
The road towards O365 bugs in Microsoft Office365

BSides Islamabad · 2020
Duration: 23:22 · 295 views · Published 2020-11
Category: Technical
Style: Talk
About this talk
Ashar Javed is a security engineer at Hyundai AutoEver Europe GmbH with over 5 years of experience. Before that he spent three years as a security researcher at Ruhr-Universität Bochum, Germany. Ashar holds a PhD degree from Ruhr-Universität Bochum and an MSc from Technische Universität Hamburg-Harburg, Germany. His research interests include web application vulnerabilities and in particular Cross-Site Scripting. Ashar has delivered talks at major security events such as Black Hat Europe 2014, HITB KL 2013, OWASP Spain (2014, 2015 & 2016), SAP Product Security Conference 2015, International PHP Conference 2015, ISACA Ireland 2014, RSA Europe (OWASP Seminar) 2013, DeepSec, Austria (2013, 2014, 2015 and 2018), and GISEC, Dubai 2016. In his free time, he likes to participate in bug bounty programs. Microsoft recognised Ashar as the No. 1 security researcher in Microsoft's Security Response Center (#MSRC) Top 100 security researchers list of 2018 and at the No. 4 spot in the 2019 and 2020 Most Valuable Security Researcher lists. He blogs at "Respect XSS" and tweets at @soaj1664ashar.

Microsoft 365 is used by over a million companies and billions of users worldwide. According to Microsoft, Office 365, i.e., the world's productivity cloud, is a security-hardened service and follows the Microsoft Security Development Lifecycle. In this presentation, I will share the stories of my journey towards 365 valid bugs in Microsoft Office 365 umbrella applications. The talk will highlight the lessons learned during Office 365 bug hunting. The bounty award winning bugs that will be discussed during the presentation are ….

– Cross-tenant privacy leak in Office 365
– All your Power Apps Portals are belong to us
– SQLi, CSRF(s) and SSRF in Dynamics 365
– Privilege Escalation issues in SharePoint Online
– Dozens of XSS(es) in Outlook
– Some rate limiting issues

Further, the talk reveals XSS issues in Microsoft 365 Admin Centre, OneDrive, Word, Excel, PowerPoint, OneNote, Yammer, Microsoft Forms, Kaizala, Dynamics 365, SharePoint Online, Stream, Video 365, Azure, and the Security & Compliance services of Office 365. Last but not least, we will share tips and tricks on how one can stay on top of testing the new and upcoming features of Office 365.
Transcript (en)

And next we have Ashar with us. Ashar is a security engineer with Hyundai, based in Germany, and Ashar will walk you through "The road towards 365 bugs in Microsoft Office 365". I see that is a very interesting talk, because most of the organizations are definitely going, you know, from offline Exchange servers to Office 365 and transitioning, so a really good talk on that one. So, hand over to Ashar. Actually, there you go.

Assalamu alaikum. First of all, good evening or good afternoon to everyone, and before I start my talk I would like to thank the organizers for having me at a weekend-time conference.

It's a nice effort, so let's start without wasting any time; let's see how it goes. So, "The road towards 365 bugs in Microsoft Office 365". I think a few of you guys already know me from Twitter. My name is Ashar, I hold a doctorate degree from Germany, and I had a chance to speak at different conferences like Black Hat Europe, Hack in the Box and OWASP. But this time I feel very honored that, for the first time, I am speaking at a Pakistani conference and my audience is you guys from Pakistan, so it is a privilege right now. In 2018 Microsoft recognized me as the number one security researcher, given that I've

submitted so many bugs in Microsoft Office 365; the same is the case with 2019 and 2020. But nowadays I am sort of taking a break from bug bounty, just a few months of no bug hunting. One more aspect: I love to find bugs in Microsoft, and people keep asking me a good question, like why I'm only looking at Microsoft, why I'm not looking at other properties. There are many reasons for that, and I would suggest that you guys look at this talk if you have time: "A tour of Office 365, Azure and SharePoint through the eyes of a bug hunter",

for example the Microsoft bug hunting experience, what type of experiences you will get; everything is in that talk. The slides are available online; just write the name of the presentation and you will find it. So, Office 365, but nowadays Microsoft calls it Microsoft 365. This is how it looks like once you have a tenant set up. Setting up a tenant and how you can get to this type of screen is not in the scope of this talk, but once you have your own tenant set up you will definitely see something like that. It's Office 365, office.com is the URL; you can see Outlook, you can see One

Drive, you can see Word, Excel, PowerPoint, Project, To Do, Power Apps; you can see everything here. It's a whole new world. Finding a bug, for me, is a challenging task. Why do I think like that? Microsoft enjoys the manpower: there are more than 3000 security researchers working for Microsoft. I'm not saying that they are all looking at Office 365, but the point I wanted to make is that they have the manpower, and believe me, it's an honor to have so many people looking at your properties from nine to five; you feel secure. Because I also work for Fortune top companies,

I had the experience that manpower really matters. Also, Microsoft claims that they follow a Security Development Lifecycle, like every step of the development cycle has security integrated into it. And NCC Group is a well-known pen testing group, or security assessment group; every year Microsoft hires their services so that they can pentest Office 365. I even read the reports; if someone asks me where the reports are available, I can send the link on Twitter, just DM me or message me. And last but not least, they have a public bug bounty program. No one is stopping you from participating in the

Microsoft bug bounty program; anyone from anywhere in the world can participate from the comfort of his own couch. So here are four factors, and these are the factors that sound challenging: they have the manpower, they have security integrated, they have a bug bounty program, and even a third-party company is doing assessments. So it sounds challenging, but the most important point is that you get the feeling that you are making an impact on millions of companies, because you cannot live without Office 365. Every day when I go to the office I open Outlook, I use Word, I use PowerPoint, and I assume the same is the case with you guys. Okay.

Literally, this is the name of the report when I sent it to Microsoft: "All your Power Apps portals are belong to us". This bug is not public; it has not been presented at any conference, has not been written up in any blog or any presentation. Normally I used to show this bug only during the training that I offer around Office 365, but just because of BSides I am releasing, or unveiling, this bug. Microsoft rewarded me with eight thousand dollars for this bug. I assume

that this book is available online. I would say just read this book: Computer Security by Dieter Gollmann.

One time you should go through this book; your perspective about computer security will definitely change once you do. I had the honor, given I am in Germany, that I am his student: I did my master thesis and master project with Mr. Gollmann, and I learned network security, application security and software security all from him. I took all the courses from this guy; he's one of the elite in this field, so please read this book, it is available online. So before I show you the bug, "All your Power Apps portals", just a basic definition: access control. What is access control? It is authentication plus authorization,

and normally in authentication we verify a user's identity, while authorization revolves around the actions, whether the identity is performing an authorized or unauthorized action. Why I'm talking about access control, you will see in a minute. Professor Dieter Gollmann said: "The user identity is a parameter in access control decisions." This is a very important sentence: the user identity is a parameter in access control decisions. If you are a developer, if you are making an application, keep this thing in mind all the time. The fundamental model of access control: there is a principal, an entity who wants to perform some action on some object, but these actions should be performed

under the umbrella, under the guidance or under the monitoring of a person we call a guard or a reference monitor. This is how the basic fundamental model of access control works. What is IDOR? Because the bug that I am going to show revolves around access control, that's why I showed you access control, what is authorization and what is authentication. IDOR is basically missing access control; this is the simplest way to describe IDOR. You can read a lot about IDOR; some say that it's unauthorized data access, some say that it's missing access control. You can read a lot of blogs on that, you can even read a lot of bug reports

that are already public online. As I showed you just now, office.com, you can see it like that. How did I find this bug? This is how the Office server looks like, and among this you can see Power Apps. Once you click on Power Apps, it brings you to a site called make.powerapps.com. The funny part is that Power Apps is not in the scope of the Microsoft bug bounty program. Power Apps is not in scope, but this scope is defined in the bug bounty program list. The point is: don't look only at the top-level domain, see what requests the domain is originating behind the scenes. So that's how I started exploring this

website. This is how it looks like; the area of interest on the screen that you can see is "Portal from blank". I clicked on that. I'm going to explain what my methodology was and how I found this bug. Once you see it, it looks easy, because there is a saying that once the bug is there, or once you saw it or once you read it, it always looks easy, but reaching that point in the first place is always a difficult task. Once you click on "Portal from blank" you will see a screen like that. This is a very important screen; people just blindly throw a vector at it,

people don't bother to read it. But I love reading documentation, and that's why I am successful in Office: because I read the documentation, I read the help documents on how to go through this. On this dialog box, what clicked in my mind by reading the sentence "Create a website to share data with external and internal users"? This point clicked in my mind. I immediately thought that this service is offering me to create a website, if I'm an organization, so that I can share data with external users. Sounds cool. But one more thing to look at closely: it's the address

field. The address field: you can enter any value, and by default it's powerappsportals, but there is also one option that Microsoft picks at random; I'll show you later on the screen. If you move on, let's assume that you have created a portal by using this dialog box: you write a name XYZ, you write an address ABC, for example, you select a language and you click on Create. On the next screen the URL looks like make.powerapps.com, environment, an identifier, and apps; in the apps you can see the portal that you have just created.

But once you select the portal, there is a dialog box here; it's "Administration". This is the area of interest for me; this is how the administration looks like. Now read the administration. People don't bother to read these lines, but these lines are very important, because this shows that if you find a bug in that place, it has more importance, so this bug should have more leverage. For example, in the administration, if you read it: "See additional details and perform advanced portal actions". If you have a portal site that you want to share with external users, with this administration you can do a lot of cool stuff. Let's move forward. As I told you,

by default Microsoft shows you either powerappsportals.com, where you can control the static part (it belongs to you; you can write abc, xyz, anything over there), or microsoftcrmportals.com. The funny thing is that both are not mentioned in the scope; both are not explicitly mentioned in the Microsoft cloud bug bounty program, but okay, still, the game is just starting. You have these websites. I immediately thought: okay, if I am creating a website on my tenant, what is happening around the world? It means that people around the world are also creating their own websites; maybe organizations are creating them. That's why I started using OWASP Amass; it's like an in-depth attack

surface tool. I assume that if you are in bug hunting everyone knows about Amass; you can use it to explore the attack surface, how many subdomains are there. So I figured out that there are around 1700 subdomains that have powerappsportals.com or microsoftcrmportals.com. In total I found around 1700 different domains, 1700 organizations in the world that are using Office 365, leverage this service and have their own website developed for external users. This is good. Once you go to the portal actions, this is the part that you can see once you are inside the administration section. Now look at the functionality here, see what features you have: you

can restart, you can update, you can get a public key, you can reset a portal, you can disable custom errors, you can change the base URL, you can enable maintenance mode. This is just the user interface, but what is happening behind the scenes if I try to perform one action? For example, this is how a POST request looks like for custom errors. Now, we are sitting in Power Apps, but look at the POST request: the POST request is going to portal admin dash nam dos portal dash infra dot dynamics.com. dynamics.com is in scope; they have a dedicated bug bounty program. It means that even though from a user

perspective, or from the user interface, you are in Power Apps, the requests that are going behind the scenes go to Dynamics, which is in scope, and this endpoint is where you can change the custom errors. This is how the POST parameters look like. Microsoft has this request verification token; they normally use it in Dynamics as a CSRF protection, and I think they are doing good in a way that if you try to reuse it, they stop you, they try to stop you, and you cannot easily use it at some other party. But for me the interesting aspect is

this portal ID, the POST parameter. Look at that: there are two POST parameters, portal ID and turn on, like you want to turn on the custom error page or you want to turn it off; turn on, true or false, doesn't matter. The portal ID matters, but this ID is not easy to guess. It's not like 123456 or a three or four digit number that you can easily brute force with any tool like Burp or any other tool. Now the question that I asked myself: how can you, as an attacker, get the portal ID or the tenant product ID of the victim, the target? If you go back

two slides, I showed you 1700 websites; 1700 websites are using these CRM portals or Power Apps portals. The point is that I wanted to see their IDs, what is their tenant product ID, and this is like a formula: it's a 32-bit number, here it's a random number. The answer you can find in the source code: just open any of these 1700 domains, scroll through the source code, and there is an inline script that is telling me the ID; the community portal has this ID. Now it's easy: we have the ID of the victim. Now what I did, before I show you a video proof of

concept (there is a video demonstration also), I wanted to show you some other requests, what actions you can perform. That's why I wrote the bug title "All your Power Apps portals are belong to us". This endpoint is called set portal maintenance mode; by leveraging this bug you can bring any website into maintenance mode. How? In the POST request there is their tenant product ID; you get it by going through their website that you found from Amass, pick the ID and replace the ID. And the next thing, this parameter is custom page URL; you can change it to any URL you want, so that during the maintenance mode they should

see some XYZ website. You can do that. For example, when you enable this feature, this is how the site looks like: "Website under maintenance". Also you can upload portal certificates; again, in that case, even though it's a POST request, there is no POST parameter; the ID is a part of the URL. Simply change the URL, and this is how it ends up: "Server error in application". You can also change the base URL. For example, the portal name is abc, you can change it to xyz, and when someone tries to go to abc he will see a message like "404 website

not found". Next, let's watch this video; it's like a three, four minute video of this demonstration. I hope this will work out. On the left side there is one tenant; I have set up two different tenants. One tenant is like "Office 365 training", another one is called "Microsoft bug bounty". On both you see I created a portal, and the settings part is our interest. For example, I assume this is the victim, because I use two different accounts, one as a victim, and this is, as an example, the website of the victim. I set up this rough website for

testing purposes. The site is online, and from the attacker I will bring the website down, or I will redirect the website to some other page. For example, this is the victim: you go to the source code, you pick the ID, because this is the ID that you need. When you are using this ID, you have an insecure direct object reference bug. I will try to enable maintenance mode; on the right side there is an attacker. Always set up two different accounts; in fact these are two completely separate domains, two complete setups for Office 365. This is how the page looks like before I bring this page down, before I redirect.

Oh sorry, XSSes, of course; if I am testing, XSS is there. You will definitely also see one more XSS as a part of this video.

Sorry for the video quality if it's not good. I will share the slides next week; I will share everything.

Okay, you can enable maintenance mode, and for example I want that this victim website, when someone wants to open it, should redirect to google.com. This is how: you send the POST request in Burp, you simply change the tenant product ID to the victim ID that you picked by looking at the source code. I also changed it as a part of the Referer header, just to make sure. The cookies and the CSRF token, everything belongs to you; you don't need to worry about that, you just need an ID,

you just forward it.

Okay, now if I go back to the website that I showed you, where you also saw a pop-up, XSSes; there is one more XSS here. Now I will go to the website that I had earlier and I will refresh the page, and you can see that this victim page or victim site is no more available, but it tries to redirect me to google.com. Because Google is using X-Frame-Options, that's why it is blocked in Firefox. And next week at Hack In The Box Cyber Week I have a talk planned, and we will learn one more bug that you guys will definitely be interested

in: cross-tenant privacy leak in Office 365. For this you need to wait some time; I think next week the talk is scheduled. If you guys have any question, anything you would like to ask me, please feel free to contact me over Twitter; you can message me anytime. I'm not on Discord, I'm not using Discord, so feel free to send it to me directly or to the organizers and they will forward it to me, and I would be happy to answer and happy to help. Now I will say that, because I'm Pakistani, which is why I chose this talk, if you have any question I am available for the next 10 minutes

for any questions you have.
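The access-control point the talk turns on (the portal ID in the request body is trusted on its own, while the caller's identity and tenant never enter the decision, so the anti-forgery token cannot help) as an added Python example; this is not code from the talk or from Microsoft. It models a portal-administration handler in its vulnerable shape next to a hardened one that routes every admin action through a reference-monitor check, which is the model the talk quotes from Gollmann. The tenant names, portal IDs, handler names, action names and request-body keys are all constructed assumptions, not the real Dynamics API.

```python
"""Toy portal-administration endpoint: IDOR (trusted portal id) vs. hardened
(caller's tenant is a parameter of the decision). Sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass
class Portal:
    portal_id: str            # opaque 32-hex id: hard to guess, but printed in the portal's page source
    tenant_id: str            # organisation that owns the portal
    maintenance: bool = False
    custom_page_url: str = ""

@dataclass
class Session:
    user: str
    tenant_id: str
    csrf_token: str           # "request verification token" bound to this session only

# Constructed ids for two separate tenants (assumed, not real values).
VICTIM_ID = "3f1c9e2a7b4d4c1e8a9f0d2b6c5e4a11"
ATTACKER_ID = "9a8b7c6d5e4f4a3b2c1d0e9f8a7b6c55"

def make_sample_portals() -> Dict[str, Portal]:
    """Fresh in-memory store so each run starts from a known state."""
    return {
        VICTIM_ID: Portal(VICTIM_ID, "tenant-victim"),
        ATTACKER_ID: Portal(ATTACKER_ID, "tenant-attacker"),
    }

Response = Tuple[int, str]   # (HTTP status, message)

def _csrf_ok(session: Session, body: dict) -> bool:
    # The token only proves the request came from the caller's own session;
    # it says nothing about whether the caller may touch the portal in the body.
    return body.get("__RequestVerificationToken") == session.csrf_token

def set_maintenance_mode_vulnerable(store: Dict[str, Portal], session: Session, body: dict) -> Response:
    """Mirrors the bug class: any authenticated user can flip any portal by id."""
    if not _csrf_ok(session, body):
        return 400, "bad request verification token"
    portal = store.get(body.get("portalId", ""))
    if portal is None:
        return 404, "no such portal"
    # Defect: the id is trusted as-is; session.tenant_id never enters the decision.
    portal.maintenance = bool(body.get("turnOn"))
    portal.custom_page_url = body.get("customPageUrl", "")
    return 200, "ok"

# Assumed action names for the reference monitor (not the product's own).
ALLOWED_ACTIONS = {"set_maintenance_mode", "set_custom_errors", "change_base_url", "restart"}

def authorize(session: Session, action: str, portal: Portal) -> bool:
    """Reference monitor: decide from (principal, action, object), never from the object id alone."""
    if action not in ALLOWED_ACTIONS:
        return False
    return portal.tenant_id == session.tenant_id

def set_maintenance_mode_hardened(store: Dict[str, Portal], session: Session, body: dict) -> Response:
    """Same handler with the ownership check in front of the state change."""
    if not _csrf_ok(session, body):
        return 400, "bad request verification token"
    portal = store.get(body.get("portalId", ""))
    # A portal owned by another tenant is answered exactly like a missing one,
    # so the endpoint does not confirm which ids exist.
    if portal is None or not authorize(session, "set_maintenance_mode", portal):
        return 404, "no such portal"
    portal.maintenance = bool(body.get("turnOn"))
    portal.custom_page_url = body.get("customPageUrl", "")
    return 200, "ok"

def demo() -> dict:
    """Replay one attacker request (own session, foreign portal id) against both handlers."""
    attacker = Session("mallory", "tenant-attacker", "tok-attacker")
    body = {"__RequestVerificationToken": "tok-attacker", "portalId": VICTIM_ID,
            "turnOn": True, "customPageUrl": "https://example.invalid/maintenance"}
    v_store, h_store = make_sample_portals(), make_sample_portals()
    v_status, _ = set_maintenance_mode_vulnerable(v_store, attacker, body)
    h_status, _ = set_maintenance_mode_hardened(h_store, attacker, body)
    return {"vulnerable": v_status, "victim_down_after_vulnerable": v_store[VICTIM_ID].maintenance,
            "hardened": h_status, "victim_down_after_hardened": h_store[VICTIM_ID].maintenance}

if __name__ == "__main__":
    print(demo())
```

The ownership check lives in one `authorize` function rather than in each handler, so the actions the talk lists (custom errors, base URL, certificates, restart) all pass through the same guard; a handler that forgets the call is the bug class again. Returning the same 404 for a missing portal and for one owned by another tenant keeps the endpoint from confirming which IDs exist, and the anti-forgery token is still checked but, as the talk observes, it never substitutes for the ownership decision.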