------------------------------------------------------------
- EXPL-A-2005-001 exploitlabs.com Advisory 030 -
------------------------------------------------------------
- Microsoft Outlook Web Access -

OVERVIEW
========
A vulnerability in Microsoft Outlook Web Access allows an attacker to redirect the login to any URL they wish. This lets the attacker send the user to a site of the attacker's choosing, enabling social engineering and phishing-style attacks.

AFFECTED PRODUCTS
=================
Microsoft Outlook Web Access ( OWA )
Windows 2003

DETAILS
=======
By using a specially crafted URL, an attacker can cause the user to be redirected to an arbitrary URL.

ATTACK PROFILE
==============
An attacker could gather known user email addresses for a company that uses OWA. By appending an obfuscated redirect URL with an encoded host, such as

https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/

the user is taken to http://example.com when the login button is pressed. The attacker can then have a page that captures the username / password and redirects back to the original login page, or mount some other form of phishing attack.

SOLUTION
========
Microsoft was contacted on Jan 20, 2005.
NO patch has been produced to correct the vulnerability.
They issued the following on Jan 21, 2005 ( see VENDOR RESPONSE ).
This release is dated Jan 25, 2005.

PROOF OF CONCEPT
================
1. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost]
2. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost/file.exe]

click "login" after injection into the form, the source reveals...

note: the [otherhost] may easily be obfuscated so as not to alarm the targeted user(s), such as
https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/ ( http://example.com )

notes:
example 1 redirects the user to a URL of the attacker's choosing.
example 2 prompts the user to download an executable or other file. This could be used in conjunction with the aforementioned attack scenario.

CREDITS
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs.com

Donnie Werner
se_cur_ity@hotmail.com
morning_wood@zone-h.org
--
Web: http://exploitlabs.com
http://zone-h.org

VENDOR RESPONSE
===============

researcher initial:
-------------------
Dear Microsoft,

The following discusses a potential security vulnerability affecting one of your products. We are bringing it to your attention in order to assist you in investigating it and determining the appropriate actions, and have provided preliminary information about the potential vulnerability below.

Please read our disclosure policy, available at http://www.exploitlabs.com/disclosure-policy.html if you have any questions.

Please confirm using the contact information I have provided below that you have received this note.

We look forward to working with you,

Exploitlabs Research Team
Donnie Werner
se_cur_ity@hotmail.com

vendor response 1
-----------------
Hello Donnie,

Thanks very much for contacting us. We have investigated reports of this behavior in the past and plan to fix it in the next major release of Exchange. Please let me know if you have further questions.

Thanks,
Christopher, CISSP

researcher initial 2
--------------------
Christopher,

when is the "next major release of Exchange" due? I think it may be in the interest of admins to know this flaw exists, and to possibly alert their users of potential phishing attacks and to help secure their systems.

Exchange 2003 OWA is used extensively in corporate environments, where this flaw will have the most impact. Being this is a moderate remote threat, this researcher feels that PUBLIC FULL DISCLOSURE is needed. Possibly MS would be willing to issue a statement to the public regarding this issue at this time.

regards,
Donnie Werner ( no fancy letters )

vendor response 2
-----------------
(none)
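As an added example (not code from the advisory, from exploitlabs.com or from Microsoft), the following Python reviews the `url` parameter of an owalogon.asp request the way the DETAILS and PROOF OF CONCEPT sections describe it: it decodes a host written as a bare decimal or 0x-hex integer (the 3221234342 form shown above) into dotted-quad form for log review, and applies the kind of allow-list a login redirect parameter needs, accepting only a site-relative path or an https URL on the OWA host itself. The host `owa.example.com`, the sample requests and all function names are constructed assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample host and requests (placeholders, not values from the advisory).
OWA_HOST = "owa.example.com"
LOGON = "https://owa.example.com/exchweb/bin/auth/owalogon.asp?url="
SAMPLE_REQUESTS = [
    LOGON + "http://3221234342/",                       # decimal-IP obfuscated off-host target
    LOGON + "http://other.example.net/file.exe",       # plain off-host target
    LOGON + "//other.example.net/",                    # scheme-relative, still off-host
    LOGON + "/exchange/",                              # relative path on the OWA host
    LOGON + "https://owa.example.com/exchange/inbox",  # absolute URL on the OWA host
]

def decode_int_host(host):
    """Render a host written as one decimal or 0x-hex integer as dotted-quad.
    Anything else (a normal hostname, an out-of-range number) is returned unchanged."""
    try:
        value = int(host, 16) if host.lower().startswith("0x") else int(host)
    except ValueError:
        return host
    if 0 <= value <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(value))
    return host

def redirect_target(login_url):
    """Return the (percent-decoded) `url` parameter of a login request, or None."""
    values = parse_qs(urlsplit(login_url).query).get("url")
    return values[0] if values else None

def is_safe_redirect(target, owa_host):
    """Allow only a site-relative path or an https URL on the OWA host itself."""
    if target is None:
        return True                       # no redirect requested
    if target[:2] in ("//", "/\\"):
        return False                      # browsers treat both as scheme-relative (off-host)
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")     # relative path: stays on the OWA host
    return parts.scheme == "https" and parts.hostname == owa_host.lower()

def review(login_url, owa_host=OWA_HOST):
    """Summarise one login request: requested target, de-obfuscated host, verdict."""
    target = redirect_target(login_url)
    host = urlsplit(target).hostname if target else None
    return {
        "target": target,
        "host": decode_int_host(host) if host else None,
        "safe": is_safe_redirect(target, owa_host),
    }
```

Run `review()` over each entry of `SAMPLE_REQUESTS` (or over the `url` values pulled from web server logs) to see which requests carried an off-host target and what the obfuscated host actually resolves to.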