The issue is that Outlook Web Access (OWA), a feature that allows external users to access a SharePoint site via a web browser, has an ActiveX control called the OAuth ActiveX control, which has a hardcoded password. This password is stored in the insecure Internet Explorer (IE) application. Although OWA is not an Edge application, it does support OAuth, and thus an attacker can leverage the same attack chain to exploit the hardcoded password in the IE application.

Vulnerability Discovery and Exploitation

Vulnerability discovery and exploitation is the process of identifying a bug in software or hardware and discovering a way to exploit that bug. In general, this means finding and then taking advantage of an unintended capability within the target software or hardware system. Vulnerabilities can be exploited either by a malicious attacker (such as a hacker) who intentionally uses the vulnerability against another user, or by a system administrator who has "authorized" access to the target software or hardware. Vulnerabilities can also exist because of intentional design decisions made by developers. Vulnerabilities discovered in software and hardware may be exploited for profit, espionage, sabotage, personal gain, revenge, criminal activities, demonstration of technical capabilities for research purposes, and more.

Vulnerability overview:

An attacker can leverage a hardcoded password of "password", which is stored in the insecure Internet Explorer (IE) application. This password is used to authenticate an OAuth ActiveX control that allows access to SharePoint sites via OWA. Although OWA is not an Edge application, it does support OAuth, and thus this vulnerability could be exploited on a SharePoint site with Internet Explorer by leveraging the same attack chain.

Prerequisites and setup

The attacker must be able to access the SharePoint site. (They cannot reach it with a direct web-based attack.)
The attacker must also have access to the "C:\Documents and Settings\All Users\Application Data\Microsoft Office\Outlook" folder on the victim's computer. This can be accomplished by running a browser-based exploit like an ActiveX exploit or a URL-based cross-site scripting vulnerability on the SharePoint site.
The OWA web client application must not be blocked from accessing the SharePoint site.

Timeline

Published on: 02/09/2022 17:15:00 UTC
Last modified on: 02/14/2022 17:05:00 UTC
