lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20081116012645.48BF92003F@smtp.hushmail.com>
Date: Sat, 15 Nov 2008 20:26:45 -0500
From: "Elazar Broad" <elazar@...hmail.com>
To: piergiorgio@...asec.org, techie.micheal@...il.com
Cc: overet@...uritydate.it, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: Re: MS OWA 2003 Redirection Vulnerability - [MSRC
	7368br]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A quick test of OWA 2007 shows that it is not vulnerable...

On Sat, 15 Nov 2008 11:36:26 -0500 Micheal Cottingham
<techie.micheal@...il.com> wrote:
>I found and reported this back in 2005/2006. Microsoft told me
>that it
>had been reported previously and that it would be fixed in the
>next
>release, which I'm guessing they meant 2007. I do not know if they
>have fixed it in Exchange 2007.
>
>On Sat, Nov 15, 2008 at 5:33 AM, Piergiorgio Venuti
><piergiorgio@...asec.org> wrote:
>> Hi all,
>> also I've found this vulnerability 1 year ago during a pt and
>work fine
>> with url obfuscation. I've read that with owa 2007 this
>vulnerability is
>> patched but I don't have tried yet.
>>
>> Best regards,
>> Piergiorgio
>>
>>
>> Giuseppe Gottardi ha scritto:
>>> Davide, let me comfort you...
>>>
>>> I found this vulnerability 1 year ago during a penetration test
>>> activity and I never reported before for my negligence :-)
>>>
>>>
>https://owa/CookieAuth.dll?GetLogon?url=%2Fexchweb%2Fbin%2Fredir.as
>p%3FURL%3Dhttp%3A%2F%2Fwww.google.it&reason=0
>>>
>>> Best regards,
>>> oveRet
>>>
>>>
>>> On ven, 2008-10-17 at 21:07 +0200, Davide Del Vecchio wrote:
>>> Hi,
>>>
>>>> I found and notified this vulnerability to Microsoft in date:
>>>>
>>>> Tue, 10 Apr 2007 15:40:13 +0200
>>>>
>>>> You read exactly, April 2007, 1 year and 6 months ago. :(
>>>>
>>>> The Microsoft Security Response Center opened the case ID MSRC
>7368br.
>>>>
>>>> The bug has never been patched since 1 year and 6 months.
>>>> I asked time to time for updates but they always answered me
>that the
>>>> bug had to be patched with the next Service Pack and they did
>not have
>>>> any ETA.
>>>>
>>>> This SP has still to be released.
>>>>
>>>> They told me that if I released the vulnerability prior to the
>official
>>>> patch, I could not be officially credited for that. I tought
>it was not
>>>> a critical vuln, and so I waited. Too much (?).
>>>>
>>>> I am a bit sorry for Microsoft, I think they lost an other
>chance since
>>>> now I feel a bit tricked. I am not sure if the next time I
>will wait so
>>>> much and I am not sure if I will suggest to anyone to wait for
>the
>>>> patch. I just hope Microsoft will credit me in the official
>patch. :(
>>>>
>>>> Below you can find the first mail I wrote to MS regarding the
>issue.
>>>>
>>>> Best regards,
>>>>
>>>> Davide Del Vecchio.
>>>>
>>>>
>>>> From: "Davide Del Vecchio" <dante@...ghieri.org>
>>>> To: secure@...rosoft.com
>>>>
>>>> Subject: Microsoft Outlook Web Access "redir.asp" Redirection
>Weakness
>>>> Date: Tue, 10 Apr 2007 15:40:13 +0200
>>>>
>>>> Hello,
>>>>
>>>> I found a weakness in Microsoft Outlook Web Access (OWA),
>which
>>>> potentially can be exploited by malicious people to conduct
>phishing
>>>> attacks.
>>>> The weakness is caused due to a design error in the way OWA
>uses an
>>>> unverified user supplied argument to redirect a user after
>successful
>>>> authentication.
>>>> This can e.g. be exploited by tricking a user into following a
>link from
>>>> a HTML document to the trusted login page with a malicious
>"url" parameter.
>>>> After successful authentication, the user will be redirected
>to the
>>>> untrusted (fake) site.
>>>>
>>>> The affected product is:
>>>> Microsoft Outlook Web Access ( OWA )
>>>> Windows 2003
>>>>
>>>> Examples:
>>>> https://[owa-
>url]/exchweb/bin/redir.asp?URL=http://www.example.com
>>>>
>>>> this will take the user to http://www.example.com when the
>login box
>>>> is pressed.
>>>>
>>>> https://[owa-
>url]/exchweb/bin/redir.asp?URL=http://www.example.com/setup.exe
>>>> prompts the user to download an executable or other file.
>>>>
>>>> The attacker can then have a page to capture the user /
>password
>>>> and redirect back to the original login page or some other
>form of
>>>> phishing attack.
>>>>
>>>> Note that this vulnerability is very similar to the one
>affecting
>>>> "owalogin.asp" described here:
>>>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0420
>>>>
>>>> Best regards,
>>>>
>>>> Davide Del Vecchio.
>>>>
>>>> Martin Suess ha scritto:
>>>>
>>>> ...
>>>>
>>>>
>>>>> Timeline:
>>>>> ---------
>>>>> Vendor Status:      MSRC tracking case closed
>>>>> Vendor Notified:    March 31st 2008
>>>>> Vendor Response:    May 6th 2008
>>>>> Advisory Release:   October 15th 2008
>>>>> Patch available:    - (vulnerability not high priority)
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> +----------------------------------------------------------------
>------+
>> | Ing. Piergiorgio Venuti, CCSP
>      |
>> | 0x5ECFE022     -    B44B C817 3793 C7C7 2734 F898 DE03 8961
>5ECF E022|
>> +----------------------------------------------------------------
>------+
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkkfdtUACgkQi04xwClgpZj1/gP/VtLOffJOWpY5N8Kn7dmxWmQvUwcE
bMr95/K38W+ied5X7apy2Ia+jtpgX8d5A0BcO4qga22bcRB90VDTaG0+/cTsylhq1E0M
kfRLs5kJz5As+gAXv28G2sQ8plIDsGkA2eo9dERiuYpH6fvdVnEC3z0B1DnHTcN8mM+G
CE+62tc=
=7suT
-----END PGP SIGNATURE-----

--
Click for free info on getting an MBA, $200K/ year potential.
http://tagline.hushmail.com/fc/PnY6qxsZwT4rGVHbB4AisvjVw0XZavmA0GT3ROwrGeggWcBAI8H5O/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ