lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 15 Nov 2008 11:33:38 +0100
From: Piergiorgio Venuti <piergiorgio@...asec.org>
To: Giuseppe Gottardi <overet@...uritydate.it>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: MS OWA 2003 Redirection Vulnerability - [MSRC
	7368br]

Hi all,
also I've found this vulnerability 1 year ago during a pt and work fine 
with url obfuscation. I've read that with owa 2007 this vulnerability is 
patched but I don't have tried yet.

Best regards,
Piergiorgio


Giuseppe Gottardi ha scritto:
> Davide, let me comfort you...
>
> I found this vulnerability 1 year ago during a penetration test
> activity and I never reported before for my negligence :-)
>
> https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.asp%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0
>
> Best regards,
> oveRet
>
>
> On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote:
> Hi,
>   
>> I found and notified this vulnerability to Microsoft in date:
>>
>> Tue, 10 Apr 2007 15:40:13 +0200
>>
>> You read exactly, April 2007, 1 year and 6 months ago. :(
>>
>> The Microsoft Security Response Center opened the case ID MSRC 7368br.
>>
>> The bug has never been patched since 1 year and 6 months.
>> I asked time to time for updates but they always answered me that the
>> bug had to be patched with the next Service Pack and they did not have
>> any ETA.
>>
>> This SP has still to be released.
>>
>> They told me that if I released the vulnerability prior to the official
>> patch, I could not be officially credited for that. I tought it was not
>> a critical vuln, and so I waited. Too much (?).
>>
>> I am a bit sorry for Microsoft, I think they lost an other chance since
>> now I feel a bit tricked. I am not sure if the next time I will wait so
>> much and I am not sure if I will suggest to anyone to wait for the
>> patch. I just hope Microsoft will credit me in the official patch. :(
>>
>> Below you can find the first mail I wrote to MS regarding the issue.
>>
>> Best regards,
>>
>> Davide Del Vecchio.
>>
>>
>> From: "Davide Del Vecchio" <dante@...ghieri.org>
>> To: secure@...rosoft.com
>>
>> Subject: Microsoft Outlook Web Access "redir.asp" Redirection Weakness
>> Date: Tue, 10 Apr 2007 15:40:13 +0200
>>
>> Hello,
>>
>> I found a weakness in Microsoft Outlook Web Access (OWA), which
>> potentially can be exploited by malicious people to conduct phishing
>> attacks.
>> The weakness is caused due to a design error in the way OWA uses an
>> unverified user supplied argument to redirect a user after successful
>> authentication.
>> This can e.g. be exploited by tricking a user into following a link from
>> a HTML document to the trusted login page with a malicious "url" parameter.
>> After successful authentication, the user will be redirected to the
>> untrusted (fake) site.
>>
>> The affected product is:
>> Microsoft Outlook Web Access ( OWA )
>> Windows 2003
>>
>> Examples:
>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com
>>
>> this will take the user to http://www.example.com when the login box
>> is pressed.
>>
>> https://[owa-url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
>> prompts the user to download an executable or other file.
>>
>> The attacker can then have a page to capture the user / password
>> and redirect back to the original login page or some other form of
>> phishing attack.
>>
>> Note that this vulnerability is very similar to the one affecting
>> "owalogin.asp" described here:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420
>>
>> Best regards,
>>
>> Davide Del Vecchio.
>>
>> Martin Suess ha scritto:
>>
>> ...
>>
>>     
>>> Timeline:
>>> ---------
>>> Vendor Status:      MSRC tracking case closed
>>> Vendor Notified:    March 31st 2008
>>> Vendor Response:    May 6th 2008
>>> Advisory Release:   October 15th 2008
>>> Patch available:    - (vulnerability not high priority)
>>>       
>>     
>
>
>   


-- 
+----------------------------------------------------------------------+
| Ing. Piergiorgio Venuti, CCSP                                        |
| 0x5ECFE022     -    B44B C817 3793 C7C7 2734 F898 DE03 8961 5ECF E022| 
+----------------------------------------------------------------------+

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ