[VulnWatch] Hotmail Cross Site Scripting Vulnerability #2

From: Rafel Ivgi (rivgi_at_finjan.com)
Date: 10/15/04

  • Next message: Brad Zimmerman: "[VulnWatch] Veritas BackupExec Agent vulnerability"
    To: <bugs@securitytracker.com>, <Bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
    Date: Fri, 15 Oct 2004 12:49:27 +0200
    
    

    Finjan Security Advisory
    =================
    Hotmail Cross Site Scripting Vulnerability #2

    Introduction
    ------------
    Finjan has discovered a script injection vulnerability in Hotmail
    that allows a remote attacker to execute malicious scripts when
    the victim is reading his/her email.

    Technical Description
    ---------------------
    Hotmail’s mobile code filtering mechanism is based on an active
    content filter whose purpose is to block the injection of any
    active content into Hotmail messages. Hotmail’s filter identifies
    any possibly malicious HTML tags, properties and elements, and
    then modifies them into a non-malicious code.

    When receiving an email, Hotmail’s filtering engine analyzes
    and filters the HTML event properties inside the email’s HTML
    tags. Hotmail’s filter identifies the “dangerous” event properties
    and renames them to “x”+event, thereby alters their original
    functionality.

    For example:
    <img onmouseover=alert()></img>
    is renamed to:
    <img xonmouseover=alert()></img>

    While the filter analyzes the data, it does not inspect all content
    after the “=” and before the next property. This means that in
    the example above, the “alert()” code will not be inspected and
    filtered. This can be exploited by creating a malformed HTML
    tag which will ‘fake’ a property and then execute an event property.

    The malformed request must have the following syntax:
    <[anytag] [anychar/word]=[anychar from ascii 1-8 or 14-31)]
     [event property]=[javascript]>

    For example:
    ------------
    <img MCRC= onmouseover=alert()>

    All the data after the “=[special char][space]” tag is considered
    by Hotmail’s filter to be the data inside the fake tag, and it
    is therefore not inspected. Internet browsers however, execute
    this as a valid code.

    ANY tag/object that supports HTML events can be used to remotely
    call a JavaScript file. The injected JavaScript code is responsible for:

    • Automatically launching malicious code
    • Stealing the victim’s password by using a spoofed re-login window
    • Reading the victim’s inbox and contacts
    • Sending email messages without any user authorization

    The Code (Proof Of Concept)
    ----------------------cut here-----------------------
    <img src=”http://www.finjan.com/images/logo.gif” MCRC=
    onmouseover=alert(‘Cross Site Scripting – Javascript Injected!’)><img>
    ----------------------cut here-----------------------

    Vulnerability Status
    --------------------
    Vendor was notified on Sep 8th, 2004.
    The bug is now fixed.

    Credit
    ------
    Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.

    -----------------------------------------------
    This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)


  • Next message: Brad Zimmerman: "[VulnWatch] Veritas BackupExec Agent vulnerability"

    Relevant Pages

    • [Full-Disclosure] Hotmail Cross-Site Scripting Vulnerability #2
      ... Hotmail Cross Site Scripting Vulnerability ... Finjan has discovered a script injection vulnerability in Hotmail ... Hotmail’s filter identifies ... and filters the HTML event properties inside the email’s HTML ...
      (Full-Disclosure)
    • Hotmail Cross Site Scripting Vulnerability #2
      ... Finjan has discovered a script injection vulnerability in Hotmail ... Hotmail’s filter identifies ... and filters the HTML event properties inside the email’s HTML ... onmouseover=alert(‘Cross Site Scripting – Javascript Injected!’)> ...
      (Bugtraq)
    • [VulnWatch] Hotmail Cross Site Scripting Vulnerability #2
      ... Finjan has discovered a script injection vulnerability in Hotmail ... Hotmail’s filter identifies ... and filters the HTML event properties inside the email’s HTML ... onmouseover=alert(‘Cross Site Scripting – Javascript Injected!’)> ...
      (Full-Disclosure)
    • Hotmail Cross Site Scripting Vulnerability #2
      ... Finjan has discovered a script injection vulnerability in Hotmail ... Hotmail’s filter identifies ... and filters the HTML event properties inside the email’s HTML ... onmouseover=alert(‘Cross Site Scripting – Javascript Injected!’)> ...
      (Full-Disclosure)