I verified that OWA 2007 is not vulnerable to the redirection attacks described below. Angelo Castigliola III EISRM - Application Security Architecture Unum Telephone: 207-575-3820 Mobile: 207-590-3630 acastigliola@xxxxxxxx -----Original Message----- From: Piergiorgio Venuti [mailto:piergiorgio@xxxxxxxxxxx] Sent: Saturday, November 15, 2008 5:34 AM To: Giuseppe Gottardi Cc: dante@xxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx; secure@xxxxxxxxxxxxx; Martin Suess Subject: Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br] Hi all, also I've found this vulnerability 1 year ago during a pt and work fine with url obfuscation. I've read that with owa 2007 this vulnerability is patched but I don't have tried yet. Best regards, Piergiorgio Giuseppe Gottardi ha scritto: > Davide, let me comfort you... > > I found this vulnerability 1 year ago during a penetration test > activity and I never reported before for my negligence :-) > > https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FU RL%3Dhttp%3A%2F%2Fwww.google.it&reason=0 > > Best regards, > oveRet > > > On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote: > Hi, > >> I found and notified this vulnerability to Microsoft in date: >> >> Tue, 10 Apr 2007 15:40:13 +0200 >> >> You read exactly, April 2007, 1 year and 6 months ago. :( >> >> The Microsoft Security Response Center opened the case ID MSRC 7368br. >> >> The bug has never been patched since 1 year and 6 months. >> I asked time to time for updates but they always answered me that the >> bug had to be patched with the next Service Pack and they did not have >> any ETA. >> >> This SP has still to be released. >> >> They told me that if I released the vulnerability prior to the official >> patch, I could not be officially credited for that. I tought it was not >> a critical vuln, and so I waited. Too much (?). >> >> I am a bit sorry for Microsoft, I think they lost an other chance since >> now I feel a bit tricked. I am not sure if the next time I will wait so >> much and I am not sure if I will suggest to anyone to wait for the >> patch. I just hope Microsoft will credit me in the official patch. :( >> >> Below you can find the first mail I wrote to MS regarding the issue. >> >> Best regards, >> >> Davide Del Vecchio. >> >> >> From: "Davide Del Vecchio" <dante@xxxxxxxxxxxxx> >> To: secure@xxxxxxxxxxxxx >> >> Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness >> Date: Tue, 10 Apr 2007 15:40:13 +0200 >> >> Hello, >> >> I found a weakness in Microsoft Outlook Web Access (OWA), which >> potentially can be exploited by malicious people to conduct phishing >> attacks. >> The weakness is caused due to a design error in the way OWA uses an >> unverified user supplied argument to redirect a user after successful >> authentication. >> This can e.g. be exploited by tricking a user into following a link from >> a HTML document to the trusted login page with a malicious "url" parameter. >> After successful authentication, the user will be redirected to the >> untrusted (fake) site. >> >> The affected product is: >> Microsoft Outlook Web Access ( OWA ) >> Windows 2003 >> >> Examples: >> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com >> >> this will take the user to http://www.example.com when the login box >> is pressed. >> >> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup .exe >> prompts the user to download an executable or other file. >> >> The attacker can then have a page to capture the user / password >> and redirect back to the original login page or some other form of >> phishing attack. >> >> Note that this vulnerability is very similar to the one affecting >> "owalogin.asp" described here: >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420 >> >> Best regards, >> >> Davide Del Vecchio. >> >> Martin Suess ha scritto: >> >> ... >> >> >>> Timeline: >>> --------- >>> Vendor Status: MSRC tracking case closed >>> Vendor Notified: March 31st 2008 >>> Vendor Response: May 6th 2008 >>> Advisory Release: October 15th 2008 >>> Patch available: - (vulnerability not high priority) >>> >> > > > -- +----------------------------------------------------------------------+ | Ing. Piergiorgio Venuti, CCSP | | 0x5ECFE022 - B44B C817 3793 C7C7 2734 F898 DE03 8961 5ECF E022| +----------------------------------------------------------------------+
