Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Hotmail Cross Site Scripting Vulnerability (Malformed Tags)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Hotmail Cross Site Scripting Vulnerability (Malformed Tags)
Date: 20 Dec 2004 18:38:27 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Hotmail Cross Site Scripting Vulnerability (Malformed Tags)
------------------------------------------------------------------------


SUMMARY

Finjan has discovered a script injection vulnerability in Hotmail that 
allows a remote attacker to execute malicious scripts when the victim is 
reading his/her email, this is due to Hotmail's inability to process 
correctly malformed HTML tags and make the script embedded inside them 
useless.

DETAILS

Hotmail's mobile code filtering mechanism is based on an active content 
filter whose purpose is to block the injection of any active content into 
Hotmail messages. Hotmail's filter identifies any possibly malicious HTML 
tags, properties and elements, and then modifies them into a non-malicious 
code.

When receiving an email, Hotmail's filtering engine analyzes and filters 
the HTML event properties inside the email s HTML tags. Hotmail's filter 
identifies the dangerous event properties and renames them to x +event, 
thereby alters their original functionality.

For example:
< img onmouseover=alert()></img>
is renamed to:
< img xonmouseover=alert()></img>

While the filter analyzes the data, it does not inspect all content after 
the = and before the next property. This means that in the example above, 
the alert() code will not be inspected and filtered. This can be exploited 
by creating a malformed HTML tag which will fake a property and then 
execute an event property.

The malformed request must have the following syntax:
< [anytag] [anychar/word]=[anychar from ascii 1-8 or 14-31)] [event 
property]=[javascript]>

For example:
< img MCRC= onmouseover=alert()>

All the data after the =[special char][space] tag is considered by 
Hotmail's filter to be the data inside the fake tag, and it is therefore 
not inspected. Internet browsers however, execute this as a valid code.

ANY tag/object that supports HTML events can be used to remotely call a 
JavaScript file. The injected JavaScript code is responsible for:
 * Automatically launching malicious code
 * Stealing the victim s password by using a spoofed re-login window
 * Reading the victim s INBOX and contacts
 * Sending email messages without any user authorization

Proof Of Concept:
< img src= http://www.finjan.com/images/logo.gif MCRC= onmouseover=alert( 
Cross Site Scripting Javascript Injected! )>< img>

Vulnerability Status:
Vendor was notified on Sep 8th, 2004. The bug is now fixed.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:theinsider@012.net.il> Rafel 
Ivgi, The-Insider.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Hotmail Cross Site Scripting Vulnerability (Malformed Tags), SecuriTeam <=
Previous by Date:  [UNIX] SQL Injections in Ikonboard (st, keywords), SecuriTeam
Next by Date:  [NEWS] Hotmail Cross-Site Scripting Vulnerability (IE gte), SecuriTeam
Previous by Thread:  [UNIX] SQL Injections in Ikonboard (st, keywords), SecuriTeam
Next by Thread:  [NEWS] Hotmail Cross-Site Scripting Vulnerability (IE gte), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]