[NT] Vulnerability in Exchange Server 5.5 Outlook Web Access Allows CSS and Spoofing Attacks (MS04-026)

From: SecuriTeam (support_at_securiteam.com)
Date: 08/11/04

    To: list@securiteam.com
    Date: 11 Aug 2004 15:15:43 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Vulnerability in Exchange Server 5.5 Outlook Web Access Allows CSS and
    Spoofing Attacks (MS04-026)
    ------------------------------------------------------------------------

    SUMMARY

    This update resolves a newly discovered, privately reported vulnerability.
    A cross-site scripting and spoofing vulnerability exists in Outlook Web
    Access for Exchange Server 5.5 that could allow an attacker to convince a
    user to run a malicious script.

    An attacker who successfully exploited the vulnerability could manipulate
    Web browser caches and intermediate proxy server caches, and put spoofed
    content in those caches. They may also be able to exploit the
    vulnerability to perform cross-site scripting attacks.

    DETAILS

    Affected Software:
     * Microsoft Exchange Server 5.5 SP4

    Non-Affected Software:
     * Microsoft Exchange 2000 Server
     * Microsoft Exchange Server 2003

    Affected Components:
     * Outlook Web Access - Download the update:
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C-4EEC-84F1-31F0CA878092&displaylang=en>

    This is a cross-site scripting and spoofing vulnerability. The cross-site
    scripting vulnerability could allow an attacker to convince a user to run
    a malicious script. If this malicious script is run, it would execute in
    the security context of the user. Attempts to exploit this vulnerability
    require user interaction. This vulnerability could allow an attacker
    access to any data on the Outlook Web Access server that was accessible to
    the individual user.

    It may also be possible to exploit the vulnerability to manipulate Web
    browser caches and intermediate proxy server caches, and put spoofed
    content in those caches.

    Workaround:
    Microsoft has tested the following workarounds. While these workarounds
    will not correct the underlying vulnerability, they help block known
    attack vectors. When a workaround reduces functionality, it is identified
    below.

     * Disable Outlook Web Access for Each Exchange Site

    You can disable Outlook Web Access by following these steps. You must
    follow these steps on each Exchange site.
    1. Start Exchange Administrator.
    2. Expand the Configuration container for the site.
    3. Click the Protocols container for the site.
    4. Open the properties of the HTTP (Web) Site Settings object.
    5. Click to clear the Enable Protocol check box.
    6. Wait for the change to replicate, and then verify that this change has
    replicated to each server in the site. To do this, bind to each server in
    the site with Exchange Administrator, and then view the setting.

    Impact of Workaround:
    Users cannot access their mailboxes using Outlook Web Access.

     * Remove Outlook Web Access

    For steps on how to remove Outlook Web Access, see Microsoft Knowledge
    Base Article 290287 <http://support.microsoft.com/default.aspx?kbid=290287>.

    Impact of Workaround:
    Users cannot access their mailboxes using Outlook Web Access.

    For additional information about how to help secure your Exchange
    environment, visit the Security Resources for Exchange 5.5 Web site
    <http://go.microsoft.com/fwlink/?LinkId=33382>.

    CVE Information:
    CAN-2004-0203
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0203>

    What updates does this release replace?
    This update replaces the security update that is provided in Microsoft
    Security Bulletin MS03-047.

    Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if
    this update is required?
    Yes. MBSA will determine if this update is required. For more information
    about MBSA, visit the MBSA Web site.

    Note: After April 20, 2004, the Mssecure.xml file that is used by MBSA
    1.1.1 and earlier versions is no longer being updated with new security
    bulletin data. Therefore, scans that are performed after that date with
    MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA
    1.2 because it provides more accurate security update detection and
    supports additional products. Users can download MBSA 1.2 from the MBSA
    Web site. For more information about MBSA support, visit the following
    Microsoft Baseline Security Analyzer 1.2 Q&A Web site.

    Can I use Systems Management Server (SMS) to determine if this update is
    required?
    Yes. SMS can help detect and deploy this security update. For information
    about SMS, visit the SMS Web site.

    What is the scope of the vulnerability?
    This is a cross-site scripting and spoofing vulnerability. The cross-site
    scripting vulnerability could allow an attacker to convince a user to run
    a malicious script. If this malicious script is run, it would execute in
    the security context of the user. Attempts to exploit this vulnerability
    require user interaction. This vulnerability could allow an attacker
    access to any data on the Outlook Web Access server that was accessible to
    the individual user.

    It may also be possible to exploit the vulnerability to manipulate Web
    browser caches and intermediate proxy server caches, and put spoofed
    content in those caches.

    What causes the vulnerability?
    Outlook Web Access does not properly validate input that is provided to an
    HTML redirection query before it sends this input to the browser.

    What is Outlook Web Access?
    Microsoft Outlook Web Access is a service of Microsoft Exchange Server. By
    using Outlook Web Access, users can access their Exchange mailbox through
    a Web browser. By using Outlook Web Access, a server that is running
    Exchange Server can also function as a Web site that lets authorized users
    read or send mail, manage their calendar, or perform other mail functions
    over the Internet.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited the vulnerability could perform
    cross-site scripting attacks, display spoofed responses to users, or
    redirect server responses to another user.

    How could an attacker exploit the vulnerability?
    An attacker could create an e-mail message that is specially crafted to
    attempt to exploit this vulnerability. An attacker could exploit the
    vulnerability by sending this specially crafted e-mail message to a user
    of a server that is running Outlook Web Access for Exchange Server 5.5. An
    attacker could then persuade the user to click a link in the e-mail
    message.

    It may also be possible to exploit the vulnerability to manipulate Web
    browser caches and intermediate proxy server caches and put spoofed
    content in those caches.

    What systems are primarily at risk from the vulnerability?
    Systems running Outlook Web Access for Exchange Server 5.5 are primarily
    at risk from this vulnerability.

    Are all supported versions of Outlook Web Access vulnerable?
    No. The vulnerability affects only Outlook Web Access for Exchange Server
    5.5. Outlook Web Access for Exchange 2000 Server and Outlook Web Access
    for Exchange Server 2003 are not vulnerable.

    On which Exchange servers should I install the update?
    This update is intended only for servers that are running Outlook Web
    Access for Exchange Server 5.5. You do not have to install this update on
    servers that are not running Outlook Web Access for Exchange Server 5.5.

    I have customized my Outlook Web Access site, what do I do?
    Customers who have customized any of the ASP pages that are listed in the
    File Information section in this security bulletin should back up those
    files before they apply this update because these pages will be
    overwritten when the update is applied. Any customizations would then have
    to be reapplied to the new ASP pages. See Microsoft Knowledge Base Article
    327178 for the Microsoft support policy for the customization of Outlook
    Web Access.

    What does the update do?
    The update removes the vulnerability by modifying the way that Outlook Web
    Access validates input that is provided to an HTTP redirection query
    before it sends this input to the client.
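
    The bulletin gives no implementation detail, so the following is an added
    illustration of this class of fix and not Microsoft's code or the contents
    of the update: a redirect handler that reflects request input unchanged,
    beside one that validates the target and encodes it for each place it is
    written. The /exchange/ root, the function names and the sample inputs are
    assumptions made for the example.

```python
import html
import re

APP_ROOT = "/exchange/"  # assumption: redirects must stay under this root
# Allowlist: a path under APP_ROOT plus a plain query string. CR/LF, quotes,
# angle brackets, backslashes, schemes and host names cannot match.
_SAFE_TARGET = re.compile(r"/exchange/[A-Za-z0-9_.\-/]*(\?[A-Za-z0-9_.\-=&%]*)?")


def unsafe_redirect(raw):
    """Illustrative flaw: request input copied unchanged into header and body."""
    return [("Location", raw)], '<a href="' + raw + '">Continue</a>'


def validate_target(raw, default=APP_ROOT):
    """Return raw only if it is a same-site path under APP_ROOT, else default."""
    if not raw or len(raw) > 512 or not _SAFE_TARGET.fullmatch(raw):
        return default
    path = raw.split("?", 1)[0]
    # Dot segments or empty segments could walk out of APP_ROOT.
    if "//" in path or any(seg in (".", "..") for seg in path.split("/")):
        return default
    return raw


def safe_redirect(raw):
    """Validate first, then encode for each sink the value is written to."""
    target = validate_target(raw)
    headers = [
        ("Location", target),
        # A response built from request input should not be stored by caches.
        ("Cache-Control", "no-store"),
    ]
    body = '<a href="' + html.escape(target, quote=True) + '">Continue</a>'
    return headers, body


# Constructed sample inputs (not taken from the bulletin).
SAMPLES = [
    "/exchange/inbox.asp?folder=1&view=2",   # legitimate same-site target
    "/exchange/\r\nX-Injected: 1",           # line break aimed at the header
    '/exchange/"><script>x</script>',        # markup aimed at the HTML body
    "//other.example/exchange/",             # scheme-relative, off-site
    "/exchange/../admin/",                   # dot segment leaving APP_ROOT
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", dict(safe_redirect(sample)[0])["Location"])
```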

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly disclosed when this security bulletin was
    originally issued.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had not received any information indicating that this
    vulnerability had been publicly used to attack customers and had not seen
    any examples of proof of concept code published when this security
    bulletin was originally issued.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    http://www.microsoft.com/technet/security/bulletin/MS04-026.mspx
