[CSO10002] Attachment path traversal in Outlook Web Access

["Ricardo Martins - Chief Security Officers" <ricardo.martins () cso pt>]

This trick is mostly useful but can also be used for wrong purposes. Since it is so simple, it’s probably already known 
for some people.

If someone sends you a file through OWA but the file is blocked by a policy, this is what you can do:

1-Install firefox
2-Access your email and attachment with the following rule:

http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML/<attachment filename>

E.g.:
http://webmail.example.com/Exchange/myusername/Inbox/virus.EML/virus.zip

The best way is to try in following order:

1- http://<hostname>/<OWA directory>/<mail box username>/Inbox – you see all your emails
2- http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML – you see only your email with the 
blocked files
3- http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML/<attachment filename> – you download 
the file

The actual address could be different for a couple of reasons. Try to check the attachment URL and use it like shown 
above.

This can also be exploited through a malicious email with a link inside pointing to the malware directly.

Server environment: Exchange/ OWA 2003 6.5.76*
Client environment: firefox 3.0.15

Ricardo Martins
CISA, ISO 27001/20000 LA
Compliance & Consulting Manager
 
Tel: +351 210 111 616     Fax: +351 210 111 618     www.cso.pt     info () cso pt 
 
______________________________
 
Chief Security Officers, SA.
Edificio Infante D. Henrique
Rua João Chagas, 53 - 1º Esq.
1495-764 Dafundo
Portugal
 
empresa do grupo
Art of Knowledge
 
  Pense no Ambiente antes de imprimir / Consider the Environment before printing