Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
Apr 25, 2012

Microsoft MSN Hotmail - Password Reset Vulnerability

Document Title:
===============
Microsoft MSN Hotmail - Password Reset Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=529

Media Partners:
http://news.softpedia.com/news/Critical-0-Day-in-Hotmail-Exploited-in-Wild-Microsoft-Issues-Fix-266506.shtml
http://thehackernews.com/2012/04/0day-remote-password-reset.html

News:
http://www.heise.de/security/meldung/Hotmail-Hacking-fuer-20-US-Dollar-1560397.html
https://threatpost.com/hotmail-password-reset-bug-exploited-wild-042612/76490/
http://news.hitb.org/content/0day-remote-password-reset-vulnerability-msn-hotmail-patched
http://www.networkworld.com/article/2222257/microsoft-subnet/microsoft-patches-hotmail-after-0-day-remote-password-reset-exploited-in-the-wild.html
http://www.h-online.com/security/news/item/Hotmail-hacked-for-20-1561894.html
http://www.esecurityplanet.com/network-security/microsoft-patches-critical-security-flaw-in-hotmail.html
http://www.techweekeurope.co.uk/workspace/microsoft-fix-hotmail-password-reset-issue-75402
http://www.net-security.org/secworld.php?id=12818
http://www.ehackingnews.com/2012/04/zero-day-vulnerability-found-in-hotmail.html


Release Date:
=============
2012-04-25


Vulnerability Laboratory ID (VL-ID):
====================================
529


Common Vulnerability Scoring System:
====================================
9.6


Current Estimated Price:
========================
40.000€ - 50.000€


Product & Service Introduction:
===============================
Hotmail (also known as Microsoft Hotmail and Windows Live Hotmail), is a free web-based email service operated by 
Microsoft as part of Windows Live. One of the first web-based email services, it was founded by Sabeer Bhatia and 
Jack Smith and launched in July 1996 as HoTMaiL. It was acquired by Microsoft in 1997 for an estimated $400 
million, and shortly after it was rebranded as MSN Hotmail. The current version was released in 2007. Hotmail 
features unlimited storage, Ajax, and integration with Microsoft's instant messaging (Windows Live Messenger), 
calendar (Hotmail Calendar), file hosting service (SkyDrive) and contacts platform. According to comScore (August 2010) 
Windows Live Hotmail is the world's largest web-based email service with 364 million members, followed by Gmail and 
Yahoo! Mail, respectively. It is available in 36 different languages. Hotmail is developed from Mountain View, 
California. When Hotmail Corporation was an independent company, its headquarters was in Sunnyvale. 

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Hotmail )


Abstract Advisory Information:
==============================
The vulnerability laboratory team discovered a password reset vulnerability in the official Microsoft MSN, Live & Hotmail service web-application.


Vulnerability Disclosure Timeline:
==================================
2012-04-06: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-04-20: Vendor Notification (Microsoft Security Response Center)
2012-04-20: Vendor Response or Feedback (Microsoft Security Response Center)
2012-04-21: Vendor Fix or Patch (Microsoft Developer Team)
2012-04-26: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Microsoft Corporation
Product: MSN - Hotmail 2012 - Q1 & Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A critical password reset token vulnerability has been discovered in the official Microsoft MSN, Live and Hotmail service web-application.
The token vulnerability allows remote attackers to bypass the reset-session validation mechanism and compromise email accounts.

The vulnerability is located in the password reset functionality of the official Microsoft MSN Hotmail service web-application.
The web-application uses a token to protect the reset function against unauthorized access. Remote attackers are able to bypass 
the password recovery service token check and set a new password. The vulnerability allows an attacker to reset the password of 
any Hotmail, Live or MSN user account, identified by its email address, to values of the attacker's choice.

The token protection only checks whether the value is empty and, if so, blocks or closes the web session; any non-empty value 
is accepted. Remote attackers are therefore able to bypass the token protection with values like `*.+` or `-.*`. Successful 
exploitation results in unauthorized Hotmail, Live or MSN user account access. Remote attackers are also able to decode the CAPTCHA 
and submit automated values to the Hotmail, Live or MSN reset page module, enabling automated reset attacks against targeted and 
random user accounts.

The security risk of the vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) score of 9.6. 
Exploitation of the reset module vulnerability requires no privileged web-application user account and no user interaction. 
Successful exploitation results in a compromise of the targeted user account or of the main account system (MSN, Live & Hotmail).

Request Method(s):
[+] POST

Vulnerable Module(s): 
[+] Password Recovery Service - MSN
[+] New Pass - Hotmail

Affected Service(s):
[+] Account System (Hotmail, Live & MSN)


Proof of Concept (PoC):
=======================
The reset email session token vulnerability can be exploited by a remote attacker without user interaction and without a user account. 
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

Exploitation Technique(s):
[+] Bypass the recovery module page to the new-password / reset step
[+] Bypass the token protection with any non-empty value
[+] Set up a new password for any account via its email address
[+] Decode the CAPTCHA and send automated values


Manual steps to reproduce the vulnerability ...
1. Go to the MSN Live login website
2. Next to the login, click the password reset function
3. Start, for example, Tamper Data to intercept and modify the live HTTP requests
4. Try to reset your password and intercept the request in which the token is sent 
Note: At this point the validation and protection mechanism only checks whether the parameter is empty
5. Insert your own value, such as `*.+` or `-.*`, as the token to bypass the check
6. In the next POST request that loads, replace the email and account values with your own mail & account values
7. Next, move to the inbox where the reset change has been performed to compromise the account
8. Log in to the targeted MSN/Hotmail/Live account with your own new values

Note: The exploitation requires a tool that can tamper with HTTP POST requests and a web browser
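The following is an added example, not code from this advisory or from Microsoft. It models the flaw described in the Technical Details and replayed in the steps above: a reset-token check that only tests for emptiness, so a junk value like `*.+` passes and the email field of the follow-up POST can be swapped. Beside it sits a hardened check that accepts only a random token issued for that exact account, unexpired, compared in constant time, and consumed on first use. The in-memory token store, the helper names and the sample mailboxes are assumptions made for illustration; the cross-account swap (a genuine token for the attacker's account presented with the victim's email) is a generalization of step 6, not a step the advisory spells out.

```python
"""Reset-token validation: the empty-check flaw beside a hardened check.
Added example, not code from the advisory or from Microsoft. The in-memory
store, helper names and sample mailboxes are assumptions for illustration."""
import hmac
import secrets
import time

# Constructed sample data (not from the advisory).
ATTACKER = "attacker@example.com"
VICTIM = "victim@example.com"

# Hypothetical server-side store: email -> (token, expiry as unix time)
_reset_tokens = {}
TOKEN_TTL_SECONDS = 15 * 60


def issue_reset_token(email, now=None):
    """Mint a random, single-use reset token bound to the requesting account."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[email] = (token, now + TOKEN_TTL_SECONDS)
    return token


def vulnerable_validate(email, token):
    """The behaviour the advisory describes: the token is only checked for
    emptiness and is never tied to the account named in the same request."""
    return bool(token)


def hardened_validate(email, token, now=None):
    """Accept only the token issued for this exact account, while unexpired,
    compared in constant time, and consumed on first use."""
    now = time.time() if now is None else now
    entry = _reset_tokens.get(email)
    if entry is None:
        return False
    expected, expires_at = entry
    if now > expires_at:
        _reset_tokens.pop(email, None)
        return False
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    _reset_tokens.pop(email, None)  # single use: a replayed token fails
    return True


def reset_password(validate, email, token, new_password, passwords):
    """Simulated reset POST handler: the request carries email, token and the
    new password; `validate` is the token check under test."""
    if not validate(email, token):
        return False
    passwords[email] = new_password
    return True


def run_attack_scenarios():
    """Replay the advisory's steps against both validators; returns outcomes."""
    vuln_pw = {VICTIM: "old-password"}
    hard_pw = {VICTIM: "old-password"}
    r = {}

    # Steps 5-6: a junk token such as `*.+` with the victim's address in the POST.
    r["junk_token_vulnerable"] = reset_password(
        vulnerable_validate, VICTIM, "*.+", "owned", vuln_pw)
    r["junk_token_hardened"] = reset_password(
        hardened_validate, VICTIM, "*.+", "owned", hard_pw)

    # A genuine token issued to the attacker, then the email field swapped for
    # the victim's in the follow-up request; binding the token to the account
    # defeats this even though the token itself is real.
    attacker_token = issue_reset_token(ATTACKER)
    r["swapped_email_hardened"] = reset_password(
        hardened_validate, VICTIM, attacker_token, "owned", hard_pw)

    # Legitimate flow: the victim's own token, used once, then replayed.
    victim_token = issue_reset_token(VICTIM)
    r["legit_first_use"] = reset_password(
        hardened_validate, VICTIM, victim_token, "fresh-password", hard_pw)
    r["legit_replay"] = reset_password(
        hardened_validate, VICTIM, victim_token, "again", hard_pw)

    # Expired token: issued at t0, presented 16 minutes later.
    t0 = 1_000_000.0
    stale = issue_reset_token(VICTIM, now=t0)
    r["expired"] = hardened_validate(VICTIM, stale, now=t0 + 16 * 60)

    r["victim_password_vulnerable"] = vuln_pw[VICTIM]
    r["victim_password_hardened"] = hard_pw[VICTIM]
    return r


if __name__ == "__main__":
    for name, outcome in run_attack_scenarios().items():
        print(f"{name}: {outcome}")
```

Run the file directly to see each scenario's outcome: the vulnerable validator lets the junk token change the victim's password, while the hardened one rejects the junk token, the swapped-email request, the replayed token and the expired token, and only the victim's own fresh token succeeds. The design point is that the token must be looked up by the account in the same request, not merely tested for presence.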


Solution - Fix & Patch:
=======================
2012-04-21: Vendor Fix or Patch (Microsoft Developer Team)

URL: http://mobile.twitter.com/msftsecresponse/status/195568235654021121


Security Risk:
==============
The security risk of the remote password reset web vulnerability in the msn, hotmail and live web-application is estimated as critical. (CVSS 9.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    [email protected] 	- [email protected] 				- [email protected]
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material, contact (admin@ or [email protected]) to ask for permission.

				    Copyright © 2012 | Vulnerability Laboratory - [Evolution Security GmbH]™