Microsoft education remote code execution


A couple of months ago, I found the time to hunt some bugs. I didn't feel like hunting big programs like Facebook or Google services, but I had recently discovered that Microsoft had also launched a bug bounty program, so I decided to have a look there. I actually wanted to research one of their sites that is eligible for a monetary reward, just to challenge myself.

One way or another, however, I ended up on a Microsoft subdomain, education.microsoft.com, and it seemed pretty secure at first.
There was XSS protection on all inputs, and CSRF tokens were in place.

I then discovered a feature to build my own course page. The editor looked a bit like one of those website builders, so it seemed a cool target and I started fiddling with it.

It didn't take long before the first stored XSS popped up.
There were several stored XSS bugs, but this one was the most trivial.
I simply put javascript:alert('xss'); in the URL field, and guess what?

It worked!

And if you find an XSS this simple, you know there is more, so I quit searching for this low-hanging fruit and started looking for upload functions, hoping for an RCE.
It didn't take long before I found an image uploader, and it turned out to be an arbitrary file uploader, since I could upload anything. But... the uploaded files were stored somewhere on the server and I wasn't able to find out where.
I thought I should just give up here, because I assumed they would use the same code to handle all the uploads (which would be a logical thing if two upload functions are on the same page).

But I wanted to be sure, so I looked for another upload functionality.
I found out I could upload videos, and that's where it got interesting.

I uploaded a file, video.php, and got the following screen:

It stated that the MIME type of the uploaded file was not supported.
But I just couldn't believe it...

I looked at the source and saw a link to a PHP file.
YAY.
Well, this could have turned out to be nothing, but hey, you've read the title, so you know how it goes from here. 😉

I pasted the link in my browser and BOOM! I was presented with the PHP file I had uploaded.

I reported it to Microsoft the same day, and it was accepted.
The patch took a while, but the report was greatly appreciated.
I did not receive any bounty for this, as it was out of scope, but I was mentioned on the Microsoft security researcher acknowledgment page for April.
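The two weaknesses described above, a URL field that accepts a javascript: link and an uploader that reports an unsupported MIME type yet still keeps the file reachable, come down to the same missing server-side checks. The following Python is an added example, not code from this post or from Microsoft: the scheme allowlist, the extension and magic-byte tables, and the in-memory store are assumptions chosen to illustrate the fix.

```python
import secrets
from urllib.parse import urlparse

# Schemes allowed in the course-page URL field; anything else (javascript:, data:) is dropped.
ALLOWED_URL_SCHEMES = {"http", "https"}

# Extension -> media type the uploader is meant to accept (assumed allowlist).
ALLOWED_EXT = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "mp4": "video/mp4"}


def safe_link(url: str):
    """Return the URL only if its scheme is on the allowlist, else None."""
    scheme = urlparse(url.strip()).scheme.lower()
    return url if scheme in ALLOWED_URL_SCHEMES else None


def sniff_type(data: bytes):
    """Identify the media type from magic bytes, ignoring the client-supplied name."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if len(data) >= 8 and data[4:8] == b"ftyp":  # ISO base media (MP4) box signature
        return "video/mp4"
    return None


def validate_upload(filename: str, data: bytes):
    """Return (ok, ext, reason): the extension must be allowed AND the content must match it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, ext, "extension not allowed"
    if sniff_type(data) != ALLOWED_EXT[ext]:
        return False, ext, "content does not match extension"
    return True, ext, "ok"


def handle_upload(filename: str, data: bytes, store: dict):
    """Validate first and write only on success. The bug in the post was the reverse:
    the server reported 'mime-type not supported' but the file had already been
    stored and was served from a path visible in the page source."""
    ok, ext, reason = validate_upload(filename, data)
    if not ok:
        return {"stored": False, "error": reason}
    # Server-generated name with the validated extension; the user's filename never reaches disk.
    name = f"{secrets.token_hex(8)}.{ext}"
    store[name] = data
    return {"stored": True, "name": name}
```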

Comments

  1. This is an aspx site man, your php files are not executed.

    • Hey,

      This is not true.
      ASPX files run on IIS servers which do support PHP.
      Even if PHP was not enabled on the server, achieving RCE would have been simple anyway since I could upload any possible file.

      Kieran
