------------------------------------------------------------
- EXPL-A-2005-001 exploitlabs.com Advisory 030 -
------------------------------------------------------------
- Microsoft Outlook Web Access -

OVERVIEW
========
A vulnerability in Microsoft Outlook Web Access allows malicious attackers to redirect the login to any URL they wish. This allows the attacker to force the user to a site of the attacker's choosing, enabling social engineering and phishing style attacks.

AFFECTED PRODUCTS
=================
Microsoft Outlook Web Access ( OWA )
Windows 2003

DETAILS
=======
By using a specially crafted URL an attacker can cause the user to be redirected to an arbitrary URL.

ATTACK PROFILE
==============
An attacker could gather known user email addresses for a company that uses OWA. By appending an obfuscated redirect URL with an encoded URL such as

https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/

this will take the user to http://example.com when the login button is pressed. The attacker can then have a page to capture the username / password and redirect back to the original login page, or some other form of phishing attack.

SOLUTION
========
Microsoft was contacted on Jan 20, 2005.
NO patch has been produced to correct the vulnerability.
They have issued the following on Jan 21, 2005 ( see VENDOR RESPONSE ).
This release is dated Jan 25, 2005.

PROOF OF CONCEPT
================
1. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost]
2. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost/file.exe]

Click "login" after injection into the form; the source reveals...
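The weakness described above is an open redirect: the url parameter is handed to the browser unchecked, and the packed-decimal host in the example (http://3221234342/) shows why a naive "does it contain a dotted IP or a known bad hostname" filter is not enough. The following is an added defensive example, not code from the advisory or from Microsoft. It assumes a policy where the login page only ever needs to send the user to a path on its own host, so the validator accepts nothing but a same-site absolute path; the request lines in SAMPLE_LOG and the hostname attacker.example are constructed for the demonstration.

```python
"""Validate an open-redirect parameter (such as OWA's owalogon.asp?url=) and
audit request logs for values that would have sent a user off-site."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed request-log lines shaped like the advisory's PoC URLs (not real traffic).
SAMPLE_LOG = [
    "GET /exchweb/bin/auth/owalogon.asp?url=/exchange/ HTTP/1.1",
    "GET /exchweb/bin/auth/owalogon.asp?url=http://3221234342/ HTTP/1.1",
    "GET /exchweb/bin/auth/owalogon.asp?url=//attacker.example/login HTTP/1.1",
    "GET /exchweb/bin/auth/owalogon.asp?url=%2F%2Fattacker.example HTTP/1.1",
    "GET /exchweb/bin/auth/owalogon.asp?url=/exchange/..\\..\\evil HTTP/1.1",
]


def decode_numeric_host(host):
    """Return the dotted-quad form of a host written as one bare integer
    (decimal or 0x-hex), or None if it is not one. The advisory's
    http://3221234342/ is such a host: browsers accept it as an IPv4 address."""
    try:
        n = int(host, 0)  # base 0 accepts 3221234342 and 0xC00022A6 alike
    except ValueError:
        return None
    if not 0 <= n <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def is_safe_redirect(value):
    """Accept only a same-site absolute path. Rejects anything with a scheme
    or authority, protocol-relative '//host' forms (also percent-encoded),
    backslashes (browsers treat '\\' like '/'), and control characters."""
    target = unquote(value)
    if "\\" in target or any(c in target for c in "\r\n\t"):
        return False
    if target.startswith("//"):  # catches '///host' too, which urlsplit folds away
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return parts.path.startswith("/")


# Pull the url= parameter out of a request line for the login page.
PARAM_RE = re.compile(r"owalogon\.asp\?(?:[^ ]*&)?url=([^ &]*)")


def classify(line):
    """Return (url_value, verdict) for a request line, or None if it carries
    no url parameter. Rejected values report the decoded target host so an
    analyst sees 192.0.34.166 rather than the obfuscated 3221234342."""
    m = PARAM_RE.search(line)
    if not m:
        return None
    value = m.group(1)
    if is_safe_redirect(value):
        return value, "ok"
    host = urlsplit(unquote(value)).netloc.split("@")[-1].split(":")[0]
    ip = decode_numeric_host(host) if host else None
    return value, f"rejected host={ip or host or '-'}"


def audit_log(lines):
    """Run classify over request lines, dropping lines without a url parameter."""
    results = []
    for line in lines:
        r = classify(line)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for value, verdict in audit_log(SAMPLE_LOG):
        print(f"{verdict:40s} {value}")
```

The same is_safe_redirect check belongs server-side before the Location header is emitted; the log audit is only useful for finding attempts that reached an unpatched host. Decoding the numeric host matters for triage, since 3221234342 and 192.0.34.166 are the same destination but only the latter will match a reputation list.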