[CSO10002] Attachment path traversal in Outlook Web Access

From: Ricardo Martins - Chief Security Officers <ricardo.martins@cso.pt>
To: bugtraq@securityfocus.com
Cc:
Subject: [CSO10002] Attachment path traversal in Outlook Web Access
Date:


This trick is mostly useful but can also be used for wrong purposes. Since it is so simple, it’s probably already known for some people.

If someone sends you a file through OWA but the file is blocked by a policy, this is what you can do:

1-Install firefox
2-Access your email and attachment with the following rule:

http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML/<attachment filename>

E.g.:
http://webmail.example.com/Exchange/myusername/Inbox/virus.EML/virus.zip

The best way is to try in following order:

1- http://<hostname>/<OWA directory>/<mail box username>/Inbox – you see all your emails
2- http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML – you see only your email with the blocked files
3- http://<hostname>/<OWA directory>/<mail box username>/Inbox/<email subject>.EML/<attachment filename> – you download the file

The actual address could be different for a couple of reasons. Try to check the attachment URL and use it like shown above.

This can also be exploited through a malicious email with a link inside pointing to the malware directly.

Server environment: Exchange/ OWA 2003 6.5.76*
Client environment: firefox 3.0.15

Ricardo Martins
CISA, ISO 27001/20000 LA
Compliance & Consulting Manager
 
Tel: +351 210 111 616     Fax: +351 210 111 618     www.cso.pt     info@cso.pt 
 
______________________________
 
Chief Security Officers, SA.
Edificio Infante D. Henrique
Rua João Chagas, 53 - 1º Esq.
1495-764 Dafundo
Portugal
 
empresa do grupo
Art of Knowledge
 
  Pense no Ambiente antes de imprimir / Consider the Environment before printing
 





Copyright © 1995-2020 LinuxRocket.net. All rights reserved.