Bugtraq mailing list archives

Fun With MSN Chat Part I (Cross Scripting)


From: John Heasman <john.heasman () univ ox ac uk>
Date: 29 Mar 2002 17:06:49 -0000



Hi. Seeing as there has been a recent discussion 
about cross scripting on high profile sites, I thought it 
timely to release details of cross script opportunities 
on MSN's chat service.

[Introduction]

MSN Chat is an IRCX network with a web based 
client (an ActiveX control). Cross scripting has been 
discussed at length elsewhere so I won't describe it 
here.  MSN have been notified about this advisory.

[Details]

Here are two cross scripting situations.  Unicode is 
used to pass certain characters; converting the 
whole cross script part to unicode further obfuscates 
the URL making it easier to trick a user into clicking it.

http://chat.msn.com/chatroom.msnw?rm=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E

Note: A URL similar to the one above may be 
obtained by using the form on 
http://chat.msn.com/create.msnw to create a room.  
The form provides some basic client-side validation 
to check for illegal characters (< and >). This 
advisory goes to show that client-side checking has 
very little purpose (IMHO).

http://chat.msn.com/invite.msnw?hexUserName=%3Cscript%3Ealert(document.cookie)%3B%3C%5c%2Fscript%3E&hexnick=AAAAA&InvitationCode=123456789&mode=2

Note: As this string appears in quotes I have had to 
escape the / in the script tag.

The implication of the two URLs above is that 
passport cookies in the msn.com domain can be 
stolen by tricking a user into visiting a malicious 
webpage.  This can be achieved easily since the 
MSN chat control conveniently creates a clickable link 
when it detects the string http://.  

The first URL has a limit on the number of characters 
that can be present in the cross script, since it 
represents the name of a chat room the victim 
supposedly wishes to join.  The chat control will 
throw an error about illegal characters in the chat 
room name if the page is allowed to load fully (better 
to put a window.location="about::"; at the end of the 
cross script if you have room). The second URL has 
no such limitation.
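The two notes above make one point between them: the create-room form's client-side check for < and > never runs when the URL is requested directly, and the invite page's value lands inside quotes, so the only check that counts is the one the server applies when it writes the value back into the page, and that check has to match the context the value is written into. The following is an added example (not code from the advisory or from MSN) with two hypothetical page templates: a room page whose rm value goes into the HTML body, and an invite page whose hexUserName value is assumed, for the purpose of the example, to sit inside a quoted JavaScript string. Each template is shown as the advisory finds it and with server-side encoding for its context; the inputs are the advisory's two payloads, percent-decoded.

```python
import html
import json

# Constructed inputs: the two payloads from the advisory's URLs, percent-decoded.
ROOM_NAME_PAYLOAD = "<script>alert(document.cookie);</script>"
USERNAME_PAYLOAD = "<script>alert(document.cookie);<\\/script>"  # one backslash before the slash


def render_room_vulnerable(rm: str) -> str:
    """Hypothetical chatroom page: the rm parameter is written straight into the
    HTML body. The create-room form's browser-side check is irrelevant here
    because this page only ever sees the URL, not the form."""
    return f"<html><body><h1>Joining room: {rm}</h1></body></html>"


def render_room_hardened(rm: str) -> str:
    """Same page with the check where it belongs: the server entity-encodes the
    value for an HTML body context, so the browser renders it as text."""
    return f"<html><body><h1>Joining room: {html.escape(rm, quote=True)}</h1></body></html>"


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that is safe inside <script>.
    json.dumps escapes quotes and backslashes; < > & are then written as \\uXXXX
    escapes so the HTML parser can never meet '</script' (or '<\\/script')
    inside the literal, however the input spells it."""
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def render_invite_vulnerable(hex_user_name: str) -> str:
    """Hypothetical invite page (assumed sink): the value is interpolated,
    unencoded, into a quoted JavaScript string. Quotes, backslashes and tags in
    the input therefore reach the browser's parsers as code, not as data."""
    return f'<script>var user = "{hex_user_name}";</script>'


def render_invite_hardened(hex_user_name: str) -> str:
    """Same page, value encoded for the JavaScript-string context. Note that
    html.escape would be the wrong tool here: it produces &quot; and &lt;,
    which are not decoded inside a <script> block."""
    return f"<script>var user = {js_string_literal(hex_user_name)};</script>"


def count_script_tags(page: str) -> int:
    """Number of <script start tags in a page; the templates above intend at most one."""
    return page.lower().count("<script")


if __name__ == "__main__":
    for name, page in (("room/vulnerable", render_room_vulnerable(ROOM_NAME_PAYLOAD)),
                       ("room/hardened", render_room_hardened(ROOM_NAME_PAYLOAD)),
                       ("invite/vulnerable", render_invite_vulnerable(USERNAME_PAYLOAD)),
                       ("invite/hardened", render_invite_hardened(USERNAME_PAYLOAD))):
        print(f"{name}: {count_script_tags(page)} script tag(s): {page}")
```

The room-name limit the author mentions is a property of the vulnerable template, not of the fix: once the value is encoded for its context, its length no longer matters. The two encoders are deliberately different functions because an HTML body and a JavaScript string literal are decoded by different parsers; reusing one for the other is the usual way such a fix goes wrong.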

Let us now discuss the implications for MSN Chat.  
The above URLs enable an attacker to impersonate 
another user on the chat service and alter his/her 
nickname and profile.  The three cookies that are of 
interest are:

MSPProf (Profile information)
MSPAuth (Authentication information)
MSNChatNN (Nickname)

It is possible for an attacker to use only the victim's 
MSNChatNN, thus stealing his nickname but not his 
identity as such.  Some chat room operators use non-
MSN clients to allow the use of more advanced IRCX 
commands, e.g. the ACCESS command to auto-host 
depending on nickname/identity etc. Obviously this is 
not a good idea in light of this bug.

[About Cross Scripting in general]

I would agree with earlier postings about the extent of 
cross scripting vulnerabilities.  I visited a number of 
UK retailers' websites and I would say that 80 - 90% 
were vulnerable to cross scripting.  I was (am?) 
planning to release a list or attempt to contact site 
admins to inform them.  This got me thinking about 
automating detection of cross scripting 
vulnerabilities - at the basic level, scanning a page for 
any forms, returning the form with some arbitrary 
input then scanning the returned page for that same 
input.  Of course this is largely simplified but it is an 
interesting idea.  If anyone is interested in discussing 
this, please get in contact.
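The automated check sketched above, as an added example that is not part of the original post: find every form on a page, submit each one with a unique marker in one field at a time, and look for the marker in the response. It goes a little beyond the post's description in that the probe also carries the characters < > " ' and the result distinguishes a value that came back unencoded (a reflected cross scripting candidate) from one that came back entity-encoded (reflected but harmless). The `submit` callback stands in for an HTTP client so the example runs offline; `SAMPLE_PAGE` and `sample_app` are a constructed stand-in for a site with one raw and one encoded field, the sort of self-check an application owner can run against their own forms.

```python
import html
import secrets
from html.parser import HTMLParser


class FormExtractor(HTMLParser):
    """Collect every <form> on a page: its action, method and the names of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            kind = (a.get("type") or "text").lower()
            if name and kind not in ("submit", "button", "reset", "file", "image"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_reflections(page_html, submit):
    """Submit each form once per field with a unique marker in that field and
    classify how the marker comes back. `submit(action, method, data)` returns
    the response body; in real use it would be an HTTP client, here a local stub.
    Result: {(action, field): "unencoded" | "encoded" | "absent"}."""
    extractor = FormExtractor()
    extractor.feed(page_html)
    results = {}
    for form in extractor.forms:
        for field in form["fields"]:
            token = "xs" + secrets.token_hex(6)   # unique, so it cannot occur by chance
            marker = token + "<>\"'"               # the characters that make reflection dangerous
            data = {f: "" for f in form["fields"]}
            data[field] = marker
            body = submit(form["action"], form["method"], data)
            if marker in body:
                status = "unencoded"   # metacharacters survived: reflected cross scripting candidate
            elif token in body:
                status = "encoded"     # value echoed, but < > " ' were neutralised
            else:
                status = "absent"      # not reflected in this response
            results[(form["action"], field)] = status
    return results


# Constructed sample site: a create-room form whose handler echoes one field raw
# and one field entity-encoded.
SAMPLE_PAGE = """<html><body>
<form action="/create" method="get">
  Room: <input name="room"> Topic: <input name="topic">
  <input type="submit" value="Create">
</form>
</body></html>"""


def sample_app(action, method, data):
    """Local stand-in for the web server under test (no network involved)."""
    room = data.get("room", "")                  # bug: echoed without encoding
    topic = html.escape(data.get("topic", ""))   # correct: entity-encoded for HTML
    return f"<html><body><p>Creating room {room} about {topic}</p></body></html>"


if __name__ == "__main__":
    for (action, field), status in find_reflections(SAMPLE_PAGE, sample_app).items():
        print(f"{action} {field}: {status}")
```

Swapping `sample_app` for a function that performs the request with `urllib.request` turns this into the basic scanner the post has in mind; the obvious gaps (fields reflected only on a later page, values written into attributes or script blocks where `&lt;` is not the relevant encoding, JavaScript-driven forms) are the reason the author calls the idea largely simplified.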

[The Obligatory Greetings]

.ox ppl I know & the boyz@103   :)


Thanks

John

-------------------------------------------
john.heasman () univ ox ac uk
-------------------------------------------

