// back

Microsoft Hotmail Cross-Site Scripting (XSS) Flaws

12.20.02

BACKGROUND

Hotmail is the world's largest provider of free, Web-based e-mail. It is based on the premise that e-mail access should be easy and possible from any computer connected to the World Wide Web. Hotmail eliminates the disparities among e-mail programs by adhering to the universal Hypertext Transfer Protocol (HTTP) standard. More information is available at http://www.hotmail.com

DESCRIPTION

The susceptibility of Microsoft Corp.'s MSN Hotmail to two cross-site scripting (XSS) attacks could allow attackers to infiltrate a targeted Hotmail user's e-mail account. Both attacks stem from incorrect or incomplete HTML filtering by Hotmail.

Issue One: Session Hijacking

While Hotmail does filter a number of HTML tags, it fails to filter the <textarea> tag. As such, an attacker could trick the Hotmail parser into treating a </textarea> tag as part of the literal value of a <td> background variable. Since the <textarea> tag does not rely on quotes and ends when it reaches a closing </textarea> tag, the attacker could insert
a JavaScript routine that would not be filtered.

The inserted routine could not contain any quotes, as Hotmail filters out such characters. This, however, could be overcome by using the String.fromCharCode() method, which converts an ASCII value to a string.

Issue Two: Arbitrary Action Execution

Hotmail does filter a number of variables, but it fails to filter the <td> background variable. Knowing this, an attacker could dupe a targeted user into opening an HTML-enabled e-mail to generate a GET request on a Hotmail server to execute an action. For example, Hotmail has filters in place that replace the following HTML:

<td width=1 height=1 bgcolor="
background='http://hotmail.msn.com/cgi-bin/dofolders?
m=&i=&FID_=&from=inbox&newfoldername=HACKED'></td>

The HTML above is replaced with the following:

<td width=1 height=1 bgcolor=~
background='http://64.4.14.24/spacer.gif'></td>

However, Hotmail does not properly filter URLs that are composed with backslashes. So the following HTML would filter incorrectly:

<td width=1 height=1 bgcolor="
background='http://hotmail.msn.comcgi-bindofolders?
m=&i=&FID_=&from=inbox&newfoldername=HACKED'>/td>

The HTML above becomes:

<TD width=1 height=1 bgcolor=~
background='http://hotmail.msn.comcgi-bindofolders?
m=&i=&FID_=&from=inbox&newfoldername=HACKED'></td>

When the page loads, the code would generate a GET request to the specified URL. The URL is in the Hotmail domain, thus the user's cookie would transmit with the request. The Hotmail server would process the request and create a folder named HACKED.

ANALYSIS

Unlike most XSS attacks, which require a user to click on a tainted link, exploitation in this case only requires a Hotmail user to view a malicious e-mail. Sending the e-mail from a forged e-mail address affords a greater chance for successful exploitation. Once an attacker compromises one Hotmail user's account, the attacker could then use that account to compromise other e-mail accounts.

It is quite feasible for an automated worm to be written in such a way that it spreads through the enumeration of user address books. Such a worm would quickly propagate as future attack e-mails would arrive from known and trusted e-mail addresses.

Once a user's Hotmail cookie has been stolen, an attacker has the ability to gain full control over the user's account until the user logs out or the session times out. (Hotmail's default setting is to never timeout). During that time, an attacker could read, remove, and store all e-mails, as well as send e-mails from the compromised account.

The ability to execute arbitrary Hotmail actions allows an attacker to set any option that the targeted user could normally set under the Options  menu. This includes redirecting all e-mail to the deleted folder and  modifying the user's name or e-mail signature.

For further information on this class of attacks, refer to "The Evolution of Cross-Site Scripting Attacks," an iDEFENSE White Paper available at http://www.idefense.com/papers.html .

DETECTION

All Hotmail users were vulnerable to the above-descibred attacks before Microsoft resolved the issues.

VENDOR RESPONSE

Microsoft fixed this issue in hotmail on 11/04/2002.

DISCLOSURE TIMELINE

10/08/2002 Issue disclosed to iDEFENSE
10/31/2002 Issue disclosed to Microsoft (secure@microsoft.com)
10/31/2002 Response received from secure@microsoft.com (Terri Forslof)
11/01/2002 iDEFENSE Clients notified
11/05/2002 Response received from secure@microsoft.com indicating issue was resolved at 3:00pm PST 11/04/2002
12/20/2002 Public Disclosure

CREDIT

David Zentner (David@cgishield.com) discovered this vulnerability.