Bugtraq mailing list archives

MSN Messenger Hijacking


From: Tom Gilder <tom () tom me uk>
Date: Sat, 9 Feb 2002 20:34:51 +0000

MSN MESSENGER HIJACKING

Security bulletin by Tom Gilder and Thor Larholm
Published February 9th 2002
http://tom.me.uk/msn/


Some privacy problems in MSN Messenger have recently been reported (see
http://www.securityfocus.com/bid/4028). However, these problems pale in
comparison to what can be done by reaching MSN Messenger through
unpatched IE vulnerabilities. Using these, a malicious programmer can
easily hijack the MSN Messenger client from a user, which allows him/her
(among other things) to silently and automatically read the victim's
contact list (harvesting email addresses) and to impersonate the victim
by sending arbitrary messages, email or local files to anyone.

The victim would be unaware of any such action, and the malicious
programmer would in effect be impersonating the victim to the MSN
Messenger client, which allows him/her to do anything with MSN Messenger
that the victim would normally be able to do.

For an example on how this can be exploited, visit the hijacking
demonstration page at http://tom.me.uk/msn/demo.html.

To summarize, this is not made possible by a bug in the MSN Messenger
client itself. It is made possible by the "document.open" bug discovered
by "The Pull" (http://www.osioniusx.com/), which has now been left
unpatched for nearly two months - see the SecurityFocus page at
http://www.securityfocus.com/bid/3721 for more information.

However, this would never have been an issue if the MSN Messenger
client had used some kind of authentication other than DNS information
when deciding whom to trust.

This example has been made public to put pressure on Microsoft to patch
vulnerabilities that they are fully aware of.

Many more unpatched vulnerabilities currently exist in IE - for a full
list see http://jscript.dk/unpatched/.

This exploit has so far been confirmed to work on:

* Windows 98 SE with IE6 final (fully patched as of Feb 9) and
  MSN Messenger 4.6.0073
* Windows 98 SE with IE6 final and MSN Messenger 3.6.0024
* Windows ME with IE6 final (fully patched as of Feb 9) and MSN
  Messenger 4.5.0127
* Windows 2000 with IE6 final (fully patched as of Feb 9) and MSN
  Messenger 4.6.0071
* Windows 2000 with IE5.5 and MSN Messenger 4.6.00.73

It is believed to work with any version of the MSN Messenger client on
any OS, though this remains unconfirmed for lack of varied test
configurations.

HANDY LINKS:

List of unpatched IE6 vulnerabilities - http://jscript.dk/unpatched/
MSN Messenger - http://messenger.msn.com/
Hijacking demonstration page - http://tom.me.uk/msn/demo.html
Microsoft Internet Explorer - http://www.microsoft.com/windows/ie/default.asp
SecurityFocus - http://www.securityfocus.com/
The Pull - http://www.osioniusx.com/
Microsoft Recalls Botched Browser Security Patch - http://www.newsbytes.com/news/02/174365.html
Microsoft works to fix MSN privacy flaw - http://news.com.com/2100-1001-833154.html
document.open bug on SecurityFocus - http://www.securityfocus.com/bid/3721
MSN Messenger privacy problems on SecurityFocus - http://www.securityfocus.com/bid/4028

-- 
Tom Gilder
tom () tom me uk
