[13205] in bugtraq


Re: Hotmail security hole - injecting JavaScript using

daemon@ATHENA.MIT.EDU (Microsoft Product Security Respons)
Tue Jan 4 15:28:28 2000

Mime-Version: 1.0
Message-Id:  <D1A11CCE78ADD111A35500805FD43F580438FDCB@RED-MSG-04>
Date:         Mon, 3 Jan 2000 18:41:54 -0800
Reply-To: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
From: Microsoft Product Security Response Team <secure@MICROSOFT.COM>
X-To:         "win2ksecadvice@LISTSERV.NTSECURITY.NET"
              <win2ksecadvice@LISTSERV.NTSECURITY.NET>,
              "NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM"
              <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
              "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi All -

Wanted to let you know that we have developed a fix that eliminates this
vulnerability, and have deployed it to all Hotmail servers.  We're very
sorry for any inconvenience this may have caused.  Regards,

Secure@microsoft.com



-----Original Message-----
From: Georgi Guninski [mailto:joro@NAT.BG]
Sent: Monday, January 03, 2000 5:40 AM
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">


Georgi Guninski security advisory #1, 2000

Hotmail security hole - injecting JavaScript using <IMG LOWSRC="javascript:....">

Disclaimer:
The opinions expressed in this advisory and program are my own and not
of any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program.
Georgi Guninski bears NO responsibility for content or misuse of this
program or any derivatives thereof.

Description:
Hotmail allows executing JavaScript code in email messages using
<IMG LOWSRC="javascript:....">, which may compromise the user's Hotmail
mailbox.

Details:
There is a major security flaw in Hotmail which allows injecting and
executing JavaScript code in an email message using the javascript
protocol.
This exploit works both on Internet Explorer 5.x (almost certainly IE 4.x
as well) and Netscape Communicator 4.x.
Hotmail filters the "javascript:" protocol for security reasons.
But the following JavaScript is executed:
<IMG LOWSRC="javascript:alert('Javascript is executed')">
if the user has enabled automatic loading of images (most users have).

Executing JavaScript when the user opens a Hotmail email message allows,
for example, displaying a fake login screen where the user enters his
password, which is then stolen.
I don't want to make a scary demonstration, but it is also possible to
read the user's messages, to send messages in the user's name and to do
other mischief.
It is also possible to get the cookie from Hotmail, which is dangerous.
Hotmail deliberately escapes all JavaScript (it can escape) to prevent
such attacks, but obviously there are holes.
It is much easier to exploit this vulnerability if the user uses
Internet Explorer 5.x.

Workaround: Disable JavaScript

The code that must be included in HTML email message is:
--------------------------------------------------------
<IMG LOWSRC="javascript:alert('Javascript is executed')">
--------------------------------------------------------

Regards,
Georgi Guninski
http://www.nat.bg/~joro


