineering technique attacker can trick a user to copy some “legitimate” text from a specially prepared malicious page to user’s clipboard using “Ctrl+C” or mouse, and then paste it into the vulnerable web page.
Simple exploit code bellow will display a legitimate text to the user, and then replace the text in user’s clipboard with our exploit code:
The victim will see the following text in the browser:
However, will copy and paste the following malicious payload:
Attacker then can trick then the user to paste copied buffer into the “newUsers_ledit” field on the “https://[victim_host]/[site]/
Below you can see the image with user cookies displayed in JS pop-up:
Quick video of exploitation:
|On the 31st of December 2014, Microsoft replied the following:
“MSRC does not consider self-XSS issues to be security vulnerabilities. For a discussion of how we define security vulnerabilities, see http://www.microsoft.com/
Taking into consideration the rise of successful self-XSS attacks campaigns in 2014 we do consider this issue to be a security vulnerability. As vendor refused to provide an official fix for the vulnerability, we suggest to block access to the vulnerable script using WAF or web server configuration as a temporary solution.