#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Power BI Report Server [1]
# Vendor: Microsoft
# CSNC ID: CSNC-2022-007
# CVE ID: CVE-2021-41372
# Subject: Cross-Site Scripting (XSS) [2]
#          and Cross-Site Request Forgery (CSRF) [3]
# Risk: High
# Effect: Remotely exploitable
# Author: Emanuele Barbeno (advisories@compass-security.com)
# Date: 02.05.2022
#
#############################################################
Introduction:
-------------
Power BI Report Server is part of the Microsoft Power Platform and is an
on-premises solution for companies that won't or can't store data in the
cloud-based Power BI Service.
This software is used to turn unrelated sources of data into coherent,
visually immersive, and interactive insights. Data may be input by reading
directly from a database, webpage, or structured files such as spreadsheets,
CSV, XML, and JSON.
Affected:
---------
Vulnerable:
* 15.0.1107.146
Not Vulnerable:
* 15.0.1107.165 (KB5007903)
Technical Description
---------------------
The user's input data is not properly encoded when being echoed back to the
user. Therefore, this data can be interpreted as executable code by the
browser and allows an attacker to execute JavaScript code in the context of
the victim's browser if the victim opens a malicious link.
Furthermore, the tested version fails to validate anti-CSRF tokens, so this
vulnerability can also be exploited by an external attacker hosting specific HTML
code on a malicious website on the Internet.
First, a valid template file is required. This can be downloaded from an already
uploaded Power BI report (by clicking on the 3 dots in the top right corner of
the selected template and then on the Download drop-down menu option) or
from the Internet (e.g. https://zebrabi.com/income-statement-power-bi-template/).
A file with the pbix extension is downloaded. Using WinZip, it is possible to
extract its contents and modify the "[Content_Types].xml" file, adding the "html"
extension as follows (4th line):
```
```
Then create a new file named xss.html with the following content inside the
"Report/StaticResources/RegisteredResources" folder:
```
```
It is now possible to create the updated pbix file using the following command:
```
$ zip -r test.pbix *
```
And upload it to the Power BI Report Server by clicking on the Upload button
in the web interface. A new PowerBI report should be automatically added inside
the current folder.
When opened inside the PowerBI web interface, one of the requests sent to the
backend should contain the "RegisteredResources" string in the path
(for example, http:///powerbi/api/explore/resourcePackageItem/9b3db864-e628-4ec9-b3c2-ae2d4ec8135b/RegisteredResources/webinar-home-pagebackground9453047756543702.png).
It is possible to reference the uploaded "xss.html" file created before by changing
the referenced file inside the URL, as shown in the following HTTP request:
```
GET /powerbi/api/explore/resourcePackageItem/9b3db864-e628-4ec9-b3c2-ae2d4ec8135b/RegisteredResources/xss.html HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http:///powerbi
ActivityId: 308b608a-fa60-6d72-fc19-ddb78d081bc0
RequestId: b4c26e23-ee63-9ed6-5a3f-f3d3bc306393
X-PowerBI-ResourceKey: any
X-SSRS-ClientSessionId: fd99303b-c67e-20a0-26f0-07f584ad0665
Connection: Keep-Alive
Cookie: ai_user=sMsgC|2021-06-29T06:57:46.592Z
```
The HTTP response contains the XSS payload and the Content-Type is set to text/html,
so the malicious JavaScript code is executed in the user's browser:
```
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache
Content-Length: 63
Content-Type: text/html
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 29 Jun 2021 13:27:28 GMT
```
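The root cause on the serving side is that an uploaded package part is returned with whatever
type the attacker-controlled "[Content_Types].xml" declares. The following is an added
example (not Compass Security's or Microsoft's code, and not how Power BI Report Server is
implemented) of the two defender-side checks a report server can apply: at upload time,
reject a package whose manifest maps an extension to an active content type or whose
RegisteredResources folder contains anything but allowlisted image types; at serve time,
send only a fixed image Content-Type from an allowlist and force everything else to a
download with nosniff. The allowlist, the RESOURCE_DIR path and both manifests are
assumptions constructed for the example; the OPC namespace and the zip layout are the
standard package format.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the OPC [Content_Types].xml manifest inside a .pbix package.
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Package folder whose files the server later hands to browsers (where xss.html was placed).
RESOURCE_DIR = "Report/StaticResources/RegisteredResources/"
# Hypothetical allowlist for served resources: passive image formats only.
ALLOWED_RESOURCE_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                          "jpeg": "image/jpeg", "gif": "image/gif"}
# Media types a browser renders as a document that may run script.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                        "text/javascript", "application/javascript",
                        "text/xml", "application/xml"}


def _ext(name: str) -> str:
    """Lower-case extension without the dot ('' if none)."""
    return posixpath.splitext(name)[1].lstrip(".").lower()


def disallowed_extensions(package: bytes) -> list[str]:
    """Sorted extensions that make the upload unsafe to serve; [] means accept.

    Two independent checks, since an uploader controls both manifest and files:
    (1) manifest Default entries mapped to an active content type and
    (2) files under RegisteredResources whose extension is not allowlisted.
    """
    bad = set()
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        # Untrusted XML: production code should parse it with defusedxml instead.
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for default in root.iter(CT_NS + "Default"):
            ctype = default.get("ContentType", "").split(";")[0].strip().lower()
            if ctype in ACTIVE_CONTENT_TYPES:
                bad.add(default.get("Extension", "").lower())
        for name in zf.namelist():
            if name.startswith(RESOURCE_DIR) and not name.endswith("/"):
                if _ext(name) not in ALLOWED_RESOURCE_TYPES:
                    bad.add(_ext(name))
    return sorted(bad)


def resource_headers(name: str) -> dict[str, str]:
    """Response headers for one RegisteredResources item.

    Allowlisted images get a fixed image type; anything else is forced to a
    download so the browser never renders it inline. nosniff stops the browser
    from second-guessing the declared type.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    ctype = ALLOWED_RESOURCE_TYPES.get(_ext(name))
    if ctype is None:
        safe = "".join(c for c in posixpath.basename(name) if c not in '"\r\n')
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe
    else:
        headers["Content-Type"] = ctype
    return headers


def build_package(parts: dict[str, bytes]) -> bytes:
    """Constructed stand-in for a .pbix: a zip holding the given parts (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed manifests; the tampered one carries the extra "html" Default line
# the advisory describes. The file bodies are placeholders: the checks never read them.
BENIGN_MANIFEST = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="png" ContentType="image/png"/>'
    b'<Default Extension="json" ContentType=""/></Types>'
)
TAMPERED_MANIFEST = BENIGN_MANIFEST.replace(
    b"</Types>", b'<Default Extension="html" ContentType="text/html"/></Types>')


def demo() -> tuple[list[str], list[str]]:
    """Run the upload check on a benign and on a tampered constructed package."""
    benign = build_package({"[Content_Types].xml": BENIGN_MANIFEST,
                            RESOURCE_DIR + "background.png": b"png-placeholder"})
    tampered = build_package({"[Content_Types].xml": TAMPERED_MANIFEST,
                              RESOURCE_DIR + "background.png": b"png-placeholder",
                              RESOURCE_DIR + "xss.html": b"html-placeholder"})
    return disallowed_extensions(benign), disallowed_extensions(tampered)


if __name__ == "__main__":
    print(demo())                        # ([], ['html'])
    print(resource_headers("xss.html"))  # forced download, not text/html
```

The two checks are deliberately redundant: the manifest check catches the edit the advisory
describes, and the folder check catches a file that is simply dropped in without a manifest
entry. Even if an unexpected file slips through upload validation, resource_headers() never
lets the browser interpret it as HTML.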
Because the upload template functionality does not correctly validate anti-CSRF tokens,
the following PoC can be used to create a new PowerBI report in the TEAM1 folder with name
ZebraBI_Income-xxe using a CSRF attack:
```
```
Workaround / Fix:
-----------------
Dangerous characters should be encoded on output according to the encoding
rules of the respective type of context. The whole code base should be analyzed
for such output and updated accordingly. For regular HTML body content, use HTML
encoding [4]:
* < -> &lt;
* > -> &gt;
* " -> &quot;
* ' -> &#x27;
* & -> &amp;
Furthermore, the application should include a random token that changes for each
user session. If the server receives a request that does not include the correct
token, it should reject the request. [5]
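Both fixes above in working code, as an added example that is not Compass Security's or
Microsoft's code: html_encode() applies the five-character table for an HTML body context,
and issue_csrf_token()/csrf_request_allowed() implement the per-session random token with a
constant-time comparison. handle_upload(), the session dictionary and the report names are
constructed stand-ins for an upload endpoint; the real server's API is not on the page.

```python
import hmac
import secrets

# Output encoding for an HTML body context: the five characters from the fix
# section mapped to character references ('&#x27;' is accepted by every HTML parser).
HTML_BODY_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def html_encode(value: str) -> str:
    """Encode untrusted text for insertion into an HTML body.

    One pass, one lookup per character; replacements are never rescanned, so the
    '&' mapping cannot double-encode. The stdlib's html.escape(value, quote=True)
    produces the same table.
    """
    return "".join(HTML_BODY_ESCAPES.get(ch, ch) for ch in value)


def issue_csrf_token(sessions: dict, session_id: str) -> str:
    """Create the per-session anti-CSRF token and remember it server-side.

    The token is handed to the page (hidden form field or JS-readable value), so
    only same-origin code can send it back. A cross-site page gets the session
    cookie attached automatically by the browser but can never read this value.
    """
    token = secrets.token_urlsafe(32)
    sessions[session_id] = token
    return token


def csrf_request_allowed(sessions: dict, session_id: str, method: str, submitted) -> bool:
    """True if the request may proceed: safe methods always, state-changing
    methods only with the exact token bound to the caller's session."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = sessions.get(session_id)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_upload(sessions: dict, session_id: str, method: str, token, report_name: str):
    """Hypothetical upload endpoint: reject forged requests, encode the echoed name."""
    if not csrf_request_allowed(sessions, session_id, method, token):
        return 403, "<p>Request rejected: missing or invalid anti-CSRF token.</p>"
    return 200, "<p>Report " + html_encode(report_name) + " uploaded.</p>"


def demo() -> list[tuple[int, str]]:
    """Constructed scenario: one legitimate upload, then two forged ones."""
    sessions = {}
    token = issue_csrf_token(sessions, "session-A")  # handed out when the page loads
    same_origin = handle_upload(sessions, "session-A", "POST", token,
                                'Q1 <b>"Income"</b> & more')
    # A cross-site form post carries the cookie (session-A) but no readable token.
    no_token = handle_upload(sessions, "session-A", "POST", None, "Forged")
    wrong_token = handle_upload(sessions, "session-A", "POST", "guess", "Forged")
    return [same_origin, no_token, wrong_token]


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

The token check only works because the token is never stored where a foreign origin can read
it, and only if every state-changing endpoint (the upload handler here) consults it; a check
that is skipped for one endpoint leaves that endpoint exactly as exposed as the advisory
describes.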
Timeline:
---------
2021-08-10: Discovery by Emanuele Barbeno
2021-08-11: Initial vendor notification
2021-08-12: Initial vendor response
2021-11-09: Assigned CVE-2021-41372
2022-05-02: Public disclosure
References:
-----------
[1] https://powerbi.microsoft.com/en-us/report-server/
[2] https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
[3] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
[4] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[5] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html