Hotmail is one of the world's largest providers of free, Web-based e-mail. Hotmail contains an XSS vulnerability that allows attackers to hijack another user's session and gain access to their mailbox and other MSN services. Unlike most XSS attacks, which require a user to click on a tainted link, exploitation in this case only requires a Hotmail user to view a malicious e-mail. Sending the e-mail from a forged e-mail address affords a greater chance of successful exploitation.
Credit:
The original advisory can be found here: http://ce.aut.ac.ir/~niksefat/Hotmail/Hotmail-xss-report.html.
The information has been provided by Salman Niksefat.
By sending the following HTML content, it is possible to bypass Hotmail's security filters and run JavaScript code in the client browser:
<xmp><IMG src='test.gif&</xmp><IMG onerror=alert(document.cookie) src='><IMG src='><IMG src='test.gif&''''>
Analysis:
The trick relies on <XMP> and the single quotes. The browser renders anything between <xmp> tags as literal text and does not interpret it as HTML, so the browser ignores the first single quote; Hotmail's filter, however, treats that quote as the opening quote of an attribute value. The filter therefore skips the code between the first and second quotes, while the browser parses that same code as markup and runs the JavaScript.
Running JavaScript code gives the attacker the ability to steal the user's cookie. Once a user's Hotmail cookie has been stolen, an attacker has the ability to gain full control over the user's account until the user logs out or the session times out (Hotmail's default setting is to never time out). During that time, an attacker could read, remove, and store all e-mails, as well as send e-mails from the compromised account.
The ability to execute arbitrary Hotmail actions allows an attacker to set any option that the targeted user could normally set under the Options menu. This includes redirecting all e-mail to the deleted folder and modifying the user's name or e-mail signature.
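The parser mismatch described above, worked through in code. This is an added Python example written for this page, not code from the advisory or from Microsoft. The quote-skipping filter is an assumed model of the failing filter class the advisory describes (Hotmail's real filter is not public); the browser-style tokenizer implements the raw-text rule for <xmp> that such a filter lacks; and the allowlist sanitizer shows the mitigation, which is to tokenize the way a browser does, keep only an explicit allowlist of tags and attributes, and re-serialise the result so it has exactly one possible parse. The allowlist itself is illustrative.

```python
import html
import re

# The advisory's own payload, embedded here as the test input.
ADVISORY_PAYLOAD = ("<xmp><IMG src='test.gif&</xmp>"
                    "<IMG onerror=alert(document.cookie) src='>"
                    "<IMG src='><IMG src='test.gif&''''>")

# Elements whose content a browser treats as raw text: nothing inside them is
# parsed as markup until the matching end tag (xmp is obsolete but still honoured).
RAWTEXT_ELEMENTS = {"xmp", "script", "style", "textarea", "title", "plaintext",
                    "noscript", "noembed", "noframes", "iframe"}
EVENT_RE = re.compile(r"on[a-z]+(?=\s*=)", re.I)

def naive_quote_skipping_filter(markup):
    """Assumed model of the failing filter class: scan the raw text, treat any
    quoted run as an attribute value and skip it, and report on* attributes seen
    outside quotes. A hypothesis about the behaviour the advisory describes,
    not Hotmail's actual code."""
    found, i, n = [], 0, len(markup)
    while i < n:
        if markup[i] in "'\"":
            close = markup.find(markup[i], i + 1)
            i = n if close < 0 else close + 1      # skip the "quoted value"
            continue
        m = EVENT_RE.match(markup, i) if i == 0 or markup[i - 1].isspace() else None
        if m:
            found.append(m.group(0).lower())
            i = m.end()
            continue
        i += 1
    return found

TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)")
ATTR_RE = re.compile(r"""\s*([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?""")

def tokenize(markup):
    """Browser-style tokens: ('text', s), ('start', name, attrs), ('end', name).
    After a raw-text start tag the content up to its end tag is one text token,
    which is exactly the rule the quote-skipping filter lacks."""
    tokens, i, n = [], 0, len(markup)
    while i < n:
        m = TAG_RE.search(markup, i)
        if not m:
            tokens.append(("text", markup[i:]))
            break
        if m.start() > i:
            tokens.append(("text", markup[i:m.start()]))
        closing, name, j, attrs = m.group(1) == "/", m.group(2).lower(), m.end(), {}
        while j < n and markup[j] != ">":
            am = ATTR_RE.match(markup, j)
            if not am:
                j += 1                              # stray '/', '=' or whitespace
                continue
            value = next((g for g in am.groups()[1:] if g is not None), "")
            attrs.setdefault(am.group(1).lower(), value)
            j = am.end()
        i = j + 1
        if closing:
            tokens.append(("end", name))
            continue
        tokens.append(("start", name, attrs))
        if name in RAWTEXT_ELEMENTS:
            end = re.search(r"</" + name + r"\b", markup[i:], re.I)
            stop = n if end is None else i + end.start()
            tokens.append(("text", markup[i:stop]))
            i = stop
    return tokens

def browser_event_handlers(markup):
    """Event-handler attributes a browser-style tokenizer actually sees."""
    return [k for tok in tokenize(markup) if tok[0] == "start"
            for k in tok[2] if k.startswith("on")]

# Illustrative allowlist; a mail provider would tune this to its needs.
ALLOWED = {"b": set(), "i": set(), "u": set(), "p": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}
SAFE_URL = re.compile(r"^(https?:)?//|^[^:]*$", re.I)

def sanitize(markup):
    """Allowlist sanitizer: drop raw-text elements wholesale, keep only listed
    tags and attributes, reject non-http(s) URLs, and re-serialise with
    escaping so the output has a single unambiguous parse."""
    out, skipping = [], None
    for tok in tokenize(markup):
        if skipping:
            skipping = None if tok[0] == "end" and tok[1] == skipping else skipping
            continue
        if tok[0] == "text":
            out.append(html.escape(tok[1], quote=False))
        elif tok[0] == "start":
            name, attrs = tok[1], tok[2]
            if name in RAWTEXT_ELEMENTS:
                skipping = name
            elif name in ALLOWED:
                parts = [' %s="%s"' % (k, html.escape(v, quote=True))
                         for k, v in attrs.items()
                         if k in ALLOWED[name] and (k not in ("href", "src") or SAFE_URL.match(v))]
                out.append("<%s%s>" % (name, "".join(parts)))
        elif tok[1] in ALLOWED and tok[1] not in VOID:
            out.append("</%s>" % tok[1])
    return "".join(out)
```

On the advisory's payload the quote-skipping filter reports no event handlers at all, the browser-style tokenizer reports onerror, and the sanitizer emits two plain img tags with escaped src values and no xmp element. The general lesson is that a filter which inspects raw bytes with its own notion of quoting will always be out of step with some browser parsing rule; the safe design is to parse exactly as a browser does (raw-text elements included) and then rebuild the markup from an allowlist rather than trying to spot bad fragments in the original.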
Exploit:
In the lab we've developed a working exploit which downloads the Hotmail INBOX of a user once he/she opens our e-mail. A sample exploit is available online. It just runs a very simple piece of JavaScript code once you open the e-mail: http://ce.aut.ac.ir/~niksefat/Hotmail/Hotmail-xss-test.php
Vendor status:
Microsoft has been contacted and has fixed the vulnerability on October 17, 2003.