Seeker Research Center Security Advisory

This vulnerability was discovered by Seeker(r) Automatic Run-Time
Application Security Testing Solution
Disclosed By Irene Abezgauz, September 13th, 2011

=========
I. Overview

An Insecure Redirect vulnerability has been identified in Microsoft
SharePoint shared infrastructure. This vulnerability allows an attacker
to craft links that contain redirects to malicious sites in the source
parameter used throughout SharePoint portal.

The exploitation technique detailed in this document bypasses the cross
application redirection restriction which normally limits such redirects
restricting access to external sites.

A friendly formatted version of this advisory is available at:
http://www.seekersec.com/Advisories/SeekerAdvMS03.html

=======
II. Details

Multiple pages and components in Microsoft Sharepoint use the source
parameter to redirect users to a new location after accessing a certain
page, such as:
POST
/Docs/Lists/Announcements/NewForm.aspx?Source=http%3a%2f%2f127.0.0.1%2fD
ocs%2fdefault.aspx
In order to avoid cross application redirects (which pose a threat to
the system), Microsoft Sharepoint enforces checks on these redirects,
and limits them to localhost or 127.0.0.1, or the SharePoint server IP
(the IP redirect is only valid if the redirect is to an actual
SharePoint page on the server, redirects to localhost or 127.0.0.1 will
work regardless of existence of relevant page).
The implementation of this verification, however, is flawed, and can be
circumvented by creating hostnames which begin with the string
localhost, or 127.0.0.1 even if they are not localhost.
Due to domain naming restrictions the 127.0.0.1 prefix cannot be used in
exploitation, as http://127.0.0.1.seekersec.com is not a valid domain
name - subdomain names cannot be digits only. However, redirects to
http://localhost.seekersec.com or http://localhostie.seekersec.com are
valid. The following prefixes can be provided into the Source parameter
to exploit this vulnerability:
localhostaaa, localhost.seekersec.com, etc.
An attacker can generate an attack by creating a site containing
localhost in its name, and crafting a URL which embeds into the source
parameter a link that lead to sites outside the current application.
Once a victim follows the specially crafted link he indeed arrives at
the selected page of the vulnerable SharePoint application. Once the
page operation is completed, the user will be redirected to the URL in
the source parameter.

========
III. Exploit

Sample exploitation of this vulnerability would be crafting the
following link:
http://MySharePoint/Docs/Lists/Announcements/NewForm.aspx?Source=http%3a
%2f%2flocalhost.seekersec.com
It is important to note that in many situations, even if the application
does not use the source parameter by default, this parameter can be
added manually to the URL, leading to exploitation of this
vulnerability.

================
IV. Affected Systems

Microsoft SharePoint 2007
Microsoft SharePoint 2010

========
V. Solution

Microsoft has released a fix for this vulnerability, see
http://technet.microsoft.com/security/bulletin/MS11-074 for further
information.

=======
VI. Credit

The vulnerability was automatically discovered by Seeker(r) - New
generation application security testing solution, utilizing ground
breaking BRITE(tm) technology (Behavioral Runtime Intelligent Testing
Engine).
Further research and publication was performed by Irene Abezgauz,
Product Manager, Seeker Security.
For more information please visit www.seekersec.com

Irene Abezgauz
Product Manager
Seeker Security
www.seekersec.com
E-Mail: [email protected]