After receiving a recent submission affecting OWA 2007, we have been eyeing a proper environment to test it out. With Exchange 2007 installed on Windows Server 2008 and OWA in place, we started our trusted bt4 webserver and put the malicious html file there. For good measure we decided to attack a logged-in OWA user on a Windows 7 machine.
It is worth remembering that since this is a CSRF type of exploit, we would need to convince the target user to visit our malicious html page by some other means (encoded URL link in an email, etc.).
With all that said, the exploit is straightforward. As soon as the target user visits the proper webpage, the hidden form executes and a forwarding rule is created without drawing too much attention.
The attacker could certainly try to hide any visible elements on the page and invoke the submission of the hidden form data through a simple JavaScript without any user involvement. However, it may be more creative and successful to design a very official-looking HTML page without any requests for personal data (phishing style) and thereby convince the victim to invoke the exploit.
Finally, should the victim open and process the attacking webpage without being logged in to OWA, a simple 440 Login Timeout from the OWA server appears: no harm done. Check out the Outlook Web Access 2007 CSRF Exploit and the Outlook Web Access 2007 CSRF Verification Movie.
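What makes the hidden form work is that the browser attaches the victim's OWA session cookie to a POST that originated on another site, and the rule-creation handler accepts it on the cookie alone. The check below is an added example written for this post (not OWA's own code) of the server-side gate that would have refused that request: it verifies the Origin/Referer against the mail host and requires a session-bound token the foreign page cannot know, while an unauthenticated visit is simply turned away as the post describes. The hostname, cookie name and form fields are hypothetical.

```python
# Added example: a CSRF gate for state-changing requests such as "add forwarding rule".
# Hostname, cookie name, form fields and secret are hypothetical/constructed.
import hmac
import hashlib
from urllib.parse import urlparse

OWA_HOST = "owa.example.test"        # hypothetical mail host
SECRET = b"server-side-secret-key"   # constructed; a real server loads this from config


def csrf_token(session_id: str) -> str:
    """Per-session token the server recomputes instead of storing."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(req: dict) -> str:
    """Return 'ok' if the request may change state, else why it is refused."""
    session_id = req.get("cookies", {}).get("sessionid")
    if not session_id:
        # Unauthenticated visitor: same outcome as the post's 440 Login Timeout.
        return "login-required"
    if req["method"] not in ("POST", "PUT", "DELETE"):
        return "ok"  # read-only requests change nothing
    origin = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not origin or urlparse(origin).hostname != OWA_HOST:
        return "bad-origin"  # the hidden form was submitted from another site
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return "bad-token"  # a foreign page cannot read the session-bound token
    return "ok"


# Constructed sample requests: a legitimate rule change from inside OWA,
# the cross-site hidden-form POST riding on the victim's cookie, and an
# unauthenticated visit to the same malicious page.
LEGIT = {"method": "POST", "headers": {"Origin": "https://owa.example.test"},
         "cookies": {"sessionid": "abc123"},
         "form": {"action": "add-forward", "csrf_token": csrf_token("abc123")}}
CROSS_SITE = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "cookies": {"sessionid": "abc123"},
              "form": {"action": "add-forward"}}
NOT_LOGGED_IN = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
                 "cookies": {}, "form": {"action": "add-forward"}}

if __name__ == "__main__":
    for name, r in [("legit", LEGIT), ("cross-site", CROSS_SITE), ("no-session", NOT_LOGGED_IN)]:
        print(name, "->", check_request(r))
```

Either check alone stops the hidden form; both together also cover browsers that omit Origin on some form posts.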


