'Self-XSS' flaw in found Microsoft Dynamics CRM

Information security company High-Tech Bridge unveiled a security report documenting the flaw.
Written by Charlie Osborne, Contributing Writer

A flaw discovered in Microsoft's Dynamics CRM could allow remote hackers to trick a logged-in user into inserting malicious code within input fields on vulnerable websites.

Information security company High-Tech Bridge recently unveiled a security report documenting the flaw. According to the firm's security team, while the risk factor of the flaw can be considered low, its existence is still serious. The DOM-based "self-XSS" vulnerability was discovered in Microsoft Dynamics CRM 2013 SP1, which can be exploited to perform cross-site scripting attacks against authentic users of websites.

The vulnerability exists due to "insufficient filtration" of user-supplied input passed to the "/Biz/Users/AddUsers/SelectUsersPage.aspx" following a failed attempt to send an XML SOAP request by a user. A remote attacker therefore has an avenue to theoretically trick a user logged in to the service into inputting malicious HTML and script code into the "newUsers_ledit" field, before the code is executed in a user's browser.

But how would an attacker trick a user into this act? According to High-Tech Bridge, simple social engineering tactics could trick a user into copying 'legitimate' text from a pre-prepared malicious page to a user's clipboard, before being pasted into a vulnerable webpage.

Simple exploit code below will display a legitimate text to the user but replace the text copied to a user's clipboard with exploit code, as shown below:


The victim sees the following text in the browser: HIDDEN USERS&&DISPLAY

However, the script will copy and paste the following malicious payload:


Microsoft itself does not recognise the self-XSS issues found in its Dynamics CRM, which is used by the US government, as a vulnerability. A Microsoft spokesperson told ZDNet:

"We do not consider this a security vulnerability as it requires the use of social engineering to convince an authenticated user to enter some specific malicious code -- in this instance putting it into a field on the Dynamics CRM application. We recommend that our customers always exercise caution when accepting content from untrusted sources."

However, the security firm believes this issue is a security problem given the rise of self-XSS campaigns last year, and suggests users block access to the vulnerable script WAF or web server configuration as a temporary fix.

Ilia Kolocheno, CEO of High-Tech Bridge commented:

"Taking into consideration that same vulnerabilities were actively and successfully exploited by hackers in 2014, this XSS vulnerability is pretty serious, despite the "low" category we assigned due to this being a relatively complex exploitation. I think that Microsoft's decision not to patch the vulnerability is wrong as, regardless of their general policy, they should think about their customers' security first and foremost.

Such vulnerabilities could potentially be ignored in the past, but not in 2015, especially in such popular and sensitive products as Dynamics CRM."

To watch a video of how High-Tech Bridge exploited this vulnerability click here.

Read on: In the world of security

Editorial standards