============================================================================
Foofus.net Security Advisory: foofus-20110610
============================================================================

Title:        Javascript Injection in Microsoft Lync
Version:      4.0.7577.0
Vendor:       Microsoft
Release Date: 2010-06-10
Issue Status: Fix available

============================================================================

1. Summary

Microsoft Lync version 4.0.7577.0 contains a JavaScript injection vulnerability.

2. Description

JavaScript statements can be stacked within the URL through the "reachLocale" parameter of ReachJoin.aspx. Arbitrary JavaScript can be inserted, with some restrictions (notably that characters such as ">" will trigger .NET request validation and cause the page to fail to display).

3. Proof of Concept

The following URL will load an image in a new window or tab, as well as display an alert with arbitrary content:

https://[target]/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale=en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload%20from%20the%20link%20you%20were%20given%22%29//

Pop-ups will need to be enabled in order to load a new tab, but this can be circumvented by social engineering (e.g. a dialog box) or possibly by more clever JavaScript insertion.

4. Impact

Exploiting this issue allows an adversary to inject most types of JavaScript into the page in order to execute client-side attacks or perform social engineering attacks. These attacks can easily be manipulated to compromise a target workstation.

5. Affected Products

Only version 4.0.7577.0 has been tested. This vulnerability may exist in other versions.

6. Solution

According to Microsoft, the vulnerability can be resolved by installing the "update package for Lync Server 2010, Web Components Server: April 2011" at http://support.microsoft.com/kb/2500441

7. Timetable

2011-05-31  Advisory written and submitted to Microsoft
2011-05-31  Vendor confirms receipt of advisory
2011-06-10  Vendor confirms vulnerability, advises availability of patch
2011-06-10  Disclosure

8. Reference

http://www.foofus.net/?p=363

9. Credits

bede@foofus.net (Mark Lachniet)
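The injection pattern described in section 2 (an untrusted query parameter pasted into a JavaScript string literal, so that a quote followed by a semicolon starts a new statement) is illustrated below. This is an added example, not code from the advisory, from Microsoft, or from the Lync product: the actual ReachJoin.aspx server code is not shown on the page, so `render_vulnerable` is a hypothetical approximation of the flawed pattern, and all function names are assumptions. The block decodes the reachLocale value from the advisory's own proof-of-concept URL, shows that the naive rendering lets it escape the literal, and shows two defensive checks: an allow-list for the locale tag and a JavaScript-string encoding that keeps any value inside the literal.

```python
import json
import re
from urllib.parse import urlparse, unquote

# Proof-of-concept URL from section 3 of the advisory; the host is a placeholder.
POC_URL = (
    "https://target.invalid/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale="
    "en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;"
    "alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload"
    "%20from%20the%20link%20you%20were%20given%22%29//"
)


def reach_locale_from_url(url: str) -> str:
    """Return the percent-decoded reachLocale parameter, as the server would see it.

    The query is split by hand on '&' only, because the payload contains ';' and
    older urllib.parse.parse_qs versions also split on ';'.
    """
    for pair in urlparse(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "reachLocale":
            return unquote(value)
    return ""


def render_vulnerable(reach_locale: str) -> str:
    """Hypothetical flawed pattern: the raw parameter is interpolated into a JS string."""
    return 'var reachLocale = "%s";' % reach_locale


# Characters that matter to the HTML parser inside a <script> element; escaping them
# keeps an encoded value from ending the script block even though JSON would allow them.
_HTML_SIGNIFICANT = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal.

    json.dumps escapes quotes, backslashes, control characters and (with the default
    ensure_ascii=True) U+2028/U+2029; the loop then escapes HTML-significant characters.
    """
    literal = json.dumps(value)
    for ch, esc in _HTML_SIGNIFICANT.items():
        literal = literal.replace(ch, esc)
    return literal


def render_hardened(reach_locale: str) -> str:
    """Corrected pattern: the value is encoded for the JS string context it lands in."""
    return "var reachLocale = %s;" % js_string_literal(reach_locale)


# Exactly one double-quoted string literal (escapes allowed) followed by ';' and nothing else.
_SINGLE_STRING_ASSIGNMENT = re.compile(r'^var reachLocale = "(?:[^"\\\n]|\\.)*";$')


def stays_inside_literal(rendered: str) -> bool:
    """True when the rendered line is a single string assignment, i.e. the untrusted
    value did not terminate the literal and introduce further statements."""
    return _SINGLE_STRING_ASSIGNMENT.match(rendered) is not None


# Allow-list for a locale tag such as en-us: a legitimate value never contains quotes,
# semicolons or brackets, so rejecting anything else is the simplest defence.
_LOCALE_RE = re.compile(r"^[a-z]{2,3}(?:-[A-Za-z]{2,4})?$")


def is_valid_locale(value: str) -> bool:
    return _LOCALE_RE.match(value) is not None


if __name__ == "__main__":
    payload = reach_locale_from_url(POC_URL)
    print("decoded reachLocale:", payload)
    print("vulnerable rendering breaks out:", not stays_inside_literal(render_vulnerable(payload)))
    print("hardened rendering stays inside :", stays_inside_literal(render_hardened(payload)))
    print("allow-list accepts payload       :", is_valid_locale(payload))
```

The allow-list is the right fix for a parameter with an enumerable set of legitimate values like a locale; the output encoding is the general mitigation for any untrusted data that must be placed in a JavaScript string context. Note that ASP.NET request validation, which the advisory observes rejects ">", blocks only a subset of dangerous input and is not a substitute for either check: the proof-of-concept payload contains no ">" and passes it. The authoritative remediation for this product remains the vendor update cited in section 6.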