Comments on: Owning Outlook Web Access (OWA) users

By: Nitin Kushwaha

Nitin Kushwaha — Thu, 08 Dec 2011 19:02:15 +0000

Hey Adrian,

I would like to know if any other exploits in EX2k3 OWA with SP2. running on MS W2k3 Sp2. The problem i am facing is the company had implemented the fix for URL redirection: something like, making a copy of OWALogon.asp, then say Re-directing the base URL for OWA to itself.

any clues??

By: sillentbot007

sillentbot007 — Thu, 09 Dec 2010 17:54:56 +0000

Is this method still effective anyone?

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Tue, 09 Sep 2008 22:53:07 +0000

Just tested this attack again successfully on a OWA 2K3 installation during a pentest. It’s good to see it still works!

However, I would like to know why it doesn’t work on all OWA 2K3 installations. Reading our readers’ comments on this post shows that the exploit doesn’t seem to work for everyone. Perhaps there is something configuration-specific that would make this attack not work?

By: chrisb

chrisb — Wed, 07 May 2008 10:36:13 +0000

Hi, Im in quite slow, but explain the get-credentials.php file please. Must I still write this and host it on my website?

By: Jan

Jan — Mon, 07 Apr 2008 17:33:31 +0000

Ok I have been playing with this all morning and I am stuck.

The server used is OWA2003. I have tried sending it to myself from my private mail doing it a few different ways. Not exactly sure what I am doing wrong. Not sure if it is because I am at home and logging into the OWA from here remotely. Would you be willing to help me out with this? After the victim enters the cred where do I view them at, I post the url, but just get the sign in sheet.

Any help would be very appreciated. I am a bit new to this, but love the challange. Just stuck

By: Adrian Pastor

Adrian Pastor — Thu, 10 Jan 2008 22:53:19 +0000

Hey Mike. I just read most of the paper and love it. Very simple yet effective technique. These are the kind of hacks I really love!

By: Mike

Mike — Sat, 05 Jan 2008 22:31:03 +0000

Very cool hack! I’m not surprised that Microsoft doesn’t take it seriously. I think this flaw can be made even more serious by using flash and the crossdomain.xml file as described in this hack presented at Defcon 15: http://www.defcon.org/images/d.....ios-WP.pdf

By: Adrian Pastor

Adrian Pastor — Tue, 18 Dec 2007 21:49:34 +0000

Hi Raffi, this is the same result we got on 3 different OWA installations. Glad to hear to find this attack as neat as we do!

By: hackathology

hackathology — Tue, 18 Dec 2007 14:42:19 +0000

pretty interesting discovery. Too bad, i cant test it.

By: pdp

pdp — Mon, 17 Dec 2007 13:32:01 +0000

this is exactly what we thought :)

By: Raffi

Raffi — Mon, 17 Dec 2007 13:29:50 +0000

I tested on a client’s OWA server and removed the UID. pretty scary. If you don’t have your status line in view, and looked there, you wouldn’t notice that the logon button points to someplace else. holy spear phishing batman

By: Adrian Pastor

Adrian Pastor — Sat, 15 Dec 2007 13:40:56 +0000

@Matt – perhaps you don’t even need “1_multipart_xF8FF_2_” in your case? Best thing is just post the original path of a URL that accesses an attachment, and we’ll show you what to do. Anyway, we’ll be in touch via email.

By: Matt

Matt — Wed, 12 Dec 2007 20:05:45 +0000

Thanks, Adrian. I have all the screen shots ready. I have confirmed that our OWA and Exchange servers in prod are 2003.

Another thing that I have noticed though is that none of my URLs have the “1_multipart_xF8FF_2_” at the beginning of attached file names. Could this be an issue?

P.S. I have tried the URL with this string in front of the attachment name,m but to no avail.

By: Adrian Pastor

Adrian Pastor — Wed, 12 Dec 2007 14:45:59 +0000

@Matt – If you paste the real URL (with domain name hidden for privacy) I should be able to reconstruct the exploit URL. One thing I’m thinking of is that the inbox folder’s name has been customized. In that case you need to use the customized value.

I’ll contact you to see the screenshots. Can’t understand why you get the authentication prompt after you have logged in. What’s described on this post has been tested on 3 different OWA2K3 installations with no problem. It’d be quite useful if other GC readers tested it on their installations.

By: Matt

Matt — Tue, 11 Dec 2007 14:49:37 +0000

@Adrian – Yes the error is returned when accessing the specially crafted URL. The process is that I get the normal Basic Auth pop-up to enter credentials, enter my valid credentials, and then I get another older looking login page. (Can send you screen shots if interested). Then after entering my creds on this new page (and verifying that the url has not changed and I am still on my companies OWA site), I get the owaauth.dll error.

Let me know if you want screenshots for your review.

By: Adrian Pastor

Adrian Pastor — Tue, 11 Dec 2007 11:42:16 +0000

@djteller – thanks for such kind comment!

@Matt – if the hex string is NOT not a unique variable, but rather a constant, then crafting the exploit URL would become even easier. I’m not sure what you mean by the error. Is this an error generated when accessing the specially-crafted URL?

@maotx – it’d be cool to make it work on OWA2K7 as well. Unfortunately, I don’t have access to a OWA2K7 installation to find out if there is a way to replicate this phishing attack.

By: pdp

pdp — Mon, 10 Dec 2007 23:29:32 +0000

content disposition attachment can be forced to open inside object elements in some browsers

By: maotx

maotx — Mon, 10 Dec 2007 22:54:43 +0000

Does not work with Exchange 2007. OWA requires .html attached files be saved to disk first.

By: Matt

Matt — Mon, 10 Dec 2007 16:43:32 +0000

Just thought I would add a note about the long hex-style string. When I tested this on my corporate OWA installation, I got the exact same string as in your post. I also tested with two other colleagues and they also received the same string.

Although our installation generates an error on the server from owaauth.dll, just thought I would alert you to the string issue.

By: OWA Fishing attack | Stop ID Thieves

OWA Fishing attack | Stop ID Thieves — Mon, 10 Dec 2007 16:20:23 +0000

[...] I just love Gnucitizen – this time Adrian Pastor explains how to use an Outlook Web Access design flaw to create a phishing attack.Â [...]