[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY19-DAV8FCD826B8F9FA1D30923BD9D60@phx.gbl>
Date: Thu Jul 21 21:41:52 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: OWA login redirection - Mitigation
I have recieved the following from MSRC ( Microsoft Security Response
Center )
regarding my Advisory (
http://exploitlabs.com/files/advisories/EXPL-A-2005-001-owa.txt )
Exploitlabs is releasing this information to the public to help users
protect their systems until the next version of Exchange Server is released.
-----------------------------------
The Microsoft Security Response Center would like to clarify the OWA URL
Redirection issue a little further, discussing both the severity and how
to protect against the threat if you feel that it is relevant to your
implementation.
Issue Severity - For credentials to be stolen a number of factors must
be in play for a successful attack. This includes enticing the user to
click on a URL that contains a malicious address appended to their
normal OWA URL, bypassing a security alert message displayed by the
browser and then enticing the user to re-enter their credentials at the
malicious site.
With those factors in mind combined with the technical workaround
detailed below, this issue has been triaged for remediation in the next
version of Exchange Server.
Workaround - If you feel that your OWA system is or will be affected the
following workaround can be employed:
The following workaround can be used by the Exchange administrator to
remove the capability of users to provide a redirect URL via the FBA
QueryString. The steps to do this are listed below:
1. Navigate to 'C:\Program Files\Exchsrvr\exchweb\bin\auth\usa' (*usa*
or which locale you are using)
2. Make a backup copy of logon.asp
3. Edit logon.asp
4. Go to line 54 of logon.asp
5. Hardcode the redirectPath variable to the path you are passing in to
the URL, in the case of Microsoft's OWA servers, line 54 of logon.asp
should look like:
redirectPath = "http://mail.yourcompany.com/exchange/"
6. Close and save logon.asp
7. Click the URL below and logon to verify the reported issue no longer
works (ie. users are not redirected to the malicioussite.net domain):
http://mail.yourcompany.com/exchweb/bin/auth/owalogon.asp?url=http://mal
icioussite.net/phisher.asp
Hard-coding the destination/redirect URL prevents users from being able
to navigate directly to mapped virtual directories on the OWA server,
but if this functionality is required, step 5 could be modified to only
allow a virtual directory to be passed (ie. hard-code the protocol and
host name before allowing the 'url' parameter to be concatenated).
As always this workaround should be thoroughly tested on a
non-production system before being promoted to a live production system.
User education plays a major role in not only this specific phishing
attack but phishing in general. By educating end users about not
clicking on web links from questionable sources, combined with the
technical workaround will reduce risk of this OWA issue to a level that
is manageable for most organizations.
-----------------------------------
Donnie Werner
wood at exploitlabs.com
http://exploitlabs.com
Powered by blists - more mailing lists