Microsoft Teams Webinar Vulnerable to CSV Injection Vulnerability

By -

 Dear reader,

While testing different features of TEAMS, I find out a CSV injection vulnerability in TEAMS Webinar feature, where any external user, or attacker can register himself for attending public webinar and in webinar registration page he can inject a malicious payload which will executed once the admin download the attendees list.

As per Microsoft they are not accepting it as high/medium security bug (which I totally Disagree) and not eligible for bounty or hall of fame, also they provided the permission to disclose this publicly. 

As per Microsoft the admin has to click enable button once he open the report. For which I mentioned them multiple times that admin will always trust the report as its coming from Trusted source which in this case is Microsoft and 95% of times he will click on Enable button and payload will be executed.

Anyways lets start with the Vulnerability details, At the end of this document I will give a bonus trick on how to find publicly available webinars which can be exploited using this vulnerability. 

=======================Vulnerability Details=======================

Admin Side

To create and test the vulnerability locally, please follow below admin steps:

1. Initiate the webinar from Microsoft Teams.

2. Click on Custom registration Form.

3. Create Custom questions in the form or select the organization Field in the Form

4. Submit the Form.


Attacker Side

Below are the Steps to exploit the CSV injection.

1. Open the newly created registration Form in browser

2. Fill in your name email

3. In Organization or any custom question, input your csv injection payload. For test case I just put a test payload which will open the Calculator on admin system


4. Click on register button. Now your payload is submitted to the admin


Once the webinar ends, admin download and open the attendee list from TEAMS the CSV file will ask for ENABLED / Disable, As most of the time the webinar admins are non technical they will click on enable button as they trust the source of downloaded file. This will lead to payload execution.


above image shows that admin download the registered user list.


Above image shows that opening the downloaded file leads to payload execution.

=======================End of Vulnerability Details=======================

Findings publicly available webinars are very easy using below tricks

1. Google Dork: inurl:"teams.microsoft.com/registration/"

at a time of writing this article there are 120 webinars available which can be exploited.



2. Linkedin: Just search for: teams.microsoft.com/registration/
you will find multiple webinars

3. Facebook: Just search for: teams.microsoft.com/registration/
you will find multiple webinars

=========================================================

Below is the confirmation email from Microsoft team.


Happy Hunting :)

Comments

Post a Comment

Popular posts from this blog

GRANDING UTime Master - IDOR (CVE-2023-45393)

By -
Image
  Hi All, I was able to identify IDOR Vulnerability in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ).  CVE ID: CVE-2023-45393 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Using IDOR any user of the application can fetch Logs which are only meant to be accessible to administrators only. These logs also contains sensitive information like user password which is used to do the attendance by employees. Login to UTime Master using any account. Capture the request in burpsuite with the valid cookies. modify the URL to "/base/adminlog/table/?page=1&limit=200" Forward the request and it will fetch all the admin logs. IDOR has been fixed in latest versions after 9.0.7-Build:Apr 4,2023.
Read more

GRANDING UTime Master - Stored XSS (CVE-2023-45391)

By -
Image
  Hi All, I was able to identify stored XSS in one online attendance system i.e. GRANDING UTime Master (v  UTime Master_9.0.7-Build:Apr 4,2023 ). CVE ID: CVE-2023-45391 UTime Master is a powerful web-based time and attendance management software that provides a stable connection to GRANDING’s standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to offer employee self-service by mobile application and web browser. Login to UTime Master using admin account Click on Personnel > Employee Management >Employee Select Any employee or create a new employee In First name Section embed you payload. For test case I used "/><img src=a onerror=alert(22)> XSS payload embedded in EMP NAME field. Save the employee details, Once the page refreshed it will execute your payload. our payload executed successfully. I have also observed multiple other fields are also vulnerable to XSS e.g. Device Name, Department etc. XSS has been fixed in la
Read more

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef
Read more