{"id":758,"date":"2014-08-01T18:42:37","date_gmt":"2014-08-01T18:42:37","guid":{"rendered":"http:\/\/h.foofus.net\/?p=758"},"modified":"2014-08-03T16:33:22","modified_gmt":"2014-08-03T16:33:22","slug":"exchange-multiple-internal-ip-disclosures","status":"publish","type":"post","link":"http:\/\/h.foofus.net\/?p=758","title":{"rendered":"Exchange Multiple Internal IP Disclosures"},"content":{"rendered":"

—————————————————————————————————————————————-
\n1. Summary<\/p>\n

Multiple issues have been discovered that make it possible to disclose internal IP addresses of remote Microsoft Exchange environments. This includes internal addresses of the Client Access Server (CAS) which hosts services such as Outlook Web App (OWA) and Autodiscover. This also includes internal addresses of the proxy or gateways processing requests for the OWA.<\/p>\n

—————————————————————————————————————————————-
\n2. Description<\/p>\n

Attack #1 – OWA \/ Autodiscover<\/p>\n

When sending a crafted GET requests to the web server with empty host header and using the HTTP protocol version 1.0(HTTP\/1.0), the internal IP addresses of the under lying system is revealed in the header response. This flaw is believed to be an IIS issue and has been found in Microsoft Exchange systems such as Outlook Web App (OWA) and the Client Access Server (CAS). The flaw has been seen in Basic Authentication response headers on a 401 web server status and the Location headers on a 302 web server status. It\u2019s possible this flaw exists in other products that run on IIS. An example of normal behavior can be seen when performing a HTTP\/1.1 request to a protected page such as:<\/p>\n

“https:\/\/autodiscover.example.com\/Autodiscover\/Autodiscover.xml”<\/p>\n

The Basic Authentication HTTP header response normally reveals a public facing IP address or hostname of:<\/p>\n

WWW-Authenticate: Basic realm=”autodiscover.example.com”<\/p>\n

A proof of concept example can be seen below in Figure 1. All the vulnerable IIS paths discovered and there affected product versions can be seen in Table 1. Note that some of the file paths disclosed are vulnerable if default settings have not been changed. Some of the paths have been found vulnerable based on system administrator changes.<\/p>\n

TABLE 1\u2014VULNERABLE PATHS
\n\"exchange_internal_ip_table1\"<\/a><\/p>\n

FIGURE 1\u2014BASIC AUTH HEADER REVEALS INTERNAL IP ADDRESS<\/p>\n

$ openssl s_client -host autodiscover.example.com -port 443<\/p>\n

—SNIP—
\nGET \/Autodiscover\/Autodiscover.xml HTTP\/1.0
\nHTTP\/1.1 401 Unauthorized
\nCache-Control: private
\nContent-Type: text\/html
\nServer: Microsoft-IIS\/7.5
\nX-SOAP-Enabled: True
\nX-WSSecurity-Enabled: True
\nX-WSSecurity-For: None
\nX-AspNet-Version: 2.0.50727
\nWWW-Authenticate: Negotiate
\nWWW-Authenticate: NTLM
\nWWW-Authenticate: Basic realm=”10.1.1.10″
\nX-Powered-By: ASP.NET
\n—SNIP—<\/p>\n

Attack #2 – Reverse Proxy \/ Gateway<\/p>\n

It has been shown in OWA 2007 and 2010, that it\u2019s possible to reveal the internal IP address of the reverse proxy or gateway processing requests for OWA. Such proxies or gateways include Forefront TMG 2010. This attack can be performed using a web browser. When attempting to trigger ASP.NET debug and making a GET request to the OWA path “\/owa\/auth\/trace.axd”. The OWA throws a server side exception with a web server status of 403. The verbose error reveals the internal IP address of the proxy or gateway. Example output can be seen below in Figure 2.<\/p>\n

FIGURE 2\u2014REVERSE PROXY\/GATEWAY INTERNAL IP DISCLOSED<\/p>\n

An error occurred and your request couldn’t be completed. If the problem continues, contact your helpdesk with this HTTP Status code: 403.<\/p>\n

Request
\nUrl: https:\/\/mail.example.com\/owa\/auth\/trace.axd
\nUser host address: 10.1.1.1
\nOWA version: 14.2.318.3<\/p>\n

—————————————————————————————————————————————-
\n3. Impact<\/p>\n

Allow an attacker to gather information about the internal network.<\/p>\n

—————————————————————————————————————————————-
\n4. Affected Products<\/p>\n

Microsoft Exchange CAS 2013
\nMicrosoft Exchange CAS 2010
\nMicrosoft Exchange CAS 2010\/Forefront TMG 2010
\nMicrosoft Exchange CAS 2007
\nMicrosoft Exchange OWA 2003<\/p>\n

—————————————————————————————————————————————-
\n5. Solution<\/p>\n

Only attack two is fixed in current versions. Apply the latest supplied vendor patches.<\/p>\n

—————————————————————————————————————————————-
\n6. Time Line<\/p>\n

12\/17\/2012 Reported Vulnerability to the Vendor
\n01\/03\/2013 Vendor Confirmed the Vulnerability
\n08\/01\/2014 Publicly Disclosed<\/p>\n

—————————————————————————————————————————————-
\n7. Credits<\/p>\n

Discovered by Nate Power<\/p>\n

—————————————————————————————————————————————-<\/p>\n","protected":false},"excerpt":{"rendered":"

—————————————————————————————————————————————- 1. Summary Multiple issues have been discovered that make it possible to disclose internal IP addresses of remote Microsoft Exchange environments. This includes internal addresses of the Client Access Server (CAS) which hosts services such as Outlook Web App (OWA) and Autodiscover. This also includes internal addresses of the proxy or gateways processing requests […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-758","post","type-post","status-publish","format-standard","hentry","category-advisories"],"_links":{"self":[{"href":"http:\/\/h.foofus.net\/index.php?rest_route=\/wp\/v2\/posts\/758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/h.foofus.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/h.foofus.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/h.foofus.net\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"http:\/\/h.foofus.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=758"}],"version-history":[{"count":10,"href":"http:\/\/h.foofus.net\/index.php?rest_route=\/wp\/v2\/posts\/758\/revisions"}],"predecessor-version":[{"id":813,"href":"http:\/\/h.foofus.net\/index.php?rest_route=\/wp\/v2\/posts\/758\/revisions\/813"}],"wp:attachment":[{"href":"http:\/\/h.foofus.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/h.foofus.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=758"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/h.foofus.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}