I found and reported this back in 2005/2006. Microsoft told me that it had
been reported previously and that it would be fixed in the next release,
which I'm guessing they meant 2007. I do not know if they have fixed it in
Exchange 2007.

On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti <piergiorgio@xxxxxxxxxxx> wrote:
> Hi all,
> I also found this vulnerability 1 year ago during a pt and it works fine
> with URL obfuscation. I've read that with OWA 2007 this vulnerability is
> patched, but I haven't tried it yet.
>
> Best regards,
> Piergiorgio
>
>
> Giuseppe Gottardi wrote:
>> Davide, let me comfort you...
>>
>> I found this vulnerability 1 year ago during a penetration test
>> activity and I never reported it before, due to my negligence :-)
>>
>> https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0
>>
>> Best regards,
>> oveRet
>>
>>
>> On Fri, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote:
>>> Hi,
>>>
>>> I found and notified this vulnerability to Microsoft on:
>>>
>>> Tue, 10 Apr 2007 15:40:13 +0200
>>>
>>> You read exactly: April 2007, 1 year and 6 months ago. :(
>>>
>>> The Microsoft Security Response Center opened the case ID MSRC 7368br.
>>>
>>> The bug has never been patched in 1 year and 6 months.
>>> I asked from time to time for updates but they always answered me that the
>>> bug had to be patched with the next Service Pack and they did not have
>>> any ETA.
>>>
>>> This SP has still to be released.
>>>
>>> They told me that if I released the vulnerability prior to the official
>>> patch, I could not be officially credited for that. I thought it was not
>>> a critical vuln, and so I waited. Too much (?).
>>>
>>> I am a bit sorry for Microsoft, I think they lost another chance since
>>> now I feel a bit tricked. I am not sure if the next time I will wait so
>>> much and I am not sure if I will suggest to anyone to wait for the
>>> patch.
>>> I just hope Microsoft will credit me in the official patch. :(
>>>
>>> Below you can find the first mail I wrote to MS regarding the issue.
>>>
>>> Best regards,
>>>
>>> Davide Del Vecchio.
>>>
>>>
>>> From: "Davide Del Vecchio" <dante@xxxxxxxxxxxxx>
>>> To: secure@xxxxxxxxxxxxx
>>>
>>> Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness
>>> Date: Tue, 10 Apr 2007 15:40:13 +0200
>>>
>>> Hello,
>>>
>>> I found a weakness in Microsoft Outlook Web Access (OWA), which
>>> can potentially be exploited by malicious people to conduct phishing
>>> attacks.
>>> The weakness is caused by a design error in the way OWA uses an
>>> unverified user-supplied argument to redirect a user after successful
>>> authentication.
>>> This can e.g. be exploited by tricking a user into following a link from
>>> an HTML document to the trusted login page with a malicious "url" parameter.
>>> After successful authentication, the user will be redirected to the
>>> untrusted (fake) site.
>>>
>>> The affected product is:
>>> Microsoft Outlook Web Access (OWA)
>>> Windows 2003
>>>
>>> Examples:
>>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com
>>>
>>> this will take the user to http://www.example.com when the login box
>>> is pressed.
>>>
>>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
>>> prompts the user to download an executable or other file.
>>>
>>> The attacker can then have a page to capture the user / password
>>> and redirect back to the original login page or some other form of
>>> phishing attack.
>>>
>>> Note that this vulnerability is very similar to the one affecting
>>> "owalogin.asp" described here:
>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420
>>>
>>> Best regards,
>>>
>>> Davide Del Vecchio.
>>>
>>> Martin Suess wrote:
>>>
>>> ...
>>>
>>>
>>>> Timeline:
>>>> ---------
>>>> Vendor Status: MSRC tracking case closed
>>>> Vendor Notified: March 31st 2008
>>>> Vendor Response: May 6th 2008
>>>> Advisory Release: October 15th 2008
>>>> Patch available: - (vulnerability not high priority)
>>>>
>>>
>>
>>
>>
>
>
> --
> +----------------------------------------------------------------------+
> | Ing. Piergiorgio Venuti, CCSP                                        |
> | 0x5ECFE022 - B44B C817 3793 C7C7 2734 F898 DE03 8961 5ECF E022       |
> +----------------------------------------------------------------------+
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>