have you heard about it?

- HOTMAIL XSS and AV bypass exploit -


To show a practical exploit of the XSS on Hotmail webmail server, let's do something
dirty..., let's force the target user to do something that he would never had allowed:
downloading a virus (from Hotmail, of course):-)
I was thinking on some kind of mailbox access, but I needed ActiveX help, and some people
could think: "I do not allow ActiveX on my browser..." or "I run Mozilla...", etc.
So the challenge has been to show how only with javascript, an XSS theoretically non exploitable (no access to cookies), and some misconfiguration on Hotmail webmail can result in a serious security problem.

1) I know XSS is present (on file attachments) (good)
2) No access to cookies from the code injected (bad)
3) Is not a flaw in input filtering, any script code is allowed (good)
4) I don't know if there is any kind of IP based session tracking method (bad)
5) Redirecting the output of forced client requests from the XSS code is possible (good)
6) The code to succefully exploit redirection (ActiveX, extended XML,...) is browser dependant (bad)

So at least the only room I have to play is Javascript (exploiting XSS only with HTML
injection doesn't seem to be effective in this case...).

If we take a look at the URL from where attachments are opened, we can see the session identifier
and message identifier.With this info we can build a request to... the same message we have sent?
Yes, yes, yes. The same message (same identifier) can have many attachments...
We can make a request to the same message but different attachment...

Why this??? Imagine that we could bypass the antivirus software only with a litle modification
of the HTTP request... We could not do this in the same attachment we send our XSS code, because
this is directly opened by the browser of the target, but we could still force a crafted request from
our XSS code to open a different attachment (on the same message) and without calling the AV software. :-)

How to bypass the AV software...
This a sample URL to get an attachment from Hotmail.

"vscan=scan" ... ummm... Remove this, and the antivirus will not be called! Scared? Wait... :-)

Now lets send to the target user a mail with two attachments. The first one whit this code:

splitString = str2.split("&")

Notice that to make this code working on any enviroment, you will have to use ¨splits¨and not ¨slices¨. This is a proof of concept exploit. The only important thing is to extract user and message identifiers, no matter how you achieve this. If this code doesn´t work for you, try to change slice(X,Y).

The second attachment will be a virus testing file (for example EICAR).

Once the target opens the first attachment, the AV software will tell him that all it's OK, but
when he tries to download the file, it will be opened "online", the XSS code will be executed and:

-session ID and message ID will be retrieved
-a new window will be opened pointing to the second attachment, but without calling AV software

What can see the user?
He will see that he can download the file, without any AV warning, he will see that is downloading from
An experienced user can notice that something strange it's happening... but still is possible to trick him by
opening a similar page to the one showed when the AV software is called... As always, now, the only limit is the imagination of the attacker.


-XSS is present on Hotmail
-Hotmail Antivirus software can easily be bypassed exploiting this XSS
-Users of Hotmail are on high risk

A new generation of XSS is coming...

XSS screenshot

AV bypass: screenshot1 screenshot2 screenshot3 screenshot4

Hugo Vazquez Carames