<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div style="font-family: Verdana;font-size: 12.0px;"> <div style="font-family: Verdana;font-size: 12.0px;"> <div> <div style="border-bottom: solid rgb(237,125,49) 1.0pt;padding: 0.0in 0.0in 2.0pt 0.0in;">
<h1>Office 365 Security</h1>
<h1>SharePoint Site User Enumeration</h1>
</div>
<h2>Category</h2>
<p>Insecure direct object reference</p>
<p> </p>
<h2>Synopsis</h2>
<p><a href="https://products.office.com/en-us/sharepoint/collaboration" target="_blank">SharePoint</a> is a web-based, collaborative platform that integrates with Microsoft Office. Among other features, it allows corporate users to share content with third parties, either via third-party invites or anonymous links.</p>
<p>SharePoint allows such third parties to list the usernames associated with a particular site collection. This broad enumeration is possible even if the attacker is allowed to access only very limited site content, such as a single document.</p>
<p>In the extreme case, the attacker can acquire a list of all of the customer's internal users and their SharePoint partners, which would facilitate both customer-wide and targeted phishing and other social-engineering attacks, impersonating either the corporate customer or one of its partners.</p>
<p>Such disclosure can also represent legal exposure and business confidentiality risks for SharePoint customers.</p>
<p> </p>
<h2>Technical Details</h2>
<p>By design, SharePoint provides functionality to access user information associated with content published on a site.
However, this feature appears to be intended solely for regular corporate users of the site, not for third-party guests with limited access.</p>
<p>The initial HTTP request is:</p>
<p class="Technical" style="margin-left: 40.0px;"><a href="https://somecustomer.sharepoint.com/sites/somesite/_layouts/15/userdisp.aspx?ID=ParamA" target="_blank">https://somecustomer.sharepoint.com/sites/somesite/_layouts/15/userdisp.aspx?ID=ParamA</a></p>
<p>where ParamA is some integer value. The request results in a 302 redirect to another of the customer's sites:</p>
<p class="Technical" style="margin-left: 40.0px;"><a href="https://somecustomer-my.sharepoint.com/Person.aspx?accountname=ParamB" target="_blank">https://somecustomer-my.sharepoint.com/Person.aspx?accountname=ParamB</a></p>
<p>where ParamB is the result of resolving the site-collection-specific ordinal ParamA to a structured string that includes the corresponding username:</p>
<p class="Technical" style="margin-left: 40.0px;">i:0#.f|membership|someuser@xxxxxxxxxxxxxx</p>
<p>Following this first HTTP redirect results in another 302 redirect to authenticate the user:</p>
<p class="Technical" style="margin-left: 40.0px;"><a href="https://somecustomer-my.sharepoint.com/_layouts/15/Authenticate.aspx?Source=ParamC" target="_blank">https://somecustomer-my.sharepoint.com/_layouts/15/Authenticate.aspx?Source=ParamC</a></p>
<p>where ParamC is the URL of the second request.</p>
<p>The core weakness in the flow is that this user-information retrieval sequence is intercepted only at the second request, while the first request succeeds as long as it includes cookies acquired by exercising third-party access to some content in the given site collection.
Even an anonymous, view-only link to a single shared file suffices.</p>
<p>In other words, the resolution of simple ordinals (ParamA) to actual identities (ParamB) happens prematurely, before the access controls divert the chain of HTTP redirects.</p>
<p>Submitting the first request without any cookies, or with cookies belonging to an unrelated SharePoint customer, results in immediate authentication interception, so the result of the username resolution is not revealed.</p>
<p> </p>
<h2>Exploitation</h2>
<p>This weakness is exploitable as a classic insecure direct object reference. An attacker first accesses some shared content and preserves the acquired cookies. The attacker then uses those cookies to submit a series of requests for userdisp.aspx, iterating through integer values of ParamA either randomly or sequentially and harvesting the resolved usernames.</p>
<p>Valid ordinals in ParamA appear to be assigned sequentially, starting with single digits, so the parameter space has minimal entropy and the enumeration is highly efficient. The attack can also be parallelized because the submitted requests are independent of each other (for example, there is no per-request CSRF token that would force them to be sequential).</p>
<p>No volume throttling or other mitigations have been observed.</p>
<p> </p>
<h2>Microsoft Response</h2>
<p>Sharing a SharePoint document link with a third party "<em>implies a certain degree of trust, the product team will not be modifying the current behavior in a security update, as this behavior is considered 'by-design'</em>".</p>
<p> </p>
<h2>Timeline</h2>
<p class="Timeline">February 5, 2018 Issue identified and documented</p>
<p class="Timeline">February 6, 2018 Report submitted to Microsoft via secure@xxxxxxxxxxxxx</p>
<p class="Timeline">February 7, 2018 Report acknowledged by Microsoft, case number assigned</p>
<p class="Timeline">February 14, 2018 First status update request sent to Microsoft.
Microsoft advised that the "SLA" is March 23.</p>
<p class="Timeline">March 20, 2018 Microsoft requested an HTTP trace</p>
<p class="Timeline">March 21, 2018 Sanitized HTTP trace and evidence of a successful enumeration attack provided to Microsoft</p>
<p class="Timeline">March 26, 2018 The previously stated deadline expired without any communication. New status update request sent to Microsoft.</p>
<p class="Timeline">March 28, 2018 Microsoft confirmed the issue and requested postponement of public disclosure.</p>
<p class="Timeline">April 13, 2018 Status update request sent to Microsoft</p>
<p class="Timeline">April 17, 2018 Microsoft sent a note about ongoing discussions on how best to address the issue.</p>
<p class="Timeline">May 22, 2018 Status update request sent to Microsoft</p>
<p class="Timeline">May 25, 2018 Microsoft stated that this is "by-design" behavior, not warranting further action.</p>
<p class="Timeline">May 28, 2018 Public disclosure</p>
<p class="Timeline"> </p>
<h2>License</h2>
<p>This document is © 2018 pzpcve</p>
<p>The document content is licensed under a <a href="https://creativecommons.org/licenses/by/4.0/legalcode" target="_blank">Creative Commons Attribution 4.0 International license</a></p>
<p> </p>
</div> <div> </div> <div class="signature"> </div> </div> </div></div></body></html>
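A defender-side example added here, not part of the advisory or of SharePoint itself: detection logic for the ordinal sweep of userdisp.aspx described in the Exploitation section, run over constructed access-log lines. The one-line log format, the session keys and the threshold are assumptions; real IIS or proxy logs need their own field extraction.

```python
# Added example (not the advisory's code): flag the userdisp.aspx ordinal sweep in
# access logs. Log format "<ISO time> <client key> <path>", keys and threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

WINDOW = timedelta(minutes=5)  # look-back period per client session
THRESHOLD = 10                 # distinct ordinals in one window considered suspicious

def parse_line(line):
    """Return (time, client, ordinal) for a userdisp.aspx lookup with a numeric ID, else None."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    ts_s, client, path = parts
    url = urlparse(path)
    ids = parse_qs(url.query).get("ID")
    if not url.path.lower().endswith("/_layouts/15/userdisp.aspx") or not ids or not ids[0].isdigit():
        return None
    return datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), client, int(ids[0])

def detect_enumeration(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each client that looked up >= threshold distinct ordinals inside one window
    to {"count", "span", "dense"}; dense means contiguous ordinals (a sequential sweep)."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec[1]].append((rec[0], rec[2]))
    findings = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            ids = {oid for _, oid in events[start:end + 1]}
            # keep the largest qualifying window seen for this client
            if len(ids) >= threshold and len(ids) > findings.get(client, {}).get("count", 0):
                lo, hi = min(ids), max(ids)
                findings[client] = {"count": len(ids), "span": (lo, hi), "dense": hi - lo + 1 == len(ids)}
    return findings

SAMPLE_LOG = [  # constructed sample traffic, not a real capture
    f"2018-02-05T10:00:{i:02d}Z sess-guest /sites/somesite/_layouts/15/userdisp.aspx?ID={i}"
    for i in range(1, 13)
] + [
    "2018-02-05T10:01:00Z sess-staff /sites/somesite/_layouts/15/userdisp.aspx?ID=3",
    "2018-02-05T10:02:00Z sess-staff /sites/somesite/SitePages/Home.aspx",
]
```

Running `detect_enumeration(SAMPLE_LOG)` flags only the guest session, with a contiguous span of ordinals 1 to 12; a single staff lookup stays below the threshold.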
Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/