-2 vulnerabilities in OWA.
-Vendor contacted

Microsoft Outlook Web Access comes with a feature that
allows script filtering on HTML formatted mail
attachments. It is possible for an attacker to make a
request in a particular way so that OWA does not filter
the attachment, causing the script to execute. Be aware
that this is not the same issue as bid 3650 or
bid 2832. In those attack scenarios the trick seemed
to be specially obfuscated script code that would
bypass the filtering protection of the OWA.

Our attack is based on the fact that it is possible to
force the OWA not to apply its filtering engine.
Microsoft OWA allows the user to view an HTML formatted
attachment. The URL to access the attachment in this
way has a parameter (Security) that, if not
present in the query, will completely disable any kind
of script filtering. An attacker can trick an OWA user
into making such a request with a malicious link in
the body of the message (links are allowed). The
attacker needs to know the IP or the host name of the
Exchange server in order to successfully construct the
link, but all the info the attacker needs can easily be
obtained from the "Referer" header of an HTTP request
made from a link in the message body of the victim. So
the attack procedure will be:

1) a link in the message body making a request to the
   attacker's box will provide him the info (in the
   referer) of the name/IP, etc. of the Exchange.
2) a link in the body of a new message will do the job
   of calling for an attachment without the script
   filtering feature.

Note: this attack is similar to our "XSS Antivirus
Bypass" of Hotmail:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/Hotmail/index.htm

The bad news is not the XSS itself, although it provides
mail access, session hijacking, etc. The bad news is that
the Cross Site Scripting present in the OWA allows the
attacker to automatically obtain the domain name,
username and password of the victim.

The session tracking in the OWA uses cookies and "Basic
Auth"; we do not know if there's also any kind of IP
tracking.
The Basic Auth string is the name of the domain, the
username and password base64 encoded... so it is trivial
to decode it. How to retrieve this info?
The OWA runs on top of an Internet Information Server,
which, by default, allows the "TRACE" method in HTTP
requests :-)

A JavaScript using ActiveX or extended XML can make a
TRACE HTTP request and send the response (which has the
"Basic Auth" header content) to the attacker.

So it's important to notice that we are talking of 2
vulnerabilities:

1) Javascript filtering bypass
2) User domain credentials retrieval

User domain credentials can not be encoded in this way
(base64)!!!

This practice is very dangerous, and any future Cross
Site Scripting in the OWA could be used to access those
credentials. 

Soon we will provide a proof of concept exploit to show
how these two vulnerabilities can be exploited together
easily.


Hugo Vázquez Caramés & Toni Cortés Martínez
Infohacking Team
http://www.infohacking.com
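
Added example (not part of the original advisory, and not Infohacking's code): a log check for the two conditions described above, run over IIS W3C extended log lines. The log sample, the /exchange/ prefix, the file paths, the "Security=x" value and the rule that HTML attachments are recognised by a .htm/.html extension are all assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C extended log sample. Hosts, paths and the Security
# value are placeholders, not taken from the advisory.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-01 10:00:01 192.0.2.10 GET /exchange/user/Inbox/msg.EML/report.htm Security=x 200
2003-01-01 10:00:07 192.0.2.10 GET /exchange/user/Inbox/msg.EML/report.htm - 200
2003-01-01 10:00:08 192.0.2.10 TRACE /exchange/ - 200
2003-01-01 10:00:09 192.0.2.11 GET /exchange/user/Inbox/ Cmd=contents 200
2003-01-01 10:00:12 192.0.2.12 GET /exchange/user/Inbox/msg.EML/a.HTML security=x 200
"""

OWA_PREFIX = "/exchange/"      # assumption: OWA virtual directory
HTML_EXT = (".htm", ".html")   # assumption: how HTML attachments are recognised


def scan(log_text):
    """Return (line_number, reason) for every suspicious request."""
    fields, findings = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed row, skip it
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        # Condition 2 of the advisory: TRACE reflects the Basic Auth header.
        if row.get("cs-method", "").upper() == "TRACE":
            findings.append((n, "TRACE request"))
        # Condition 1: attachment viewed with no Security parameter at all.
        if stem.startswith(OWA_PREFIX) and stem.endswith(HTML_EXT):
            params = parse_qs("" if query == "-" else query, keep_blank_values=True)
            if "Security" not in params:   # exact name as written in the advisory
                findings.append((n, "HTML attachment without Security parameter"))
    return findings


if __name__ == "__main__":
    for lineno, reason in scan(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

The parameter name is matched exactly as the advisory spells it, so a differently cased name is reported as missing; that errs toward false positives rather than missed requests.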


