Source: www.myhack58.com (MYHACK58:62201995121), author 佚名 (Anonymous), published Jul 18, 2019

How I found an XSS vulnerability in the Microsoft Outlook for Android mobile application


EPSS: 0.001 (Low), percentile 21.2%

Today's share is about a stored XSS vulnerability in Outlook for Android. The author stumbled on it in a technical e-mail sent by a friend and, after months of reproducing and building on it, Microsoft finally acknowledged the vulnerability as CVE-2019-1105.
How the vulnerability was found
At the end of 2018 a friend e-mailed me asking for help analyzing some JavaScript code he was studying. I do not do vulnerability research, but the message he sent showed something odd on my phone. My phone runs Android; below is a screenshot of how the message was displayed, with the sender's information hidden:
![](/Article/UploadPic/2019-7/2019718175542898.png)
The grey border looked a little strange. When I examined it, I found that the JavaScript contained an HTML form inside an iframe, and the mobile application could not render that iframe properly. Oddly, when I opened the mail on my laptop everything rendered normally, as shown below:
![](/Article/UploadPic/2019-7/2019718175542532.png)
That made me think there was a problem: the iframe embedded in the message might be a vulnerability, and it might be specific to the Outlook application on my phone. What stood out about Outlook here was that the iframe was not affected by the BlockExternalImages setting that blocks external images. If an attacker could get JavaScript that actually runs into a mail, that would be a serious security threat.
BlockExternalImages: a security setting in Outlook for iOS/Android; when set to true it blocks external images.
To verify my guess I tried putting a script tag in the mail instead of the iframe, but that did not work. However, I found that by using a JavaScript URL inside the iframe we can construct a way to bypass this restriction, which is very interesting.
Achieving [stored XSS](http://www.myhack58.com/Article/html/3/7/Article_007_1.htm) via e-mail
Normally, in a web browser, a URL can be invoked with the javascript: syntax, but because of the same-origin policy, JavaScript in an iframe from a different domain cannot access the other data on the page. In the Outlook for Android application there was no such restriction: the JavaScript in the iframe I configured could use my user's cookie, token or other information to initiate requests, and could also send that information back to the attacker's remote controller. Yikes.
This is quite frightening in security terms. To exploit it, an attacker simply sends the victim a mail containing crafted JavaScript code, and the victim is compromised as soon as they open it in Outlook. Normally Outlook filters and escapes some unsafe syntax, but because the crafted JavaScript was inside the iframe, Outlook's server side did not detect it, so after the mail was delivered the Outlook client did not filter or escape it either, and the JavaScript in the iframe ran successfully on the client's mobile device. This is what we call stored XSS. The risk of this class of vulnerability is great: an attacker can use it for many purposes, including stealing information and exfiltrating data. The attacker only has to send the victim a crafted mail; when the victim reads it, it can steal the victim's cookies, other e-mails, personal data and other sensitive information. Worse, a stored XSS in a mail-reading client could be weaponized for distributed deployment, resulting in a large-scale worm or malware-style infection.
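As an added defender-side example (not code from the original post or from Outlook), the auditor below checks an HTML mail body the way a mail-side filter would need to: it flags iframes, javascript: URLs in URL attributes and inline event handlers, rather than only `<script>` tags, which is the gap the article describes. The sample mail, the naive filter and all function names are constructed for illustration; the javascript: URL in the sample is an inert `void(0)`.

```python
import re
from html.parser import HTMLParser

# Constructed sample mail body of the shape the article describes: no <script>
# tag, but an <iframe> whose src is a javascript: URL.
SAMPLE_MAIL = """<html><body>
<p>Here is the JavaScript analysis you asked for.</p>
<iframe src="javascript:void(0)" width="1" height="1"></iframe>
<img src="https://example.invalid/logo.png">
</body></html>"""

ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed"}  # run/load code
URL_ATTRS = {"src", "href", "action", "formaction", "data"}  # may carry a scheme

def is_script_url(value):
    """True for a javascript: URL, after stripping the leading control and
    whitespace characters browsers ignore and comparing case-insensitively."""
    if value is None:
        return False
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")

class MailHtmlAuditor(HTMLParser):
    """Collects (tag, attribute, value) findings for active content. HTMLParser
    unescapes attribute values, so '&#106;avascript:' is seen as 'javascript:'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, "tag", None))
        for name, value in attrs:
            if name in URL_ATTRS and is_script_url(value):
                self.findings.append((tag, name, value))
            elif name.startswith("on"):  # inline event handler attributes
                self.findings.append((tag, name, value))

def audit_mail_html(html):
    """Return every active-content finding in one HTML mail body."""
    parser = MailHtmlAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

def naive_script_filter(html):
    """Hypothetical filter that only strips <script> blocks; it leaves the
    javascript: iframe untouched, which is the gap the article describes."""
    return re.sub(r"(?is)<script\b.*?</script>", "", html)
```

Running `audit_mail_html(SAMPLE_MAIL)` reports both the iframe element and its javascript: src, while `naive_script_filter(SAMPLE_MAIL)` returns the mail with the iframe still in place.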
Reproduction history after reporting the vulnerability
I thought this was a big problem that Microsoft urgently needed to know about. So I wrote a short PoC for the exploit that executes an arbitrary external script to steal and send back sensitive personal information; since the exploit was not developed very far, it did not show much access to the message data. I sent this PoC to the Microsoft security team.
I honestly did not know where in the source code the vulnerability came from, because I do not have the Outlook source and have essentially no experience debugging mobile applications, but I expected that the developers who saw this PoC would be able to understand it.
Unfortunately, the Microsoft security team could not reproduce the vulnerability, and I fell into an awkward dilemma, because it was obviously real. I sent the Microsoft security team a video of my exploit being reproduced. Later I learned that another security researcher had also reported the vulnerability, but even with that PoC the Microsoft security team still did not succeed in reproducing it.
To confirm whether a difference in Outlook settings was the cause, I also ran some tests, but did not find the problem. It looked as if this vulnerability was going to go cold.
Microsoft: if you cannot reproduce it, it does not count as a vulnerability
Every security engineer and developer will tell you that a bug that cannot be reproduced is a headache, and their time is a valuable and limited resource for the company. A vendor security team may spend a lot of energy trying to reproduce a bug, and in the end infer that if they cannot reproduce the vulnerability, an attacker is also unlikely to reproduce and exploit it. So from this point on, the vendor security team tries to shift the responsibility back onto the reporter, the security researcher, whom they hope will make the report as easy as possible to reproduce and confirm.
Breakthrough
I could not let it go. A few months later this vulnerability was still on my mind, and how to get the Microsoft security team to confirm it was the difficulty. For this reason I thought about a method of extracting the HTML content loaded by the Outlook application, and then I realized that this extraction method might be the vulnerability itself! I was able to steal data from the Outlook application, which also meant I could use it to read the loaded HTML content. So, combining these points, I constructed a new payload, with the following results:
