Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Context IS Advisory - MS08-39 OWA XSS
From: Context IS - Disclosure <disclosure () contextis co uk>
Date: Thu, 10 Jul 2008 10:43:11 +0100

===============================ADVISORY===============================

Systems Affected:    Microsoft Outlook Web Access 2003 and 2007
                         (Exchange Server 2003 SP2, Exchange Server 2007,
                         Exchange Server 2007 SP1)
Severity:            High
Category:            Cross Site Scripting, Cross Site Request Forgery
Author:              Context Information Security Ltd
Reported to vendor:  10th January 2008
Advisory Issued:     10th July 2008

===============================ADVISORY===============================


Description
-----------

Several Cross Site Scripting vulnerabilities were found in within Outlook Web Access (OWA) 2003/2007.  An attacker can 
craft a malicious email which will trigger within a user's browser.  Different version of OWA and different clients 
(Light and Premium) have different attack vectors which can result in an attacker gaining *persistent* control over a 
victim's use of Outlook Web Access. An attacker would have full control and access to the victims e-mail account. This 
control could be further abused by utilising techniques such as JavaScript root-kits or web worms.


Analysis
--------

An attacker can craft a malicious email which contains the attack strings to compromise an OWA client.  The user would 
only need to view the email to be victim to the XSS attack. Furthermore, persistent XSS can be gained by changing 
certain values within OWA to a particular XSS attack string. This string (consisting of HTML/JavaScript) is 
subsequently injected into *any* page which uses this value, including "new email", "reply email" (for OWA 2003) and 
most pages (for OWA 2007).  Logging out of the application and back in will not clear the attack.  Furthermore, the 
attack can be propagated by using the control over the OWA client to email the attack link to all users in the victim's 
inbox/contacts.

At this point the attack would spread as a XSS worm (albeit one requiring the user to view the incoming email). This 
could potentially affect all users of the OWA application.


Technologies Affected
---------------------

Microsoft Exchange Server 2003
Microsoft Exchange Server 2007
Microsoft Exchange Server 2007 SP1


Vendor Response
---------------

On 9th July 2008, Microsoft issued a security bulletin MS08-039 and an associated patch for Exchange Server 2003 and 
Exchange Server 2007 SP1

Patches are available from:

http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx

Context would recommend that these patches be installed as soon as practical to all Exchange Servers providing OWA 
functionality.


CVE
---

This issue has been assigned CVE numbers CVE-2008-2247 and CVE-2008-2248.


Disclosure Timeline
-------------------

10 January 2008  - Initial Discovery and vendor notification.
14th January 2008 - Vendor response requesting further details.
14th March 2008 - Vendor response requesting PoC. PoC provided.
9th July 2008 - Vendor advisory release.
10th July 2008 - Context Information Security Ltd advisory release.


Credits
--------

Michael Jordon of Context Information Security Ltd


About Context Information Security
----------------------------------

Context Information Security Limited is a specialist information security consultancy based in London and Frankfurt. 
Context promotes the holistic approach to information security and helps clients to identify, assess and control their 
exposure to risk within the fields of IT, telephony and physical security. Context employs experienced information 
security professionals who are subject-matter experts in their various technical specialism's.  Context works 
extensively within the finance, legal, defence and government sectors, delivering high-end information security 
projects to organisations for which security is a priority.

Web:            www.contextis.co.uk
Email:  disclosure () contextis co uk




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Context IS Advisory - MS08-39 OWA XSS Context IS - Disclosure (Jul 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]