Hotmail Cross Site Scripting Vulnerability (Malformed Tags)
20 Dec. 2004
Summary
Finjan has discovered a script injection vulnerability in Hotmail that allows a remote attacker to execute malicious scripts when the victim is reading his/her email, this is due to Hotmail's inability to process correctly malformed HTML tags and make the script embedded inside them useless.
Hotmail's mobile code filtering mechanism is based on an active content filter whose purpose is to block the injection of any active content into Hotmail messages. Hotmail's filter identifies any possibly malicious HTML tags, properties and elements, and then modifies them into a non-malicious code.
When receiving an email, Hotmail's filtering engine analyzes and filters the HTML event properties inside the email s HTML tags. Hotmail's filter identifies the dangerous event properties and renames them to x +event, thereby alters their original functionality.
For example:
< img onmouseover=alert()></img>
is renamed to:
< img xonmouseover=alert()></img>
While the filter analyzes the data, it does not inspect all content after the = and before the next property. This means that in the example above, the alert() code will not be inspected and filtered. This can be exploited by creating a malformed HTML tag which will fake a property and then execute an event property.
The malformed request must have the following syntax:
< [anytag] [anychar/word]=[anychar from ascii 1-8 or 14-31)] [event property]=[javascript]>
For example:
< img MCRC= onmouseover=alert()>
All the data after the =[special char][space] tag is considered by Hotmail's filter to be the data inside the fake tag, and it is therefore not inspected. Internet browsers however, execute this as a valid code.
ANY tag/object that supports HTML events can be used to remotely call a JavaScript file. The injected JavaScript code is responsible for:
* Automatically launching malicious code
* Stealing the victim s password by using a spoofed re-login window
* Reading the victim s INBOX and contacts
* Sending email messages without any user authorization
Proof Of Concept: < img src= http://www.finjan.com/images/logo.gif MCRC= onmouseover=alert( Cross Site Scripting Javascript Injected! )>< img>
Vulnerability Status:
Vendor was notified on Sep 8th, 2004. The bug is now fixed.
