############################################################# # # COMPASS SECURITY ADVISORY # http://www.csnc.ch/en/downloads/advisories.html # ############################################################# # # Product: Outlook Web Access for Exchange 2003 # Vendor: Microsoft (www.microsoft.com) # CVD ID: CVE-2008-1547 # Subject: URL Redirection Vulnerability # Risk: Medium # Effect: Remotely exploitable # Author: Martin Suess <martin.suess_at_csnc&#46;ch> # Date: October 15th 2008 # ############################################################# Introduction: ------------- The vulnerability found targets the Outlook Web Access application for Microsoft Exchange 2003. A valid user can be redirected to a malicious website when clicking on a specially crafted URL which can be sent to the user by email. If the user is logged in, he is redirected instantly - if he is not logged in yet, the login page will be displayed and he will be redirected after successful login. This vulnerability can be used to redirect the user to a phishing website which shows the (faked) login screen and getting the users logon credentials as soon as he tries to log in on the faked site. Affected: --------- - All tested versions that are vulnerable Microsoft Outlook Web Access for Exchange 2003 Server (Version: 6.5, Build: 7638.2 SP2) - All tested versions that are not vulnerable [no more tested] - Not affected according to vendor: Microsoft Outlook Web Access for Exchange 2007 Server, SP1 Technical Description: ---------------------- An attacker can craft a URL for the OWA of his victim which contains a redirection URL to which the user is sent after successful login. This URL can be sent to the victim by mail to either a private address or to the Exchange business account. Once he clicks on the URL he is redirected to a malicious website an attacker prepared containing a faked logon screen saying "your session has expired" or similar. If the user tries to log in again (on the faked logon page) his credentials are compromised. Outlook Web Access for Exchange 2003 The URL could look like this: https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch We request the page (authenticated user): GET https://webmail.domain.tld/exchweb/bin/redir.asp?URL=http://www.csnc.ch HTTP/1.1 Host: webmail.domain.tld User-Agent: Mozilla/5.0 (Windows) Gecko/20080201 Firefox/2.0.0.12 Accept: text/xml,application/xml,application/xhtml+xml Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: sessionid=[...]; cadata="[...]" And we get a redirection to the website defined: HTTP/1.1 200 OK Cache-Control: No-cache Content-Length: 277 Content-Type: text/html Expires: Fri, 28 Mar 2008 08:53:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Fri, 28 Mar 2008 08:54:10 GMT <!--Copyright (c) 2000-2003 Microsoft Corporation. All rights reserved.--> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"> <html> <head> <script> try { window.location = "http:\/\/www.csnc.ch"; } catch(e){} </script> </head> </html> If the user is not authorized he will be redirected automatically to the following URL: https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url= https://webmail.domain.tld/exchweb/bin/redir.asp%3FURL= http://www.csnc.ch&reason=0 As soon as he authenticates successfully he is redirected to the foreign website as well. Outlook Web Access for Exchange 2007 Nearly the same issue can be found in Outlook Web Access for Exchange 2007. The URL additionally contains an additional parameter C which is needed because otherwise the page warns that a foreign website is opened. If the parameter is there, we are not warned when we are redirected: https://webmail.domain.tld/owa/redir.aspx? C=efb6ad0a2be24a368596c275b5e4ae8d&URL=http%3a%2f%2fwww.csnc.ch%2f Still, if we leave it away, it's only a pop-up which is clicked away and the redirection is still done. If the user is not logged on when he clicks on the specially crafted URL, he is also redirected to the logon screen and redirected after successful login (including the warning pop-up): https://webmail.domain.tld/owa/auth/logon.aspx?url= https://webmail.domain.tld/owa/redir.aspx%3F C=asdf%26URL=http%253a%252f%252f www.csnc.ch%252f&reason=0 According to Microsoft, Outlook Web Access 2007 SP1 is not affected. as it will not allow a link to point to inside the OWA URL namespace. Workaround / Fix: ----------------- Patching the application would mean that no more redirections to foreign websites are allowed anymore at all. A more sophisticated way of redirection would be to add a unique random id to each redirection URL which is connected to the session id and the URL. The URL does NOT contain the foreign URL anymore - it is only stored in the session. If the unique id does not match the URL stored in the session database the redirection is denied. Upon all redirections to foreign websites the user is warned with a pop-up. This does not solve the problem completely however because URLs sent to the webmail directly can still lead to malicious websites. As long as there is no patch available we recommend using a web entry server in front of Outlook Web Access which filters malicious URLs. Redirection URLs must always start with the FQDN of the webmail application: https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url= https://webmail.domain.tld/[...] Microsoft also states correctly, that after the attack, the browser will no longer show the correct URL of the OWA in the address bar. The SSL certificate will also change or not be present anymore at all, depending on whether the attacker's page is encrypted or not. Timeline: --------- Vendor Status: MSRC tracking case closed Vendor Notified: March 31st 2008 Vendor Response: May 6th 2008 Advisory Release: October 15th 2008 Patch available: - (vulnerability not high priority) Acknowledgement: ---------------- - References: ----------- [1]: http://www.microsoft.com/exchange/ [2]: http://msexchangeteam.com/archive/2004/07/26/197289.aspx