
[Repost] Hotmail Cross-Site Scripting Vulnerabilities and Attack Methods: IE and Malformed


Source: rivgi_at_finjan.com

Hotmail Cross-Site Scripting Vulnerability

To: <bugs@securitytracker.com>, <Bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
Date: Fri, 15 Oct 2004 10:55:26 +0200


Finjan Security Advisory
=================
Hotmail Cross-Site Scripting Vulnerability #1



Introduction
------------
Finjan has discovered a script injection vulnerability in
Hotmail that allows a remote attacker to execute malicious
scripts when the victim is reading his/her mail.



Technical Description
---------------------
Hotmail's mobile code filtering mechanism is based on an active
content filter whose purpose is to block the injection of any
active content into Hotmail messages. Hotmail's filter identifies
any possibly malicious HTML tags, properties and elements,
and then modifies them into non-malicious code.


When analyzing an HTML condition comment tag
(for example: "<![if IE gte 4]>"), Hotmail's filter changes it to
a comment (e.g. "<! [if IE gte 4]>"). A space character is added
after the "<!", making the code inside the condition be treated as
a comment rather than as an executable. Any potentially malicious
code inside the condition is not altered.


For example:
<! [if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>


In order to bypass this protection, a comment tag can be added before
the condition tag.


For example:
<!-- <![if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>


At this stage the code is harmless since Internet browsers treat
this script as an HTML comment. However, a possible risk arises
when an HTML condition comment tag opener ("<!") is inserted at
the beginning of the code.


For example:
<! <!-- <![if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>


Since Hotmail's HTML filter treats this code as a comment, it does
not filter out the script. In contrast, Internet browsers do not
treat this script as a comment, but rather execute the code inside
the condition tag. In this manner, any tag that supports style,
events or javascript execution can be used to remotely call a javascript
file.


The injected javascript code could be used for:
• Automatically launching malicious code
• Stealing the victim's password by using a spoofed re-login window
• Reading the victim's inbox and contacts
• Sending email messages without any user authorization.



The Code (Proof of Concept)
----------------------cut here-----------------------
<!
<!--
<![if IE gte 4]><style>@\im\port'\ja\vasc\ript:alert()';</style>
----------------------cut here-----------------------



Vulnerability Status
--------------------
Vendor was notified on Sep 8th, 2004.
The bug is now fixed.



Credit
------
Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.



-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)


To: <bugs@securitytracker.com>, <Bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
Date: Fri, 15 Oct 2004 12:49:27 +0200


Finjan Security Advisory
=================
Hotmail Cross Site Scripting Vulnerability #2



Introduction
------------
Finjan has discovered a script injection vulnerability in Hotmail
that allows a remote attacker to execute malicious scripts when
the victim is reading his/her email.



Technical Description
---------------------
Hotmail's mobile code filtering mechanism is based on an active
content filter whose purpose is to block the injection of any
active content into Hotmail messages. Hotmail's filter identifies
any possibly malicious HTML tags, properties and elements, and
then modifies them into non-malicious code.


When receiving an email, Hotmail's filtering engine analyzes
and filters the HTML event properties inside the email's HTML
tags. Hotmail's filter identifies the "dangerous" event properties
and renames them to "x"+event, thereby altering their original
functionality.


For example:
<img onmouseover=alert()></img>
is renamed to:
<img xonmouseover=alert()></img>


While the filter analyzes the data, it does not inspect all content
after the "=" and before the next property. This means that in
the example above, the "alert()" code will not be inspected and
filtered. This can be exploited by creating a malformed HTML
tag which will "fake" a property and then execute an event property.


The malformed request must have the following syntax:
<[anytag] [anychar/word]=[anychar from ascii 1-8 or 14-31]
[event property]=[javascript]>


For example:
------------
<img MCRC= onmouseover=alert()>


All the data after the "[special char][space]" tag is considered
by Hotmail's filter to be the data inside the fake tag, and it
is therefore not inspected. Internet browsers, however, execute
this as valid code.


ANY tag/object that supports HTML events can be used to remotely
call a JavaScript file. The injected JavaScript code is responsible for:


• Automatically launching malicious code
• Stealing the victim's password by using a spoofed re-login window
• Reading the victim's inbox and contacts
• Sending email messages without any user authorization



The Code (Proof Of Concept)
----------------------cut here-----------------------
<img src=?a href="http://www.finjan.com/images/log ... ges/logo.gif?/a> MCRC=
onmouseover=alert('Cross Site Scripting - Javascript Injected!')><img>
----------------------cut here-----------------------



Vulnerability Status
--------------------
Vendor was notified on Sep 8th, 2004.
The bug is now fixed.



Credit
------
Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.



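Both advisories above describe the same weakness from a defender's point of view: a filter that recognises particular dangerous constructs and rewrites them in place (a space after "<!", an "x" prefix on event attributes) leaves everything it does not recognise untouched, so any disagreement between the filter's tokenizer and the browser's becomes a bypass. The following is an added example, not Finjan's or Hotmail's code, of the alternative design: parse the untrusted markup with a real HTML tokenizer and emit only tags and attributes on an explicit allow-list. The allow-list policy, the `example.invalid` image URL and the two sample inputs are assumptions constructed for the demonstration; the payload shapes are the ones quoted in the two advisories.

```python
"""Allow-list HTML sanitizer for untrusted e-mail markup.

Added example (not Finjan's or Hotmail's code). Comments, conditional
comments, <style>/<script> with their content, unknown attributes and
every on* handler are dropped, so it no longer matters how a particular
browser pairs names and values in a malformed attribute list such as
'MCRC= onmouseover=alert()'.
"""
from html import escape
from html.parser import HTMLParser

# Assumed policy for the example; a real deployment would tune these.
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}      # their text content is dropped too
SAFE_SCHEMES = ("http://", "https://")


def _safe_url(value):
    """Return the URL if it uses an allowed scheme, else None.
    Control characters and whitespace are removed first: browsers ignore
    them inside a scheme, so they would otherwise hide 'javascript:' from
    a plain prefix check."""
    cleaned = "".join(ch for ch in (value or "") if ch > "\x20")
    return cleaned if cleaned.lower().startswith(SAFE_SCHEMES) else None


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._raw_depth = 0   # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth += 1
            return
        if tag not in ALLOWED_TAGS or self._raw_depth:
            return
        kept = []
        for name, value in attrs:
            # Unknown names (MCRC, xonmouseover, on*) never reach the
            # output, whichever way the parser paired names with values.
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src"):
                value = _safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth = max(0, self._raw_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self._raw_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._raw_depth:
            self.out.append(escape(data))

    # Comments, conditional comments, declarations and processing
    # instructions carry nothing a mail body needs: drop them all.
    def handle_comment(self, data):
        pass

    def handle_decl(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def handle_pi(self, data):
        pass


def sanitize(markup):
    """Return an allow-listed rendering of untrusted HTML."""
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed inputs: the two payload shapes from the advisories, with a
# placeholder image URL (example.invalid) instead of any real address.
CONDITIONAL_COMMENT_POC = (
    "<!\n<!--\n<![if IE gte 4]>"
    "<style>@\\im\\port'\\ja\\vasc\\ript:alert()';</style>"
)
MALFORMED_ATTRIBUTE_POC = (
    "<img src=http://example.invalid/logo.gif MCRC= onmouseover=alert()><img>"
)

if __name__ == "__main__":
    for sample in (CONDITIONAL_COMMENT_POC, MALFORMED_ATTRIBUTE_POC):
        print(repr(sanitize(sample)))
```

The point of the design is that the sanitizer never has to decide whether `MCRC= onmouseover=alert()` is one attribute or two: Python's `html.parser` happens to read it as a single `mcrc` attribute whose value is `onmouseover=alert()`, an older browser read it as two, and either way nothing survives because `mcrc` and `onmouseover` are both absent from the allow-list. The same holds for the first payload: whether `<!` opens a comment, a conditional section or a bogus comment, the parser callbacks for all three are discarded and the `<style>` block is dropped with its content.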

