<<< Date Index >>>     <<< Thread Index >>>

Hotmail Cross-Site Scripting Vulnerability #2



Finjan Security Advisory
=================
Hotmail Cross Site Scripting Vulnerability #2


Introduction
------------
Finjan has discovered a script injection vulnerability in Hotmail
that allows a remote attacker to execute malicious scripts when
the victim is reading his/her email.


Technical Description
---------------------
Hotmail’s mobile code filtering mechanism is based on an active
content filter whose purpose is to block the injection of any
active content into Hotmail messages. Hotmail’s filter identifies
any possibly malicious HTML tags, properties and elements, and
then modifies them into a non-malicious code.

When receiving an email, Hotmail’s filtering engine analyzes
and filters the HTML event properties inside the email’s HTML
tags. Hotmail’s filter identifies the “dangerous” event properties
and renames them to “x”+event, thereby alters their original
functionality.

For example:
<img onmouseover=alert()></img>
is renamed to:
<img xonmouseover=alert()></img>

While the filter analyzes the data, it does not inspect all content
after the “=” and before the next property. This means that in
the example above, the “alert()” code will not be inspected and
filtered.  This can be exploited by creating a malformed HTML
tag which will ‘fake’ a property and then execute an event property.

The malformed request must have the following syntax:
<[anytag] [anychar/word]=[anychar from ascii 1-8 or 14-31)]
 [event property]=[javascript]>

For example:
------------
<img MCRC=  onmouseover=alert()>

All the data after the “=[special char][space]” tag is considered
by Hotmail’s filter to be the data inside the fake tag, and it
is therefore not inspected. Internet browsers however, execute
this as a valid code.

ANY tag/object that supports HTML events can be used to remotely
call a JavaScript file. The injected JavaScript code is responsible for:

• Automatically launching malicious code
• Stealing the victim’s password by using a spoofed re-login window
• Reading the victim’s inbox and contacts
• Sending email messages without any user authorization


The Code (Proof Of Concept)
----------------------cut here-----------------------
<img src=”http://www.finjan.com/images/logo.gif”; MCRC=
onmouseover=alert(‘Cross Site Scripting – Javascript Injected!’)><img>
----------------------cut here-----------------------


Vulnerability Status
--------------------
Vendor was notified on Sep 8th, 2004.
The bug is now fixed.


Credit
------
Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.