Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]

From: "Elazar Broad" <elazar () hushmail com>
Date: Sat, 15 Nov 2008 20:26:45 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A quick test of OWA 2007 shows that it is not vulnerable...

On Sat, 15 Nov 2008 11:36:26 -0500 Micheal Cottingham
<techie.micheal () gmail com> wrote:

I found and reported this back in 2005/2006. Microsoft told me
that it
had been reported previously and that it would be fixed in the
next
release, which I'm guessing they meant 2007. I do not know if they
have fixed it in Exchange 2007.

On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti
<piergiorgio () gigasec org> wrote:

Hi all,
also I've found this vulnerability 1 year ago during a pt and

work fine

with url obfuscation. I've read that with owa 2007 this

vulnerability is

patched but I don't have tried yet.

Best regards,
Piergiorgio


Giuseppe Gottardi ha scritto:

Davide, let me comfort you...

I found this vulnerability 1 year ago during a penetration test
activity and I never reported before for my negligence :-)



https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.as
p%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0


Best regards,
oveRet


On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote:
Hi,


I found and notified this vulnerability to Microsoft in date:

Tue, 10 Apr 2007 15:40:13 +0200

You read exactly, April 2007, 1 year and 6 months ago. :(

The Microsoft Security Response Center opened the case ID MSRC

7368br.


The bug has never been patched since 1 year and 6 months.
I asked time to time for updates but they always answered me

that the

bug had to be patched with the next Service Pack and they did

not have

any ETA.

This SP has still to be released.

They told me that if I released the vulnerability prior to the

official

patch, I could not be officially credited for that. I tought

it was not

a critical vuln, and so I waited. Too much (?).

I am a bit sorry for Microsoft, I think they lost an other

chance since

now I feel a bit tricked. I am not sure if the next time I

will wait so

much and I am not sure if I will suggest to anyone to wait for

the

patch. I just hope Microsoft will credit me in the official

patch. :(


Below you can find the first mail I wrote to MS regarding the

issue.


Best regards,

Davide Del Vecchio.


From: "Davide Del Vecchio" <dante () alighieri org>
To: secure () microsoft com

Subject: Microsoft Outlook Web Access "redir.asp" Redirection

Weakness

Date: Tue, 10 Apr 2007 15:40:13 +0200

Hello,

I found a weakness in Microsoft Outlook Web Access (OWA),

which

potentially can be exploited by malicious people to conduct

phishing

attacks.
The weakness is caused due to a design error in the way OWA

uses an

unverified user supplied argument to redirect a user after

successful

authentication.
This can e.g. be exploited by tricking a user into following a

link from

a HTML document to the trusted login page with a malicious

"url" parameter.

After successful authentication, the user will be redirected

to the

untrusted (fake) site.

The affected product is:
Microsoft Outlook Web Access ( OWA )
Windows 2003

Examples:
https://[owa-

url]/exchweb/bin/redir.asp?URL=http://www.example.com


this will take the user to http://www.example.com when the

login box

is pressed.

https://[owa-

url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe

prompts the user to download an executable or other file.

The attacker can then have a page to capture the user /

password

and redirect back to the original login page or some other

form of

phishing attack.

Note that this vulnerability is very similar to the one

affecting

"owalogin.asp" described here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420

Best regards,

Davide Del Vecchio.

Martin Suess ha scritto:

...



Timeline:
---------
Vendor Status:      MSRC tracking case closed
Vendor Notified:    March 31st 2008
Vendor Response:    May 6th 2008
Advisory Release:   October 15th 2008
Patch available:    - (vulnerability not high priority)










--
+----------------------------------------------------------------

------+

| Ing. Piergiorgio Venuti, CCSP

     |

| 0x5ECFE022     -    B44B C817 3793 C7C7 2734 F898 DE03 8961

5ECF E022|

+----------------------------------------------------------------

------+


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkkfdtUACgkQi04xwClgpZj1/gP/VtLOffJOWpY5N8Kn7dmxWmQvUwcE
bMr95/K38W+ied5X7apy2Ia+jtpgX8d5A0BcO4qga22bcRB90VDTaG0+/cTsylhq1E0M
kfRLs5kJz5As+gAXv28G2sQ8plIDsGkA2eo9dERiuYpH6fvdVnEC3z0B1DnHTcN8mM+G
CE+62tc=
=7suT
-----END PGP SIGNATURE-----

--
Click for free info on getting an MBA, $200K/ year potential.
http://tagline.hushmail.com/fc/PnY6qxsZwT4rGVHbB4AisvjVw0XZavmA0GT3ROwrGeggWcBAI8H5O/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: