Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
Document Title:
===============
Microsoft MSN Hotmail - Password Reset Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=529
Media Partners:
http://news.softpedia.com/news/Critical-0-Day-in-Hotmail-Exploited-in-Wild-Microsoft-Issues-Fix-266506.shtml
http://thehackernews.com/2012/04/0day-remote-password-reset.html
News:
http://www.heise.de/security/meldung/Hotmail-Hacking-fuer-20-US-Dollar-1560397.html
https://threatpost.com/hotmail-password-reset-bug-exploited-wild-042612/76490/
http://news.hitb.org/content/0day-remote-password-reset-vulnerability-msn-hotmail-patched
http://www.networkworld.com/article/2222257/microsoft-subnet/microsoft-patches-hotmail-after-0-day-remote-password-reset-exploited-in-the-wild.html
http://www.h-online.com/security/news/item/Hotmail-hacked-for-20-1561894.html
http://www.esecurityplanet.com/network-security/microsoft-patches-critical-security-flaw-in-hotmail.html
http://www.techweekeurope.co.uk/workspace/microsoft-fix-hotmail-password-reset-issue-75402
http://www.net-security.org/secworld.php?id=12818
http://www.ehackingnews.com/2012/04/zero-day-vulnerability-found-in-hotmail.html
Release Date:
=============
2012-04-25
Vulnerability Laboratory ID (VL-ID):
====================================
529
Common Vulnerability Scoring System:
====================================
9.6
Current Estimated Price:
========================
40.000€ - 50.000€
Product & Service Introduction:
===============================
Hotmail (also known as Microsoft Hotmail and Windows Live Hotmail), is a free web-based email service operated by
Microsoft as part of Windows Live. One of the first web-based email services, it was founded by Sabeer Bhatia and
Jack Smith and launched in July 1996 as HoTMaiL. It was acquired by Microsoft in 1997 for an estimated $400
million, and shortly after it was rebranded as MSN Hotmail. The current version was released in 2007. Hotmail
features unlimited storage, Ajax, and integration with Microsoft's instant messaging (Windows Live Messenger),
calendar (Hotmail Calendar), file hosting service (SkyDrive) and contacts platform. According to comScore (August 2010)
Windows Live Hotmail is the world's largest web-based email service with 364 million members, followed by Gmail and
Yahoo! Mail, respectively. It is available in 36 different languages. Hotmail is developed from Mountain View,
California. When Hotmail Corporation was an independent company, its headquarters was in Sunnyvale.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Hotmail )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory research team discovered a password reset vulnerability in the official Microsoft MSN, Live & Hotmail service web-application.
Vulnerability Disclosure Timeline:
==================================
2012-04-06: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-04-20: Vendor Notification (Microsoft Security Response Center)
2012-04-20: Vendor Response or Feedback (Microsoft Security Response Center)
2012-04-21: Vendor Fix or Patch (Microsoft Developer Team)
2012-04-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Microsoft Corporation
Product: MSN - Hotmail 2012 - Q1 & Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A high severity password reset token vulnerability has been discovered in the official Microsoft MSN, Live and Hotmail service web-application.
The token session vulnerability allows remote attackers to bypass the basic session validation approval mechanism and compromise email accounts.
The critical web vulnerability is located in the password reset functionality of the official Microsoft MSN Hotmail service web-application.
The web-application uses a token to protect the reset function against unauthorized access by criminal individuals. Remote attackers are
able to bypass the password recovery service token approval to set up a new password. The vulnerability allows an attacker to reset the
password of any Hotmail, Live or MSN user account identified by its email address, to email and password values of the attacker's choice.
The token protection only checks whether the value is empty; only an empty value blocks or closes the web session. Remote attackers are able to
bypass the token protection with any non-empty value such as `*.+ or -.*`. Successful exploitation results in unauthorized Hotmail, Live or MSN
user account access. Remote attackers are also able to decode the CAPTCHA and send automated values via the Hotmail, Live or MSN reset page
module for automated reset attacks against targeted and random user accounts.
The security risk of the vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) score of 9.6.
Exploitation of the critical reset module vulnerability requires no privileged web-application user account and no user interaction.
Successful exploitation of the session vulnerability results in a compromise of the targeted user account or a compromise of the
main account system (MSN, Live & Hotmail).
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Password Recovery Service - MSN
[+] New Pass - Hotmail
Affected Service(s):
[+] Account System (Hotmail, Live & MSN)
Proof of Concept (PoC):
=======================
The reset email session token vulnerability can be exploited by remote attackers without user interaction or a user account.
For a security demonstration or to reproduce the vulnerability, follow the information and steps provided below.
Exploitation Technique(s):
[+] Bypass the recovery module page to reach the new password or reset step
[+] Bypass the token protection via a non-empty or positive value
[+] Set up a new password for any account via its email address
[+] Decode the CAPTCHA and send automated values
Manual steps to reproduce the vulnerability ...
1. Go to the MSN Live login website
2. Click the password reset function next to the login
3. Start, for example, Tamper Data to intercept and influence the live HTTP request
4. When you try to reset your password and tamper with the request, the token will be sent
Note: At this point the validation and protection mechanism only checks whether the parameter is empty
5. Insert your own value to bypass the check, with a token like => *.+ or -.*
6. Now the attacker replaces, in the next loaded POST request, the email and account values with their own mail & account
7. In the next step the attacker moves to the inbox where the reset change has been performed to compromise the account
8. Log in to the targeted MSN/Hotmail/Live account with your own new values
Note: The exploitation requires a session tamper tool for HTTP POST requests and a web browser
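The root cause described in the technical details and walked through in the steps above is a token check that tests only for emptiness. The following added example (not Microsoft's code, and not from the advisory) contrasts that flawed check with a hardened one that binds a random server-issued token to the account, compares it in constant time, enforces an expiry and consumes it on use; the in-memory store and the 15-minute lifetime are assumptions for illustration.

```python
import hmac
import secrets
import time

# Constructed in-memory store of issued reset tokens: account -> (token, expiry).
# Assumption: stands in for whatever server-side state a real service would keep.
_ISSUED = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def issue_reset_token(account, now=None):
    """Server side: mint an unguessable token, bind it to the account, record expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _ISSUED[account] = (token, now + TOKEN_TTL_SECONDS)
    return token


def weak_token_check(account, token):
    """The flawed logic the advisory describes: the only test is 'not empty',
    so any non-empty value is accepted regardless of which account it is for."""
    return bool(token)


def strict_token_check(account, token, now=None):
    """Hardened check: the submitted token must equal the one issued for this
    exact account, must not be expired, and is invalidated once it has been used."""
    now = time.time() if now is None else now
    issued = _ISSUED.get(account)
    if issued is None or not token:
        return False  # nothing was issued for this account, or nothing submitted
    expected, expiry = issued
    if now > expiry:
        del _ISSUED[account]  # stale token: discard and refuse
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, token):
        return False
    del _ISSUED[account]  # single use: a replayed token must fail
    return True
```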
Solution - Fix & Patch:
=======================
2012-04-21: Vendor Fix or Patch (Microsoft Developer Team)
URL: http://mobile.twitter.com/msftsecresponse/status/195568235654021121
Security Risk:
==============
The security risk of the remote password reset web vulnerability in the MSN, Hotmail and Live web-application is estimated as critical. (CVSS 9.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material, contact (admin@ or [email protected]) to ask for permission.
Copyright © 2012 | Vulnerability Laboratory - [Evolution Security GmbH]™