From labs-no-reply@idefense.com Tue Jun 14 14:37:38 2005 From: iDEFENSE Labs To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk Date: Tue, 14 Jun 2005 14:35:33 -0400 Subject: [Full-disclosure] iDEFENSE Security Advisory 06.14.05: Microsoft Outlook Web Access Cross-Site Scripting Vulnerability Microsoft Outlook Web Access Cross-Site Scripting Vulnerability iDEFENSE Security Advisory 06.14.05 www.idefense.com/application/poi/display?id=261&type=vulnerabilities June 14, 2005 I. BACKGROUND Microsoft Outlook Web Access is an optional component included in Microsoft Exchange that allows users to access their mailboxes using a web front end. More information is available at the following address: http://www.microsoft.com/exchange/owa/ II. DESCRIPTION Remote exploitation of a Cross-Site Scripting (XSS) vulnerability in the Outlook Web Access (OWA) component within version 5.5 of Microsoft Corp.'s Exchange Server allows an attacker to force to inject arbitrary script code into a users session, possibly stealing logon credentials. To demonstrate the vulnerability, simply embed the following encoded text into an HTML e-mail: This will have the affect of popping up an alert window when the targeted user views the mail using Outlook Web Access. This proof of concept could easily be altered to cause the script to return authentication credentials to an attacker controlled server. III. ANALYSIS Successful exploitation of this vulnerability would allow an attacker to inject arbitrary script code into the Web Access session. This could allow for the theft of authentication information, which could lead to a compromised mail account. In order for exploitation to occur, the targeted user would only have to view an e-mail from an attacker. As it is trivial to spoof the source of e-mail, this vulnerability has a high potential for widespread exploitation. IV. DETECTION Version 5.5 of Exchange Server has been confirmed vulnerable. Microsoft has reported that Version 2000 and 2003 of Exchange Server are not vulnerable. V. WORKAROUND iDEFENSE is currently unaware of any effective workarounds that can be implemented on the server in order to mitigate the risk of this vulnerability; however, there are workarounds available for client protection. Since exploitation allows for the execution of malicious code in web browsers, successful exploitation could be thwarted by disabling script code and active content support within a client browser. Take note that employing this workaround could adversely affect web sites reliant upon the execution of browser-based script code. The following steps can be taken to disable active scripting in Mozilla and Internet Explorer: Internet Explorer 5.0, 5.01, 5.5, 6 a. On the Tools menu, click Internet Options, click the Security tab, click the Internet Web content zone, and then click Custom Level. b. In the Settings box, scroll down to the Scripting section, and click Disable under Active scripting and Scripting of Java applets. c. Click OK, and then click OK again. Mozilla Firefox a. On the Tools menu, click Options and click the Web Features tab. b. De-select the Enable JavaScript checkbox. c. Click OK. VI. VENDOR RESPONSE The vendor security advisory and appropriate patches are available at: http://www.microsoft.com/technet/security/Bulletin/MS05-029.mspx VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0563 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 04/08/2005 Initial vendor notification 04/08/2005 Initial vendor response 06/14/2005 Coordinated public disclosure IX. CREDIT Gael Delalleau is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/