Owning Outlook Web Access (OWA) users

What is this post about? Well, this is something that pdp and I were playing with a few years ago. As you might already know, although we also do vulnerability research at GNUCITIZEN, what we like best is insecurity by design. There is nothing better than finding an attack vector that won't be resolved by the vendor simply because the product is designed to follow certain behavior. Personally, from a security research point of view, I think that these attacks are the best.

In this case, we forwarded our ideas along with an attack walk-through to Microsoft, but they didn't consider it an issue. "Even better!" I thought, as it's one of those things that will always work on Outlook Web Access 2003, which means that you could always flag it when doing an authenticated pentest on an OWA site. The following describes how to perform advanced phishing attacks on OWA 2K3 (might also work on older versions) without relying on any bugs.

The following is the recipe for our attack. Needless to say, if any other webmail product meets the following conditions, its users can be owned in the same manner:

Let me explain in more detail. When a user checks an email and clicks on the attachment, a URL such as the following is visited:

https://victim-domain.foo/exchange/pgriffin/Inbox/HELLO%20THERE.EML/1_multipart_xF8FF_2_cool-file.html/C58EA28C-18C0-4a97-9AF2-036E93DDAFB3/cool-file.html?attach=1

At first glance, the URL looks unpredictable, especially when it comes to the unique long hexadecimal string. Surprisingly though, we can get rid of the hex string and the attach parameter, and still be able to access the file sent as an attachment:

https://victim-domain.foo/exchange/pgriffin/Inbox/HELLO%20THERE.EML/1_multipart_xF8FF_2_cool-file.html

> I think that the hex string is the UID value, which is unique to each user; however, I have not confirmed this yet.

A more careful look at the URL reveals that all the variables can actually be predicted by the attacker:

https://victim-domain.foo/exchange/<username>/Inbox/<email-subject>.EML/1_multipart_xF8FF_2_<attachment-filename.extension>

Let's review these variables for a second:

Please find the POC attached to this post.
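
For anyone reviewing OWA access logs for use of the short attachment URL described above, the following added example (not part of the original post or its POC) classifies attachment requests by whether they carry the GUID segment a normal click produces. The log field order, the generalised `<n>_multipart_x<hex>_<n>_` prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed field order of a W3C-style access log; match it to your "#Fields:" line.
FIELDS = ["date", "time", "method", "uri_stem", "uri_query",
          "username", "referer", "status"]
OWA_HOST = "victim-domain.foo"  # placeholder host, as used in the post's URLs

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
# /exchange/<mailbox>/<folder>/<subject>.EML/<n>_multipart_x<hex>_<n>_<file>
# The numeric/hex parts of the prefix are generalised from the one sample URL.
ATTACH = re.compile(
    r"^/exchange/(?P<mailbox>[^/]+)/(?P<folder>.+)/(?P<subject>[^/]+)\.EML/"
    r"\d+_multipart_x[0-9A-Fa-f]+_\d+_(?P<file>[^/]+)"
    r"(?P<tail>/" + GUID + r"/[^/]+)?$", re.IGNORECASE)

def classify(line):
    """Return None for non-attachment requests, else a finding dict."""
    rec = dict(zip(FIELDS, line.split()))
    m = ATTACH.match(unquote(rec.get("uri_stem", "")))
    if not m:
        return None
    if m.group("tail"):          # long form, as produced by a click inside OWA
        verdict = "normal"
    else:                        # short form: no GUID segment, predictable
        ref = rec.get("referer", "-")
        offsite = ref != "-" and urlsplit(ref).hostname != OWA_HOST
        verdict = "direct-offsite" if offsite else "direct"
    return {"mailbox": m.group("mailbox"), "subject": m.group("subject"),
            "file": m.group("file"), "verdict": verdict}

def scan(lines):
    """Classify every attachment request; drop everything else."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic).
_BASE = "/exchange/pgriffin/Inbox/HELLO%20THERE.EML"
_PART = _BASE + "/1_multipart_xF8FF_2_cool-file.html"
SAMPLE = [
    "2008-01-01 10:00:00 GET " + _PART
    + "/C58EA28C-18C0-4a97-9AF2-036E93DDAFB3/cool-file.html attach=1 pgriffin"
    + " https://victim-domain.foo" + _BASE + " 200",
    "2008-01-01 10:05:00 GET " + _PART
    + " - pgriffin http://other-site.example/page.html 200",
    "2008-01-01 10:06:00 GET " + _PART + " - pgriffin - 200",
    "2008-01-01 10:07:00 GET /exchange/pgriffin/Inbox/ - pgriffin - 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Requests classified as `direct-offsite` reached the short URL with a referer outside the OWA host and are the ones to triage first; whether `direct` requests occur in legitimate use should be baselined per environment.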