SAP NetWeaver XSS Vulnerability

2009-01-27 Thread Martin Suess

#
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#
#
# Product:   NetWeaver/Web DynPro
# Vendor:    SAP (www.sap.com)
# CVE ID:    CVE-2008-3358
# Subject:   Cross-Site Scripting Vulnerability
# Risk:      High
# Effect:    Remotely exploitable
# Author:    Martin Suess
# Date:      January 27th 2009
#
#

Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is
possible to execute JavaScript code in the browser of a valid user
when clicking on a specially crafted URL which can be sent to the
user by email.
This vulnerability can be used to steal the user's session cookie or
redirect him to a phishing website which shows the (faked) login
screen and gets his logon credentials as soon as he tries to log in
on the faked site.

Affected:
---------
- All tested versions that are vulnerable
    SAP NetWeaver/Web DynPro
    [for detailed information, see SAP Notification 1235253]

Description:
------------
A specially crafted URL in SAP NetWeaver allows an attacker to
launch a Cross-Site Scripting attack. The resulting page contains
only the unfiltered value of the vulnerable parameter. It is possible
to create a URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:

HTTP/1.1 200 OK
Date: Fri, 18 Jul 2008 13:13:30 GMT
Server: 
content-type: text/plain
Content-Length: 67
Keep-Alive: timeout=10, max=500
Connection: Keep-Alive

test


The code only gets executed in Microsoft Internet Explorer (tested
with version 7.0.5730 only), which ignores the declared text/plain
type and sniffs the body for HTML. In Firefox (tested with version 3.0
only) it did not get executed, as Firefox interprets the content-type
header of the server response (text/plain) strictly. The text/plain
header is therefore no protection: the fix is output encoding of the
reflected parameter. The X-Content-Type-Options: nosniff header,
introduced with Internet Explorer 8, only disables this sniffing in
browsers that honour it and is defence in depth, not a substitute.
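The behaviour above, reduced to a runnable Python example that is added here and is not SAP's code: a hypothetical handler echoes a parameter (called value here; the advisory does not name the real one) unencoded with a text/plain header, the hardened form output-encodes it and adds X-Content-Type-Options: nosniff, and a small check flags responses that a sniffing browser such as the IE 7 build tested in the advisory would render as HTML.

```python
from __future__ import annotations

import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical parameter name; the advisory does not name the vulnerable one.
PARAM = "value"

# Tags a content-sniffing browser takes as evidence that a body is HTML.
HTML_TAG_RE = re.compile(r"<\s*(script|html|body|iframe|img|a|div)\b", re.I)


def _reflected(url: str) -> str:
    """Return the parameter value exactly as the server would reflect it."""
    return parse_qs(urlsplit(url).query).get(PARAM, [""])[0]


def vulnerable_response(url: str) -> tuple[dict[str, str], str]:
    """Mirrors the advisory (hypothetical handler): the body is the raw
    parameter, declared as text/plain and with no anti-sniffing header."""
    return {"Content-Type": "text/plain"}, _reflected(url)


def hardened_response(url: str) -> tuple[dict[str, str], str]:
    """Output-encode the value (the actual fix) and ask the browser not to
    sniff (defence in depth for browsers that honour the header)."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, html.escape(_reflected(url), quote=True)


def script_would_run(headers: dict[str, str], body: str) -> bool:
    """True if markup in the body would be interpreted: either the response
    is text/html, or it is text/plain (or untyped) without nosniff and a tag
    appears in the first 256 bytes, the window legacy IE inspects."""
    if HTML_TAG_RE.search(body[:256]) is None:
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "text/html":
        return True
    if headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff":
        return False
    return ctype in ("text/plain", "")


if __name__ == "__main__":
    # Constructed URL; portal.example and the app path are placeholders.
    crafted = "https://portal.example/app?value=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    for name, (hdrs, body) in (("vulnerable", vulnerable_response(crafted)),
                               ("hardened", hardened_response(crafted))):
        print(f"{name}: script runs = {script_would_run(hdrs, body)}; body = {body!r}")
```

The check is deliberately conservative: it treats any text/plain or untyped body carrying a tag as exploitable unless nosniff is present, because the exact sniffing rules differ between browser versions and output encoding is what must be relied on.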

SAP Information Policy:
-----------------------
The information is available to registered SAP clients only (SAP
Security Notes).

Patches:
--------
Apply the latest SAP security patches for NetWeaver. For more detailed
patch information, see SAP notification number 1235253.

Timeline:
---------
Vendor Status:      Patch released
Vendor Notified:    July 21st 2008
Vendor Response:    July 28th 2008
Patch available:    October 2008
Advisory Release:   January 27th 2009

References:
-----------
- SAP Notification 1235253 (problem and patches)


Re: Re: MS OWA 2003 Redirection Vulnerability

2008-10-16 Thread martin . suess
Actually I no longer have a chance to test that, since I found that vulnerability
during a check for a customer.

Thanks for the input however. I will check that the next time. An XSS 
vulnerability would indeed be nicer than a simple redirection...

regards,
Martin Suess


MS OWA 2003 Redirection Vulnerability

2008-10-15 Thread Martin Suess
#
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#
#
# Product:   Outlook Web Access for Exchange 2003
# Vendor:    Microsoft (www.microsoft.com)
# CVE ID:    CVE-2008-1547
# Subject:   URL Redirection Vulnerability
# Risk:      Medium
# Effect:    Remotely exploitable
# Author:    Martin Suess <[EMAIL PROTECTED]>
# Date:      October 15th 2008
#
#

Introduction:
-------------
The vulnerability found targets the Outlook Web Access application
for Microsoft Exchange 2003. A valid user can be redirected to a
malicious website when clicking on a specially crafted URL which can
be sent to the user by email. If the user is logged in, he is
redirected instantly; if he is not logged in yet, the login page is
displayed and he is redirected after successful login.
This vulnerability can be used to redirect the user to a phishing
website which shows the (faked) login screen and gets the user's
logon credentials as soon as he tries to log in on the faked site.

Affected:
---------
- All tested versions that are vulnerable
    Microsoft Outlook Web Access for Exchange 2003 Server
    (Version: 6.5, Build: 7638.2  SP2)
- All tested versions that are not vulnerable
    [no further versions tested]
- Not affected according to vendor:
    Microsoft Outlook Web Access for Exchange 2007 Server, SP1

Technical Description:
----------------------
An attacker can craft a URL for the OWA of his victim which contains a
redirection URL to which the user is sent after successful login. This
URL can be sent to the victim by mail, either to a private address or to
the Exchange business account. Once he clicks on the URL he is
redirected to a malicious website prepared by the attacker, containing a
faked logon screen saying "your session has expired" or similar. If the
user tries to log in again (on the faked logon page) his credentials
are compromised.

Outlook Web Access for Exchange 2003

The URL could look like this:
https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch

We request the page (authenticated user):
GET https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch HTTP/1.1
Host: webmail.domain.tld
User-Agent: Mozilla/5.0 (Windows) Gecko/20080201 Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: sessionid=[...]; cadata="[...]"

And we get a redirection to the website defined:
HTTP/1.1 200 OK
Cache-Control: No-cache
Content-Length: 277
Content-Type: text/html
Expires: Fri, 28 Mar 2008 08:53:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Fri, 28 Mar 2008 08:54:10 GMT

try
{
    window.location = "http:\/\/www.csnc.ch";
}
catch(e){}

If the user is not logged in, he is redirected automatically to the
following logon URL, which carries the crafted redirection URL in its
url parameter:
https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url=https://webmail.domain.tld/exchweb/bin/redir.asp%3FURL=http://www.csnc.ch&reason=0

As soon as he authenticates successfully he is redirected to the
foreign website as well.

Outlook Web Access for Exchange 2007

Nearly the same issue can be found in Outlook Web Access for Exchange
2007. The URL contains an additional parameter C, which is needed
because otherwise the page warns that a foreign website is being
opened. If the parameter is present, no warning is shown when we are
redirected:

https://webmail.domain.tld/owa/redir.aspx?C=efb6ad0a2be24a368596c275b5e4ae8d&URL=http%3a%2f%2fwww.csnc.ch%2f

If the parameter is left out, the only difference is a warning pop-up
which can be clicked away; the redirection is still performed.

If the user is not logged on when he clicks on the specially crafted
URL, he is also redirected to the logon screen and redirected after
successful login (including the warning pop-up):

https://webmail.domain.tld/owa/auth/logon.aspx?url=https://webmail.domain.tld/owa/redir.aspx%3FC=asdf%26URL=http%253a%252f%252fwww.csnc.ch%252f&reason=0

According to Microsoft, Outlook Web Access 2007 SP1 is not affected,
as it does not allow the link to point to inside the OWA URL namespace.

Workaround / Fix:
-----------------
Patching the application would mean that redirections to foreign
websites are no longer allowed at all.
A more sophisticated approach is to add a unique random id to each
redirection URL which is bound to the session id and the target URL.
The URL then does NOT contain the foreign URL anymore; it is only
stored in the session. If the unique id does not match a URL stored
for that session in the session database, the redirection is denied.
On every redirection to a foreign website the user is warned with a
pop-up.
This
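The redirection behaviour and the proposed session-bound fix as a runnable Python example (added here; this is not Microsoft's code, and the names Session, register_redirect, follow_redirect and the id parameter are assumptions): open_redirect models redir.asp?URL=, while the hardened functions keep the target only in the server-side session, put an opaque random id in the link, deny the redirection when the id is not known to the requesting user's session (or has already been used), and return a warn flag for targets that leave webmail.domain.tld so the caller knows to show the pop-up.

```python
from __future__ import annotations

import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

OWN_HOST = "webmail.domain.tld"  # the OWA host used in the advisory's URLs


def open_redirect(query: str) -> Optional[str]:
    """Models redir.asp?URL=...: the target comes straight from the link,
    so any site an attacker puts into a mailed URL is followed."""
    return parse_qs(query).get("URL", [None])[0]


class Session:
    """Server-side session state (hypothetical). Redirect targets are kept
    here, keyed by a random id, and never appear in the URL itself."""

    def __init__(self) -> None:
        self.redirects: dict[str, str] = {}


def register_redirect(session: Session, target: str) -> str:
    """Called when the application itself emits an outbound link: stores the
    target in the caller's session and returns the opaque id for the link."""
    token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    session.redirects[token] = target
    return token


def follow_redirect(session: Session, query: str) -> tuple[Optional[str], bool]:
    """Resolve ?id=<token> against the session of the requesting user.
    Returns (target, warn). target is None, i.e. the redirection is denied,
    when the id is missing, unknown to this session, or already used; warn is
    True when the target leaves OWN_HOST, so the foreign-site pop-up is due."""
    token = parse_qs(query).get("id", [None])[0]
    # pop() makes each id single-use; a replayed or guessed id finds nothing.
    target = session.redirects.pop(token, None) if token else None
    if target is None:
        return None, False
    host = (urlsplit(target).hostname or "").lower()
    return target, host != OWN_HOST


if __name__ == "__main__":
    victim, attacker = Session(), Session()
    print("open redirect follows:", open_redirect("URL=http://www.csnc.ch"))
    token = register_redirect(victim, "http://www.csnc.ch")
    print("attacker replaying victim's id:", follow_redirect(attacker, "id=" + token))
    print("victim, first use:", follow_redirect(victim, "id=" + token))
    print("victim, replay:", follow_redirect(victim, "id=" + token))
```

Because the id is looked up in the requesting user's own session, an id lifted from one user's mail or history is useless against another user, and because the target URL never leaves the server, there is nothing in the link for an attacker to rewrite.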