<<< Date Index >>>     <<< Thread Index >>>

Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]



I found and reported this back in 2005/2006. Microsoft told me that it
had been reported previously and that it would be fixed in the next
release, which I'm guessing they meant 2007. I do not know if they
have fixed it in Exchange 2007.

On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti
<piergiorgio@xxxxxxxxxxx> wrote:
> Hi all,
> also I've found this vulnerability 1 year ago during a pt and work fine
> with url obfuscation. I've read that with owa 2007 this vulnerability is
> patched but I don't have tried yet.
>
> Best regards,
> Piergiorgio
>
>
> Giuseppe Gottardi ha scritto:
>> Davide, let me comfort you...
>>
>> I found this vulnerability 1 year ago during a penetration test
>> activity and I never reported before for my negligence :-)
>>
>> https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0
>>
>> Best regards,
>> oveRet
>>
>>
>> On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote:
>> Hi,
>>
>>> I found and notified this vulnerability to Microsoft in date:
>>>
>>> Tue, 10 Apr 2007 15:40:13 +0200
>>>
>>> You read exactly, April 2007, 1 year and 6 months ago. :(
>>>
>>> The Microsoft Security Response Center opened the case ID MSRC 7368br.
>>>
>>> The bug has never been patched since 1 year and 6 months.
>>> I asked time to time for updates but they always answered me that the
>>> bug had to be patched with the next Service Pack and they did not have
>>> any ETA.
>>>
>>> This SP has still to be released.
>>>
>>> They told me that if I released the vulnerability prior to the official
>>> patch, I could not be officially credited for that. I tought it was not
>>> a critical vuln, and so I waited. Too much (?).
>>>
>>> I am a bit sorry for Microsoft, I think they lost an other chance since
>>> now I feel a bit tricked. I am not sure if the next time I will wait so
>>> much and I am not sure if I will suggest to anyone to wait for the
>>> patch. I just hope Microsoft will credit me in the official patch. :(
>>>
>>> Below you can find the first mail I wrote to MS regarding the issue.
>>>
>>> Best regards,
>>>
>>> Davide Del Vecchio.
>>>
>>>
>>> From: "Davide Del Vecchio" <dante@xxxxxxxxxxxxx>
>>> To: secure@xxxxxxxxxxxxx
>>>
>>> Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness
>>> Date: Tue, 10 Apr 2007 15:40:13 +0200
>>>
>>> Hello,
>>>
>>> I found a weakness in Microsoft Outlook Web Access (OWA), which
>>> potentially can be exploited by malicious people to conduct phishing
>>> attacks.
>>> The weakness is caused due to a design error in the way OWA uses an
>>> unverified user supplied argument to redirect a user after successful
>>> authentication.
>>> This can e.g. be exploited by tricking a user into following a link from
>>> a HTML document to the trusted login page with a malicious "url" parameter.
>>> After successful authentication, the user will be redirected to the
>>> untrusted (fake) site.
>>>
>>> The affected product is:
>>> Microsoft Outlook Web Access ( OWA )
>>> Windows 2003
>>>
>>> Examples:
>>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com
>>>
>>> this will take the user to http://www.example.com when the login box
>>> is pressed.
>>>
>>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
>>> prompts the user to download an executable or other file.
>>>
>>> The attacker can then have a page to capture the user / password
>>> and redirect back to the original login page or some other form of
>>> phishing attack.
>>>
>>> Note that this vulnerability is very similar to the one affecting
>>> "owalogin.asp" described here:
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420
>>>
>>> Best regards,
>>>
>>> Davide Del Vecchio.
>>>
>>> Martin Suess ha scritto:
>>>
>>> ...
>>>
>>>
>>>> Timeline:
>>>> ---------
>>>> Vendor Status:      MSRC tracking case closed
>>>> Vendor Notified:    March 31st 2008
>>>> Vendor Response:    May 6th 2008
>>>> Advisory Release:   October 15th 2008
>>>> Patch available:    - (vulnerability not high priority)
>>>>
>>>
>>
>>
>>
>
>
> --
> +----------------------------------------------------------------------+
> | Ing. Piergiorgio Venuti, CCSP                                        |
> | 0x5ECFE022     -    B44B C817 3793 C7C7 2734 F898 DE03 8961 5ECF E022|
> +----------------------------------------------------------------------+
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>