[NEWS] New XSS Vulnerability in Microsoft Hotmail Allows Access to Mailboxes (XMP)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/19/03

    To: list@securiteam.com
    Date: 19 Oct 2003 12:58:38 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      New XSS Vulnerability in Microsoft Hotmail Allows Access to Mailboxes
    (XMP)
    ------------------------------------------------------------------------

    SUMMARY

    Hotmail is one of the world's largest providers of free, Web-based e-mail.
    Hotmail contains an XSS vulnerability that allows an attacker to hijack
    another user's session and gain access to that user's mailbox and other
    MSN services. Unlike most XSS attacks, which require the victim to click
    on a tainted link, exploitation in this case only requires a Hotmail user
    to view a malicious e-mail. Sending the e-mail from a forged sender
    address increases the chance of successful exploitation.

    DETAILS

    By sending the following HTML content in an e-mail, it is possible to
    bypass Hotmail's security filters and run JavaScript in the recipient's
    browser:
    <xmp><IMG src='test.gif&</xmp><IMG onerror=alert(document.cookie)
    src='><IMG src='><IMG src='test.gif&''''>

    Analysis:
    The trick is the combination of <XMP> and the single quotes. A browser
    renders everything between <xmp> and </xmp> as literal text and does not
    parse it as markup, so the first single quote (in src='test.gif&) is never
    treated as the start of an attribute value. Hotmail's filter does not
    understand <xmp>: it takes that quote as opening a quoted attribute value
    and treats everything up to the next single quote, including the </xmp>
    tag and the onerror=alert(document.cookie) attribute, as an inert string,
    so it lets the content through. The browser parses the same bytes
    differently: </xmp> ends the literal-text section, the following <IMG
    onerror=...> is an ordinary tag whose src cannot be loaded, and the
    onerror handler runs. The remaining <IMG src='...'> tags and the trailing
    quotes appear to serve only to keep the quotes balanced as the filter
    sees them.
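    As an added illustration (not code from the advisory or from Hotmail), the
    following JavaScript models the parsing mismatch described above: a
    quote-tracking filter that knows nothing about <xmp>, a simplified
    browser-style tokenizer that does, and a filter built on that tokenizer.
    The payload is the advisory's own; the filter and tokenizer are constructed
    stand-ins and make no claim about how Hotmail's real filter was written.

```javascript
// Added example (not code from the SecuriTeam advisory or from Hotmail): a
// constructed model of why the <xmp> payload above passes a quote-tracking
// filter yet still runs in a browser. PAYLOAD is the advisory's payload; the
// filter and tokenizer are simplified stand-ins, not Hotmail's code.
const PAYLOAD =
  "<xmp><IMG src='test.gif&</xmp><IMG onerror=alert(document.cookie) " +
  "src='><IMG src='><IMG src='test.gif&''''>";

// Elements whose content browsers treat as raw text rather than markup.
const RAW_TEXT_ELEMENTS = new Set(["xmp", "script", "style", "textarea", "title"]);

// Model of a filter that tracks quotes but knows nothing about <xmp>: an
// event-handler attribute is stripped only when it is seen outside quotes.
function naiveFilter(html) {
  let out = "", quote = null, i = 0;
  while (i < html.length) {
    const c = html[i];
    if (quote) {                        // inside what the filter thinks is a value
      out += c; if (c === quote) quote = null; i++; continue;
    }
    if (c === "'" || c === '"') { quote = c; out += c; i++; continue; }
    const m = /^on[a-z]+\s*=\s*[^\s>]*/i.exec(html.slice(i));
    if (m) { i += m[0].length; continue; }   // drop onXXX=... seen outside quotes
    out += c; i++;
  }
  return out;
}

// Simplified browser-style tokenizer: honours raw-text elements and parses
// attributes roughly as a browser does (a quoted value ends at the matching
// quote, an unquoted value at whitespace or '>').
function tokenize(html) {
  const tokens = [];
  const lower = html.toLowerCase();
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") {
      let j = html.indexOf("<", i); if (j === -1) j = html.length;
      tokens.push({ type: "text", data: html.slice(i, j) }); i = j; continue;
    }
    let j = i + 1, closing = false, name = "";
    if (html[j] === "/") { closing = true; j++; }
    while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
    if (!name) { tokens.push({ type: "text", data: "<" }); i++; continue; }
    name = name.toLowerCase();
    const attrs = {};
    while (j < html.length && html[j] !== ">") {
      if (/\s/.test(html[j])) { j++; continue; }
      let aname = "", value = "";
      while (j < html.length && !/[\s=>]/.test(html[j])) aname += html[j++];
      while (j < html.length && /\s/.test(html[j])) j++;
      if (html[j] === "=") {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === "'" || q === '"') {
          const end = html.indexOf(q, j + 1);
          value = html.slice(j + 1, end === -1 ? html.length : end);
          j = end === -1 ? html.length : end + 1;
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) value += html[j++];
        }
      }
      if (aname) attrs[aname.toLowerCase()] = value;
    }
    j++;                                         // skip '>'
    tokens.push({ type: closing ? "endtag" : "tag", name, attrs });
    i = j;
    if (!closing && RAW_TEXT_ELEMENTS.has(name)) {   // raw text up to </name
      let end = lower.indexOf("</" + name, i); if (end === -1) end = html.length;
      tokens.push({ type: "text", data: html.slice(i, end) }); i = end;
    }
  }
  return tokens;
}

// Event-handler attributes a browser would actually see in the given HTML.
function findEventHandlers(html) {
  const found = [];
  for (const t of tokenize(html)) {
    if (t.type !== "tag") continue;
    for (const [k, v] of Object.entries(t.attrs))
      if (k.startsWith("on")) found.push({ tag: t.name, attr: k, value: v });
  }
  return found;
}

// Filter that parses like the browser first, drops every on* attribute and
// any attribute with an odd name, then re-serializes with explicit quoting.
function tokenizerAwareFilter(html) {
  return tokenize(html).map((t) => {
    if (t.type === "text") return t.data;
    if (t.type === "endtag") return "</" + t.name + ">";
    const kept = Object.entries(t.attrs)
      .filter(([k]) => /^[a-z][a-z0-9-]*$/.test(k) && !k.startsWith("on"))
      .map(([k, v]) => " " + k + '="' + v.replace(/&/g, "&amp;").replace(/"/g, "&quot;") + '"')
      .join("");
    return "<" + t.name + kept + ">";
  }).join("");
}

console.log("after naive filter:", findEventHandlers(naiveFilter(PAYLOAD)));
console.log("after tokenizer-aware filter:", findEventHandlers(tokenizerAwareFilter(PAYLOAD)));
```

    Run it with node: naiveFilter returns the payload unchanged,
    findEventHandlers reports the onerror attribute the browser would execute,
    and tokenizerAwareFilter removes it. The general point is that a sanitizer
    must parse input the way the receiving browser will, raw-text elements
    included, or else reject markup it does not fully understand.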

    Running JavaScript gives the attacker the ability to steal the user's
    cookie. Once a user's Hotmail cookie has been stolen, the attacker has full
    control over the account until the user logs out or the session times out
    (Hotmail's default setting is to never time out). During that time, the
    attacker can read, delete, and store all e-mails, as well as send e-mails
    from the compromised account.

    The ability to execute arbitrary Hotmail actions allows an attacker to set
    any option that the targeted user could normally set under the Options
    menu. This includes redirecting all e-mail to the deleted folder and
    modifying the user's name or e-mail signature.

    Exploit:
    In the lab we've developed a working exploit which downloads the Hotmail
    INBOX of a user once he/she opens our e-mail. A sample exploit is available
    online. It just runs a very simple piece of JavaScript once you open the
    e-mail:
    http://ce.aut.ac.ir/~niksefat/Hotmail/Hotmail-xss-test.php

    Vendor status:
    Microsoft was contacted and fixed the vulnerability on October 17, 2003.

    ADDITIONAL INFORMATION

    The original advisory can be found here:
    http://ce.aut.ac.ir/~niksefat/Hotmail/Hotmail-xss-report.html

    The information has been provided by <mailto:niksefat@ce.aut.ac.ir>
    Salman Niksefat.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

