[NT] Specially Malformed Script in HTML Mail Can Execute in Exchange 5.5 OWA

From: support@securiteam.com
Date: 12/10/01


From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 10 Dec 2001 08:56:42 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Specially Malformed Script in HTML Mail Can Execute in Exchange 5.5 OWA
------------------------------------------------------------------------

SUMMARY

OWA is a service of Exchange 5.5 Server that allows users to access and
manipulate messages in their Exchange mailbox by using a web browser.

A flaw exists in the way OWA handles inline script in messages in
conjunction with Internet Explorer. If an HTML message that contains
specially formatted script is opened in OWA, the script executes when the
message is opened. Because OWA requires that scripting be enabled in the
zone where the OWA server is located, this script could take any action
against the user's Exchange mailbox that the user himself was capable of,
including sending, moving, or deleting messages. An attacker could
maliciously exploit this flaw by sending a specially crafted message to
the user. If the user opened the message in OWA, the script would then
execute.

While it is possible for a script to send a message as the user, it is
impossible for the script to send a message to addresses in the user's
address book. Thus, the flaw cannot be exploited for mass-mailing attacks.
In addition, mounting a successful attack requires knowledge of the
intended victim's choice of mail clients and reading habits. If the
maliciously crafted message were read in any mail client other than a
browser through OWA, the attack would fail.

DETAILS

Affected software:
 * Microsoft Exchange 5.5 Server Outlook Web Access

Mitigating factors:
 * A successful attack would require the victim to read the message in IE
using OWA only. The attack would fail if read in any other mail client.
 * A successful attack would also require knowledge of the version of OWA
in use. The attack would fail on other versions of OWA.
 * A successful attack can only take action on the mailbox on the Exchange
Server as the user. It cannot take action on the user's local machine. It
cannot take actions on any other user's mailbox directly. Nor can it take
actions directly on the Exchange Server.

Patch availability:
Download locations for this patch
 * Microsoft Exchange 5.5:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34402

What is the scope of the vulnerability?
This vulnerability could enable an attacker to run script of his choice
against a user's Exchange mailbox by embedding script in any mail message.
When activated, such a malicious message would be capable of taking any
action that the user himself could take on the mailbox, including adding,
changing, or deleting data in the mailbox.

What causes the vulnerability?
The vulnerability results because the content filtering feature in OWA can
fail to detect script in some instances. When a valid message is
intentionally designed to obfuscate the presence of script, it is still
possible for that script to execute.

What is Outlook Web Access (OWA)?
OWA is a feature in Exchange 5.5 and 2000 that allows users to access
their email via a web browser instead of a mail client. Essentially, OWA
makes an Exchange server also function as a web site that lets authorized
users read or send mail, manage their calendar, or perform other mail
functions via the Internet.

What is the problem with how OWA handles message script when using IE?
When OWA processes a user request to retrieve a mail message, it is
possible for script to have been embedded in the message in a particular
way so that OWA does not filter it correctly, causing the script to execute.

Is it possible to construct an HTML mail message like this by accident?
No. It is not possible to create a document that bypasses script filtering
by accident. It would require very specific, detailed knowledge and such a
message would have to be specifically constructed with malicious intent.

Are all versions of OWA vulnerable?
No. The vulnerability only affects OWA in Exchange 5.5.

Does this vulnerability affect Outlook or Outlook Express?
No. The vulnerability only affects Outlook Web Access. It does not affect
any of the Outlook or Outlook Express clients.

Does this vulnerability affect all browsers using OWA?
No, the issue only occurs when using IE with OWA. No other browsers are
affected.

What would this vulnerability enable an attacker to do?
The message would be able to take any action that the user could take on
his Exchange mailbox. This could include manipulating messages or folders
with complete control.

How might an attacker use this vulnerability?
To exploit this vulnerability, an attacker would have to construct a
specially crafted message and send it to the intended victim as a mail
message. The intended victim would have to use OWA to open the mail
message. It is important to note that if the user were to open the message
in the Outlook client, the attack would fail. Because the attack would
require a user to use a specific mail client, a significant degree of
social engineering would be required to successfully exploit this
vulnerability.

What does the patch do?
The patch eliminates the vulnerability by changing the way that OWA
handles inline script. After the patch is applied, OWA strips inline
script before sending the messages to IE.
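As an added illustration of the approach the patch describes, and of why the filtering described under "What causes the vulnerability?" can be defeated by obfuscation, the Python below rebuilds an HTML mail body from parsed tokens and keeps only allowlisted tags and attributes, so script elements, event-handler attributes and script URLs never reach the browser however they are written. This is not Microsoft's or OWA's code; the allowlist and the sample message are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: anything not explicitly permitted is dropped, so script that a
# literal "<script>" search would miss is dropped along with everything else.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "div": {"class"}, "span": {"class"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Constructed sample: a script element, a handler attribute, a script URL, a normal link.
SAMPLE_MAIL = (
    "<p>Quarterly report attached.</p><SCRIPT>/* script body */</SCRIPT>"
    '<a href="javascript:void(0)" onclick="void(0)">link</a>'
    '<a href="https://example.com/report">report</a>'
)

class MailBodySanitizer(HTMLParser):
    # Rebuilds the body from parsed tokens; HTMLParser lowercases tag names.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.in_script = [], 0  # in_script > 0 inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_script += 1  # element body is discarded in handle_data
        elif not self.in_script and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops every on* handler, style=, etc.
                if name == "href" and not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue  # drops javascript:/data: links
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def sanitize_mail_html(body: str) -> str:
    parser = MailBodySanitizer()
    parser.feed(body)
    parser.close()  # flushes buffered text
    return "".join(parser.out)
```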

What servers should I install the patch on?
This patch is intended only for servers that are running the Exchange 5.5
OWA service on IIS. You do not need to install this patch on servers that
are not running the Exchange 5.5 OWA service on IIS.

Can you clarify this? Do I install this on my Exchange servers?
Not exactly. You install this patch on your OWA server. The OWA server is
an IIS server with the OWA service installed. Depending on your
configuration, your OWA server may or may not also be running Exchange.

In some configurations, the OWA Server will also be running Exchange. In
this configuration, you would apply the patch to this server because it is
running OWA.

In other configurations, the OWA Server connects to a different server
running Exchange without OWA. In this configuration, you would apply the
patch to the OWA server but not apply it to the Exchange server without
OWA.

You do not apply this patch to Exchange servers without OWA, only to
servers running OWA.

What is the version requirement discussed in this bulletin? How is it
different from the regular OWA requirements?
The version requirement listed under the "Caveats" section is a
requirement over and above the base requirements for the Exchange 5.5 OWA
service.

To install this patch successfully on an OWA server, it must meet both the
base requirements and this additional requirement.

Installing this patch on a system that does not meet the version
requirement in this bulletin can lead to unexpected results.

My server doesn't meet this requirement, what should I do to install this
patch?
If your server does not meet the IE requirement for this patch, you should
first upgrade your server and then apply the patch.

What version should I upgrade to? Is it OK to just upgrade to IE 5.0?
If you upgrade to IE 5.0, you will be able to install the patch
successfully. However, as noted in recent IE bulletins, such as MS01-055,
versions older than IE 5.5 SP2 are no longer eligible for hotfix support,
as of the time of this writing.

Because of this, it is recommended that you upgrade to IE 5.5 SP2 or
greater, to ensure that you are eligible for hotfix support for IE.

I'm confused, do I have to upgrade IE on my OWA clients or my OWA server?
You have to upgrade the OWA server. The version requirement for this patch
is ONLY for the server, not for the clients.

What are the version recommendations discussed in this bulletin? How are
they different from the regular OWA requirements?
The Exchange 5.5 OWA Service has dependencies on both IE and IIS. While
these dependencies are met by meeting OWA's stated requirements, the
versions listed for those requirements are outside of security hotfix
support as discussed in MS01-055 for IE and MS01-044 for IIS.

Because of this, to ensure that all dependent components are eligible for
security hotfix support, we have included version recommendations. As of
the time of this writing, these recommendations are versions that are
eligible for security hotfix support.

It is recommended that customers meet these version recommendations, over
and above the base OWA recommendations, to fully secure their systems.

I installed the patch on a system that doesn't meet the patch's version
requirements, what can I do to fix this?
If you have installed the patch on an OWA server that doesn't meet the
version requirement, you can upgrade IE to version 5.0 or greater.
However, as noted in this bulletin, it is recommended that you upgrade to
a version that is eligible for security hotfix support. At the time of
this writing, this is IE 5.5 SP2 or greater.

I've followed the instructions above and I'm still having problems, what
should I do now?
If you are still having problems because of the patch, contact Microsoft
Product Support Services. All calls related to security patches are free
of charge. There's information on how to contact Product Support Services
at: http://www.microsoft.com/support

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security
(secnotif@MICROSOFT.COM).

