A security vulnerability in Microsoft Exchange has been discovered that allows attackers to cause the server to return the cookie information inside the HTML response.
The information about how to fix this vulnerability has been disclosed here:
Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250)
However, until now we have not seen any technical description of the vulnerability, or of how to verify whether or not you are vulnerable without checking for the patch’s existence.
We believe, though we cannot be 100% sure, that this vulnerability has been addressed in Microsoft’s patch for CVE-2015-2505.
We were in the process of purchasing this vulnerability for our SecuriTeam Secure Disclosure program, when this advisory came out. So we decided to go ahead and release the information after giving Microsoft’s customers a grace period to deploy this patch.
The vulnerability occurs when a malformed request causes the IIS server to return a “500 Internal Server Error”.
The triggering data is a simple malformed request such as /owa/service.svc/AAAA. This causes the IIS server to dump a large amount of debug data back to the user, which includes the HTTP server headers as well as the HTTP cookie.
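Because every probe for this bug leaves a 500 response to an unexpected path under /owa/service.svc in the IIS logs, it can be hunted for after the fact. The following is an added detection example written for this advisory, not code from the original post; it assumes the default IIS W3C log field layout and uses constructed sample log lines.

```python
"""Find probes for the OWA /owa/service.svc information-disclosure bug in
IIS W3C logs (added example for this advisory; not from the original post)."""
import re
from collections import defaultdict

# A request that appends an extra path segment after /owa/service.svc
# (the advisory's example is /owa/service.svc/AAAA) and is answered with
# HTTP 500 is the signature of this disclosure being triggered.
SUSPECT_PATH = re.compile(r"^/owa/service\.svc/[^/?]+", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per IIS W3C log entry, keyed by the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry; skip rather than misattribute it
        yield dict(zip(fields, values))

def find_probes(lines):
    """Return {client_ip: count} of 500 responses to malformed service.svc paths."""
    hits = defaultdict(int)
    for rec in parse_w3c(lines):
        if rec.get("sc-status") == "500" and SUSPECT_PATH.match(rec.get("cs-uri-stem", "")):
            hits[rec["c-ip"]] += 1
    return dict(hits)

# Constructed sample log (not real traffic); the two 500 entries are the probes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-09-08 10:00:01 10.0.0.5 POST /owa/service.svc action=GetFolder 443 DOMAIN\\alice 192.0.2.10 Mozilla/5.0 200 0 0 31
2015-09-08 10:00:02 10.0.0.5 GET /owa/service.svc/AAAA - 443 - 198.51.100.7 Mozilla/5.0 500 0 0 15
2015-09-08 10:00:03 10.0.0.5 GET /owa/service.svc/BBBB - 443 - 198.51.100.7 Mozilla/5.0 500 0 0 12
2015-09-08 10:00:04 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 8
""".splitlines()

if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG))  # {'198.51.100.7': 2}
```

On an unpatched server each hit is a likely cookie leak for whichever session the request carried, so the flagged source addresses and time windows are the starting point for session invalidation and further review.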
You can obtain the cookie through use of an XMLHttpRequest and an HTTP request sent to the affected OWA server: