#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Outlook Web Access for Exchange 2003
# Vendor: Microsoft (www.microsoft.com)
# CVD ID: CVE-2008-1547
# Subject: URL Redirection Vulnerability
# Risk: Medium
# Effect: Remotely exploitable
# Author: Martin Suess
# Date: October 15th 2008
#
#############################################################
Introduction:
-------------
The vulnerability found targets the Outlook Web Access application
for Microsoft Exchange 2003. A valid user can be redirected to a
malicious website when clicking on a specially crafted URL which can
be sent to the user by email. If the user is logged in,
he is redirected instantly - if he is not logged in yet, the login page
will be displayed and he will be redirected after successful login.
This vulnerability can be used to redirect the user to a phishing
website which shows the (faked) login screen and getting the users
logon credentials as soon as he tries to log in on the faked site.
Affected:
---------
- All tested versions that are vulnerable
Microsoft Outlook Web Access for Exchange 2003 Server
(Version: 6.5, Build: 7638.2 SP2)
- All tested versions that are not vulnerable
[no more tested]
- Not affected according to vendor:
Microsoft Outlook Web Access for Exchange 2007 Server, SP1
Technical Description:
----------------------
An attacker can craft a URL for the OWA of his victim which contains a
redirection URL to which the user is sent after successful login. This
URL can be sent to the victim by mail to either a private address or to
the Exchange business account. Once he clicks on the URL he is
redirected to a malicious website an attacker prepared containing a
faked logon screen saying "your session has expired" or similar. If the
user tries to log in again (on the faked logon page) his credentials
are compromised.
Outlook Web Access for Exchange 2003
The URL could look like this:
https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch
We request the page (authenticated user):
GET
https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch
HTTP/1.1
Host: webmail.domain.tld
User-Agent: Mozilla/5.0 (Windows) Gecko/20080201 Firefox/2.0.0.12
Accept: text/xml,application/xml,application/xhtml+xml
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: sessionid=[...]; cadata="[...]"
And we get a redirection to the website defined:
HTTP/1.1 200 OK
Cache-Control: No-cache
Content-Length: 277
Content-Type: text/html
Expires: Fri, 28 Mar 2008 08:53:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Fri, 28 Mar 2008 08:54:10 GMT
If the user is not authorized he will be redirected automatically to
the following URL:
https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?urlhttps://webmail.domain.tld/exchweb/bin/redir.asp%3FURLhttp://www.csnc.ch&reason=0
As soon as he authenticates successfully he is redirected to the
foreign website as well.
Outlook Web Access for Exchange 2007
Nearly the same issue can be found in Outlook Web Access for Exchange
2007. The URL additionally contains an additional parameter C which is
needed because otherwise the page warns that a foreign website is
opened. If the parameter is there, we are not warned when we are
redirected:
https://webmail.domain.tld/owa/redir.aspx?
C=efb6ad0a2be24a368596c275b5e4ae8d&URL=http%3a%2f%2fwww.csnc.ch%2f
Still, if we leave it away, it's only a pop-up which is clicked
away and the redirection is still done.
If the user is not logged on when he clicks on the specially crafted
URL, he is also redirected to the logon screen and redirected after
successful login (including the warning pop-up):
https://webmail.domain.tld/owa/auth/logon.aspx?urlhttps://webmail.domain.tld/owa/redir.aspx%3F
C=asdf%26URL=http%253a%252f%252f
www.csnc.ch%252f&reason=0
According to Microsoft, Outlook Web Access 2007 SP1 is not affected.
as it will not allow a link to point to inside the OWA URL namespace.
Workaround / Fix:
-----------------
Patching the application would mean that no more redirections to
foreign websites are allowed anymore at all.
A more sophisticated way of redirection would be to add a unique
random id to each redirection URL which is connected to the session
id and the URL. The URL does NOT contain the foreign URL anymore - it
is only stored in the session. If the unique id does not match the URL
stored in the session database the redirection is denied. Upon all
redirections to foreign websites the user is warned with a pop-up.
This does not solve the problem completely however because URLs sent
to the webmail directly can still lead to malicious websites.
As long as there is no patch available we recommend using a web entry
server in front of Outlook Web Access which filters malicious URLs.
Redirection URLs must always start with the FQDN of the webmail
application:
https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?urlhttps://webmail.domain.tld/[...]
Microsoft also states correctly, that after the attack, the browser
will no longer show the correct URL of the OWA in the address bar.
The SSL certificate will also change or not be present anymore at
all, depending on whether the attacker's page is encrypted or not.
Timeline:
---------
Vendor Status: MSRC tracking case closed
Vendor Notified: March 31st 2008
Vendor Response: May 6th 2008
Advisory Release: October 15th 2008
Patch available: - (vulnerability not high priority)
Acknowledgement:
----------------
-
References:
-----------
[1]: http://www.microsoft.com/exchange/
[2]: http://msexchangeteam.com/archive/2004/07/26/197289.aspx