lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 27 Dec 2019 16:44:11 +0300
From: Alphan YAVAS <alphan.yv@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: Microsoft Exchange Server, External Service Interaction (DNS)

I. VULNERABILITY
-------------------------
Microsoft Exchange Server, External Service Interaction (DNS)
Exchange Server 2013 CU22 and previous.

II. CVE REFERENCE
-------------------------
Not Assigned Yet

III. VENDOR
-------------------------
https://www.microsoft.com

IV. DESCRIPTION
-------------------------
Microsoft Exchange Server are affected from External Service
Interaction(DNS) vulnerability. A remote attacker could force the
vulnerable server to send request to any remote server s/he wants.

V. TIMELINE
-------------------------
04/11/2019 Vulnerability discovered
05/12/2019 Vendor contacted
17/12/2019 Microsoft replay that “We determined that this behavior is
considered to be by design.”

VI. CREDIT
-------------------------
Alphan Yavas from Biznet Bilisim A.S.

VII. Components
-------------------------
Affected Component:
Path(inurl): /Autodiscover
Parameter: Authorization

VIII. PROOF OF CONCEPT
-------------------------
Request example:

GET /Autodiscover HTTP/1.1
Host: owa.zzzzz.com.tr
Authorization: Basic abc

Affected parameter: Authorization

If Authorization is being sent with following format victim server
will send out DNS queries to xxx domain.  (xxx is the domain which you
want to send
request from server)

xxx\qqq:aaa

As you see above, we have a base64 payload for authorization header.
If we decode that payload we will see a structure like
"domain\username:password".
In that case, if we intercept the request and create a new base64
payload and set a different domain then default. (for example xxxx.com)
Now, we have a payload like"xxxx.com\qqq:aaa" and encode this payload
with base64. While we send our request with this payload, server will
send DNS request to xxxx
domain.

Powered by blists - more mailing lists