From: WhiteHat Labs (infowhitehatsec.com)
Date: Sun Dec 09 2001 - 13:13:44 CST

    WhiteHat Security, Inc.
    Security Advisory [Number: 12082001-1]
    Copyright 2001 WhiteHat Security, Inc.

    ===================================================
    = Microsoft Exchange 5.5
    Outlook Web Access Cross-Site Scripting Vulnerability
    = Advisory Release Date: Dec. 09, 2001

    WhiteHat Security advised the Microsoft Security Response Center of this
    issue on October 10th, 2001. Microsoft provided a patch issued on
    December 6, 2001.

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-057.asp

    This document can be obtained from:
    http://www.whitehatsec.com/labs/advisories/WH-Security_Advisory-12082001-1.txt

    http://www.whitehatsec.com/labs/advisories/WH-Security_Advisory-12082001-1.html

    [Systems Affected]

    Microsoft Exchange 5.5 running Outlook Web Access

    [Systems Not Affected]

    Microsoft Exchange 5.5 not running Outlook Web Access
    Microsoft Exchange 2000

    [Vulnerability Description]

    There is a Cross-Site Scripting vulnerability within Microsoft Exchange
    5.5 which carries potentially detrimental security implications specific
    to the functionality of Outlook Web Access. This vulnerability is unique
    among other CSS/WebMail security issues due to its ability to bypass
    security measures instituted by previous patches. This vulnerability
    should be considered potentially more dangerous because Exchange 5.5
    may reside inside of corporate firewalls where increased access could
    be attained.

    The dangers of Cross-Site Scripting vulnerabilities are well
    established. Further information on the subject can be obtained from:

    http://www.owasp.org/projects/asac/owasp-iv-css-1.shtml

    For more information on general web application security issues:
    http://www.owasp.org

    [Vulnerability Analysis]

    This Cross-Site Scripting issue exists because Exchange 5.5 allows
    improperly filtered HTML email to be delivered to and read by a user
    within Outlook Web Access. A malicious user can send a specially
    crafted email, containing an auto-executing Cross-Site Scripting
    payload, to one or more target users.

    This payload may perform a variety of malicious operations such as
    disclosure of stored email messages, unauthorized internal network
    access, session-hijacking, confidential information exposure,
    browser hijacking, etc.

    The location of Exchange 5.5 and this specific vulnerability make it
    potentially more serious than previous vulnerabilities. Typically,
    Exchange 5.5 exists within an internal corporate LAN
    environment (behind protective firewalls), thus granting an Outlook
    Web Access exploit much of the same access as the MS Outlook email
    client. Furthermore the exploit could target the user's machine
    itself, gaining control directly through a web browser.

    In all of the previous scenarios, this vulnerability may allow the
    isolated targeting of individual users, companies or networks
    without the need of a constant network connection to the intended
    target.

    [Solutions]

    For Microsoft Exchange 5.5 users who are not currently utilizing Outlook
    Web Access, WhiteHat recommends deactivating the unused service and
    installing the recommended patch.

    For those using Outlook Web Access, installing the patch is highly
    recommended.

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-057.asp

    WhiteHat Security has not thoroughly tested the approved patch.

    [Authors]

    Lex Arquette

    [Credits]

    WhiteHat Security would like to thank Scott Culp of the Microsoft
    Security Response Center and the Exchange Server team for their
    continued diligent efforts.

    [WhiteHat Security Contact Information]

    http://www.whitehatsec.com
    infowhitehatsec.com

    ______________________________________________________________________
    Warranties and Disclaimers
    INFORMATION ON THIS DOCUMENT IS PROVIDED TO YOU "AS IS" WITHOUT
    WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
    BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
    FITNESS FOR PARTICULAR PURPOSE, OR NON-INFRINGEMENT. WHITEHAT
    SECURITIES, INC. DOES NOT REPRESENT OR WARRANT THE INFORMATION
    ACCESSIBLE VIA THIS DOCUMENT IS ACCURATE, COMPLETE OR CURRENT.

    IN NO EVENT SHALL WHITEHAT SECURITIES, INC. OR ANY OF ITS
    DIRECTORS, EMPLOYEES OR OTHER REPRESENTATIVES BE LIABLE FOR
    ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF
    ANY KIND INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM
    LOSS OF DATA, INCOME, PROFIT, AND ON ANY THEORY OF LIABILITY,
    ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
    THIS DOCUMENT.

    THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR
    TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE
    INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW
    EDITIONS OF THIS DOCUMENT. WHITEHAT SECURITIES, INC. MAY MAKE
    IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR
    PROGRAM(S) DESCRIBED IN THIS WEB SITE AT ANY TIME. March 30, 2001
    ______________________________________________________________________