OWA EXPLOIT

OWA EXPLOIT - 17.Feb.2005 7:30:00 PM   
spilmanr

 

OK, this is what I came across and wanted to share with everyone and ask a question.

OVERVIEW
========
A vulnerability in Microsoft Outlook Web Access allows malicious
attackers to redirect the login to any URL they wish.
This allows the attacker to force the user to the site of the
attacker's choosing, enabling the attacker to use social engineering
and phishing style of attacks.


AFFECTED PRODUCTS
=================
Microsoft Outlook Web Access ( OWA )
Windows 2003


DETAILS
=======
By using a specially crafted URL, an attacker can cause the user
to be redirected to an arbitrary URL.


ATTACK PROFILE
==============
An attacker could gather known user email addresses for a company
that uses OWA. By appending an obfuscated redirected url with an
encoded url such as

https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/

this will take the user to http://example.com when the login box
is pressed.

The attacker can then have a page to capture the user / password
and redirect back to the original login page or some other form of
phishing attack.


SOLUTION
========
Microsoft was contacted on Jan 20, 2005
NO patch has been produced to correct the vulnerability.
They have issued the following: on Jan 21, 2005
( see VENDOR RESPONSE )

This release is dated Jan 25, 2005



PROOF OF CONCEPT
================

1. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost]

2. https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://[otherhost/file.exe]

click "login"


after injection into the form, the source reveals...

<BODY scroll="AUTO" bgColor="#3D5FA3" text="#000000" leftMargin=0
topMargin=0>
<FORM action="/exchweb/bin/auth/owaauth.dll" method="POST"
name="logonForm"
autocomplete="off">
<INPUT type="hidden" name="destination"
value="http://[otherhost/file.exe]">
<INPUT type="hidden" name="flags" value="0">
<TABLE id="borderTable" class="standardTable" cellSpacing=0
cellPadding=0
height="100%" width="100%" bgColor="#3D5FA3" border=0>

note:
the [otherhost] may easily be obfuscated so as to not alarm the targeted
user(s) such as
https://[owa-host]/exchweb/bin/auth/owalogon.asp?url=http://3221234342/
( http://example.com )


notes:
example 1 redirects the user to a url of the attacker's choosing.
example 2 prompts the user to download an executable or other file.
this could be used in conjunction with the aforementioned attack scenario.


CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs.com

Donnie Werner
se_cur_ity@hotmail.com
morning_wood@zone-h.org
--
Web: http://exploitlabs.com
http://zone-h.org



VENDOR RESPONSE
===============

researcher initial:
------------------
Dear Microsoft,
The following discusses a potential security vulnerability affecting
one of your products. We are bringing it to your attention in order to
assist you in investigating it and determining the appropriate actions,
and have provided preliminary information about the potential
vulnerability below. Please read our disclosure policy, available at
http://www.exploitlabs.com/disclosure-policy.html if you have any
questions.
Please confirm using the contact information I have provided below that
you have received this note.

We look forward to working with you,

Exploitlabs Research Team

Donnie Werner
se_cur_ity@hotmail.com


vendor response 1
-----------------
Hello Donnie,

Thanks very much for contacting us. We have investigated reports of this
behavior in the past and plan to fix it in the next major release of
Exchange. Please let me know if you have further questions.

Thanks,
Christopher, CISSP


researcher initial 2
--------------------
Christopher,
when is the "next major release of Exchange" due?
I think it may be in the interest of admins to know this
flaw exists, and to possibly alert their users of potential
phishing attacks and to help secure their systems.
Exchange 2003 OWA is used extensively in corporate
environments, where this flaw will have the most impact
being this is a moderate remote threat, this researcher
feels that PUBLIC FULL DISCLOSURE is needed.
possibly MS would be willing to issue a statement to
the public regarding this issue at this time.

regards,

Donnie Werner ( no fancy letters )

vendor response 2
-----------------
(none)

Now the question is: does anyone think that using ISA 2004 as the OWA will stop this from occurring?
Post #: 1
RE: OWA EXPLOIT - 17.Feb.2005 7:41:00 PM   
tshinder

 

Hi Bobster,

It's a no-brainer to stop using the ISA firewall's HTTP Security Filter.

Another reason to use ISA firewalls!

Thanks!
Tom

(in reply to spilmanr)
Post #: 2
RE: OWA EXPLOIT - 17.Feb.2005 9:22:00 PM   
spilmanr

 

Tom,

Not sure what you are referring to. In our setup we only use the ISA to create an SSL bridge between the client and the ISA box and then another SSL bridge between the ISA and the back end. Would that have any effect on us whatsoever?

(in reply to spilmanr)
Post #: 3
