[NEWS] Hotmail Cross Site Scripting Vulnerability (Malformed Tags)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/20/04

  • Next message: SecuriTeam: "[NEWS] Hotmail Cross-Site Scripting Vulnerability (IE gte)"
    To: list@securiteam.com
    Date: 20 Dec 2004 18:38:27 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Hotmail Cross Site Scripting Vulnerability (Malformed Tags)
    ------------------------------------------------------------------------

    SUMMARY

    Finjan has discovered a script injection vulnerability in Hotmail that
    allows a remote attacker to execute malicious scripts when the victim is
    reading his/her email, this is due to Hotmail's inability to process
    correctly malformed HTML tags and make the script embedded inside them
    useless.

    DETAILS

    Hotmail's mobile code filtering mechanism is based on an active content
    filter whose purpose is to block the injection of any active content into
    Hotmail messages. Hotmail's filter identifies any possibly malicious HTML
    tags, properties and elements, and then modifies them into a non-malicious
    code.

    When receiving an email, Hotmail's filtering engine analyzes and filters
    the HTML event properties inside the email s HTML tags. Hotmail's filter
    identifies the dangerous event properties and renames them to x +event,
    thereby alters their original functionality.

    For example:
    < img onmouseover=alert()></img>
    is renamed to:
    < img xonmouseover=alert()></img>

    While the filter analyzes the data, it does not inspect all content after
    the = and before the next property. This means that in the example above,
    the alert() code will not be inspected and filtered. This can be exploited
    by creating a malformed HTML tag which will fake a property and then
    execute an event property.

    The malformed request must have the following syntax:
    < [anytag] [anychar/word]=[anychar from ascii 1-8 or 14-31)] [event
    property]=[javascript]>

    For example:
    < img MCRC= onmouseover=alert()>

    All the data after the =[special char][space] tag is considered by
    Hotmail's filter to be the data inside the fake tag, and it is therefore
    not inspected. Internet browsers however, execute this as a valid code.

    ANY tag/object that supports HTML events can be used to remotely call a
    JavaScript file. The injected JavaScript code is responsible for:
     * Automatically launching malicious code
     * Stealing the victim s password by using a spoofed re-login window
     * Reading the victim s INBOX and contacts
     * Sending email messages without any user authorization

    Proof Of Concept:
    < img src= http://www.finjan.com/images/logo.gif MCRC= onmouseover=alert(
    Cross Site Scripting Javascript Injected! )>< img>

    Vulnerability Status:
    Vendor was notified on Sep 8th, 2004. The bug is now fixed.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:theinsider@012.net.il> Rafel
    Ivgi, The-Insider.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] Hotmail Cross-Site Scripting Vulnerability (IE gte)"

    Relevant Pages

    • [NEWS] Cisco WSM URL Filtering Solution TCP ACL Bypass Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability exists in the Cisco Firewall Services Module ... The FWSM may be used in conjunction with a Websense Enterprise ... filter is also exempt from the inbound ACL inspection on any interface. ...
      (Securiteam)
    • [NEWS] Hotmail Cross-Site Scripting Vulnerability (IE gte)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Hotmail's filter identifies any possibly malicious HTML ... In order to bypass this protection, a comment tag can be added before the ... script as an HTML comment. ...
      (Securiteam)
    • [NT] Bypassing ZoneAlarm Pro Mobile Code
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Presented below is a method of bypassing the ZoneAlarm Pro "Mobile Code" ... For example the filter blocks out any ...
      (Securiteam)
    • [TOOL] PIRANA - Email Content Filters Exploitation Framework
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PIRANA - Email Content Filters Exploitation Framework ... By means of a vulnerability database, the content filter to be tested will ...
      (Securiteam)