XSS in OWA allows stealing windows domain user credentials Jul 05 2003 08:14PM
Hugo Vázquez Caramés (overclocking_a_la_abuela hotmail com)

-2 vulnerabilities in OWA.

-Vendor contacted

Microsoft Outlook Web Access comes with a feature that

allows script filtering on HTML formatted mail

attachments.It is possible for an attacker to make a

request in a particular way so that OWA does not filter

the attachment causing the script to execute. Be aware

that this is not the same issue of bid 3650 nor

bid 2832... In those attack scenarios the trick seemed

to be a special obfuscated script code that would

bypass the filtering protection of the OWA.

Our attack is based on the fact that it is possible to

force the OWA to not apply it's filtering engine.

Microsoft OWA allows the user to view an HTML formatted

attachment. The URL to access the attachment in this

way has a parameter (Security) that, if not

present in the query, will completely disable any kind

of script filtering. An attacker can trick an OWA user

to make such kind of request with a malicious link in

the body of the message (links are allowed). The

attacker needs to know the IP or the host name of the

Exchange server in order to succefully construct the

link, but all the info the attacker needs can easily be

obatined in te "Referer" header of an HTTP request from

a link in the message body of the vitim. So the attack

procedure will be:

1) a link in message body making a request to the

attacker's box will provide

him the info (in the referer) of the name/ip, etc of

the Exchange.

2) a link in the body of a new message will do the job

of calling for an

attachment without the script filtering feature.

Note: this attack is similar to our "XSS Antivirus

Bypass" of Hotmail:


Bad news are not the XSS, although it provides mail

access, session hijacking,etc... Bad news are that the

Cross Site Scripting present in the OWA allows the

attacker to automatically obtain the domain name,

username and password in of the victim.

The session tracking in the OWA uses cookies and "Basic

Auth", we do not know if there's also any kind of IP


The Basic Auth string is the name of the domain, the

username and password base64 encoded...so it is trivial

to decode it.How a to retrieve this info?

The OWA is over an Internet Information Server, wich,

by default, allows "TRACE" method in HTTP requests :-)

A javascript using ActiveX or extended XML can do a

TRACE http request, and send the response (wich has the

"Basic Auth" header content) to the attacker.

So it's important to notice that we are talking of 2


1) Javascript filtering bypass

2) User domain credentials retrieval

User domain credentials can not be encoded in this way


This practice is very dangerous, and any future Cross

Site Scripting in the OWA could be used to access those


Soon we will provide a proof of concept exploit to show

how this two vulnerabilities can be exploited toghether


Hugo Vázquez Caramés & Toni Cortés Martínez

Infohacking Team


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus