Microsoft Yammer API - Filter Bypass & Persistent Vulnerabilities (PoC Video Demonstration)


After our pentests against the Yammer social network, we are now able to provide a video, since a patch has been successfully implemented by the MSRC team. The video is a live pentest session by core team researcher Ateeq ur Rehman Khan against the Microsoft Yammer service. The demonstration video shows how the Yammer API filter was bypassed to execute custom script code on the application side of the vulnerable Yammer online service. The issues have already been patched by the MSRC team after a lengthy documentation phase.

The Microsoft Yammer Social Network Service appears to be vulnerable to multiple persistent script code injection web vulnerabilities. Exploitation of these vulnerabilities requires low or medium user interaction. Interestingly enough, the exploits are triggered when Yammer Desktop Application users interact with the Yammer Social Network website.

To conduct the PoC tests, the researcher created a valid network on the Yammer Social Network website, registered two user accounts, and downloaded and installed the latest build of the Yammer Desktop Application. Upon further testing, it was initially noticed that basic security checks are in place on the Yammer website and malicious requests are blocked or filtered in almost every input field; however, I was still able to find at least two different fields in two separate modules of the Yammer website which are both vulnerable to persistent script code injection flaws.

The first vulnerable field is [department_name] under the User Edit Profile section in My Home Network. An attacker can inject malicious script code into this particular field and wait for victims / unaware users to view the attacker's profile using their Yammer Desktop Application software.

The second vulnerable field is network[message_prompt] in the Admin / Design and Configuration module in External Networks. An attacker can inject malicious script code into the vulnerable field and wait for victims / unaware users to hover their mouse over the Message Window for this particular exploit to be triggered.

The first bug initially discovered on the Yammer website was a self-XSS in the preview feature (when a user hovers the mouse over a profile name, a short preview window appears). All fields inside the preview window are editable, and input sanitization is not performed properly, hence they are vulnerable to code injection. This gave the researcher much hope in conducting further in-depth tests to analyze the application behaviour and find more vulnerabilities. As self-XSS is not considered a security hazard, I have only provided references to it in the PoC video provided along with this advisory for your review.

The Yammer desktop application seems to be quite vulnerable. Using the app, the researcher was also able to find another self-XSS in the Topics feature. A reference is available in the PoC video provided along with this advisory. These sorts of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end-user system.
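The root cause described above is stored field values being rendered as markup without encoding, which request-side filtering alone did not catch. The following is an added example, not Yammer's or the researcher's code, showing the vulnerable concatenation beside context-aware output encoding for the two named fields; the render contexts (department_name as a text node in the profile preview, network[message_prompt] as a title attribute read on hover) and the sample values are assumptions.

```javascript
// Added example, not Yammer's or Vulnerability Lab's code: context-aware output
// encoding for the two fields named in the advisory. The render contexts are
// assumptions for illustration: department_name as a text node in the profile
// preview, network[message_prompt] as a title attribute shown on hover.

// Encode for an HTML text-node context: neutralises tag and entity starts.
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Encode for a quoted HTML attribute value: also neutralises the quote
// characters that would let a value break out of the attribute.
function escapeHtmlAttr(value) {
  return escapeHtmlText(value)
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored field is concatenated straight into markup,
// so whatever was stored becomes live HTML in every viewer's client.
function renderProfilePreviewUnsafe(profile) {
  return `<span class="dept">${profile.department_name}</span>`;
}
function renderMessageWindowUnsafe(network) {
  return `<div class="message" title="${network.message_prompt}">Message</div>`;
}

// Hardened pattern: identical markup, every field encoded for its context.
function renderProfilePreview(profile) {
  return `<span class="dept">${escapeHtmlText(profile.department_name)}</span>`;
}
function renderMessageWindow(network) {
  return `<div class="message" title="${escapeHtmlAttr(network.message_prompt)}">Message</div>`;
}

// Constructed sample values standing in for stored fields (not taken from the advisory).
const sampleProfile = { department_name: "Sales<script>alert(1)</script>" };
const sampleNetwork = { message_prompt: 'Hi" onmouseover="alert(1)' };

console.log(renderProfilePreviewUnsafe(sampleProfile)); // live <script> tag
console.log(renderProfilePreview(sampleProfile));       // inert &lt;script&gt; text
console.log(renderMessageWindowUnsafe(sampleNetwork));  // stray onmouseover attribute
console.log(renderMessageWindow(sampleNetwork));        // quotes encoded, value stays inside title
```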

Vulnerable Service(s):
    [+] Microsoft Yammer Social Network
Vulnerable Application(s):
    [+] Yammer Desktop Application - Latest Build - Q2 2013

Bug #1

Vulnerable Network(s):
    [+] My Home Network
Vulnerable Section(s):
    [+] Edit User Profile
Vulnerable Field(s):
    [+] [department_name]

Bug #2

Vulnerable Network(s):
    [+] External Networks
Vulnerable Section(s):
    [+] Admin - Design and Configuration
Vulnerable Field(s):
    [+] network[message_prompt]


Microsoft Corp. Yammer (API) - Filter Bypass & Multiple Persistent Vulnerabilities

Video: http://www.vulnerability-lab.com/get_content.php?id=1330

Advisory: http://www.vulnerability-lab.com/get_content.php?id=976
