Re: [Full-disclosure] MS OWA 2003 Redirection Vulnerability - [MSRC 7368br]

["Micheal Cottingham" <techie.micheal () gmail com>]

I found and reported this back in 2005/2006. Microsoft told me that it
had been reported previously and that it would be fixed in the next
release, which I'm guessing they meant 2007. I do not know if they
have fixed it in Exchange 2007.

On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti
<piergiorgio () gigasec org> wrote:
> Hi all,
> also I've found this vulnerability 1 year ago during a pt and work fine
> with url obfuscation. I've read that with owa 2007 this vulnerability is
> patched but I don't have tried yet.
>
> Best regards,
> Piergiorgio
>
>
> Giuseppe Gottardi ha scritto:
> > Davide, let me comfort you...
> >
> > I found this vulnerability 1 year ago during a penetration test
> > activity and I never reported before for my negligence :-)
> >
> > https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0
> >
> > Best regards,
> > oveRet
> >
> >
> > On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote:
> > Hi,
> >
> > > I found and notified this vulnerability to Microsoft in date:
> > >
> > > Tue, 10 Apr 2007 15:40:13 +0200
> > >
> > > You read exactly, April 2007, 1 year and 6 months ago. :(
> > >
> > > The Microsoft Security Response Center opened the case ID MSRC 7368br.
> > >
> > > The bug has never been patched since 1 year and 6 months.
> > > I asked time to time for updates but they always answered me that the
> > > bug had to be patched with the next Service Pack and they did not have
> > > any ETA.
> > >
> > > This SP has still to be released.
> > >
> > > They told me that if I released the vulnerability prior to the official
> > > patch, I could not be officially credited for that. I tought it was not
> > > a critical vuln, and so I waited. Too much (?).
> > >
> > > I am a bit sorry for Microsoft, I think they lost an other chance since
> > > now I feel a bit tricked. I am not sure if the next time I will wait so
> > > much and I am not sure if I will suggest to anyone to wait for the
> > > patch. I just hope Microsoft will credit me in the official patch. :(
> > >
> > > Below you can find the first mail I wrote to MS regarding the issue.
> > >
> > > Best regards,
> > >
> > > Davide Del Vecchio.
> > >
> > >
> > > From: "Davide Del Vecchio" <dante () alighieri org>
> > > To: secure () microsoft com
> > >
> > > Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness
> > > Date: Tue, 10 Apr 2007 15:40:13 +0200
> > >
> > > Hello,
> > >
> > > I found a weakness in Microsoft Outlook Web Access (OWA), which
> > > potentially can be exploited by malicious people to conduct phishing
> > > attacks.
> > > The weakness is caused due to a design error in the way OWA uses an
> > > unverified user supplied argument to redirect a user after successful
> > > authentication.
> > > This can e.g. be exploited by tricking a user into following a link from
> > > a HTML document to the trusted login page with a malicious "url" parameter.
> > > After successful authentication, the user will be redirected to the
> > > untrusted (fake) site.
> > >
> > > The affected product is:
> > > Microsoft Outlook Web Access ( OWA )
> > > Windows 2003
> > >
> > > Examples:
> > > https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com
> > >
> > > this will take the user to http://www.example.com when the login box
> > > is pressed.
> > >
> > > https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
> > > prompts the user to download an executable or other file.
> > >
> > > The attacker can then have a page to capture the user / password
> > > and redirect back to the original login page or some other form of
> > > phishing attack.
> > >
> > > Note that this vulnerability is very similar to the one affecting
> > > "owalogin.asp" described here:
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420
> > >
> > > Best regards,
> > >
> > > Davide Del Vecchio.
> > >
> > > Martin Suess ha scritto:
> > >
> > > ...
> > >
> > >
> > > > Timeline:
> > > > ---------
> > > > Vendor Status:      MSRC tracking case closed
> > > > Vendor Notified:    March 31st 2008
> > > > Vendor Response:    May 6th 2008
> > > > Advisory Release:   October 15th 2008
> > > > Patch available:    - (vulnerability not high priority)
>
>
> --
> +----------------------------------------------------------------------+
> | Ing. Piergiorgio Venuti, CCSP                                        |
> | 0x5ECFE022     -    B44B C817 3793 C7C7 2734 F898 DE03 8961 5ECF E022|
> +----------------------------------------------------------------------+
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/