####################[Title]####################

Hotmail Security Alert (Hack HM1.0)!
5/10/2000
By: Da Hawaiian HaXorS
"Give back da aina!"

####################[Disclaimer]####################

In no event shall Da Hawaiian HaXorS be held liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other action, arising out of or in connection with the use or performance of this information. In short, we take no responsibility for the information within this document. The information contained within is our sole opinion and not the responsibility or opinion of any party we are affiliated with. Whatever anyone does with this information is entirely of their own accord.

Lastly, anyone currently employed by any county, state, or federal law enforcement agency is not allowed to possess or read this material by command of the authors. This is for the security community, not for legislative muscle. So DELETE IT FOOL! end rant.

####################[Introduction]####################

This document was written to bring attention to security flaws within the Microsoft Hotmail email system. As we have seen dozens of times before, JavaScript poses a security danger to web applications, especially when not properly protected.

Also, I must note that the recent security hole posting on http://www.peacefire.org/security/fakemailform/ IS NOT A HACK. It just tricks the user.

####################[Scope]####################

The scope of this problem will most likely affect any and all browsers that have JavaScript turned on by default. Now let's see here.... That covers all major operating systems (Windows, MacOS, *nix) and covers both major browsers (Internet Explorer 3, 4, 5 and Netscape 2, 3, 4 and 5!?). So we can safely assume everyone who currently uses Hotmail is at risk regardless of their current software.
Unless there are a few die-hards who use lynx to check their Hotmail account.

####################[Detailed Exploit]####################

The following line will execute a line of JavaScript code. This browser feature has been well documented elsewhere.

/* Example, not actual exploit */

MS Hotmail attempts to filter this type of attack by search and replace. However, interesting results are noticed when the string is broken up by a few multiple line breaks.

/* Actual Exploit */

It seems that the line breaks make it possible to bypass the filters, yet the script is still executed within the browser.

For the script kiddy (you must send the mail as HTML mail):

MIME-Version: 1.0
From: Script Kiddy
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: The Script Kiddy Has You OWNED!

>.
/* J0l0S2h8fj8i0Ce2ahe027 */

####################[Potential Disasters]####################

The disastrous consequences of this are limited only by the skill and creativity of the intruder. So, let's give some examples, shall we:

1) Hotmail account takeover. Yes, the attacker can gain both username and password, or whatever Hotmail uses to track the session. Not like it matters.

2) Use the exploit in conjunction with KNOWN browser exploits to access the system. Hmm. I wonder if JS can be used to exploit an IE security bug, writing a file to the system (Can you say "I LOVE YOU"?), and then execute that file. Seems possible.

3) Re-direct the user somewhere else of the attacker's choosing. Wow, wouldn't spammers just love to be able to re-direct a massive number of Hotmail users to some Pr0n site. HAH!

Remember, limited only by creativity.

####################[Suggested Fix]####################

The silver bullet fix would be for Microsoft to take security and the privacy of its customers seriously with a proactive approach rather than a deny-and-post-a-patch approach.
However, given that this is an unreasonable request, we suggest the following: remove ALL carriage returns from the string before analyzing it.

--end

At Thu, 11 May 2000 01:02:13 -0700, Packet wrote:
>Oh, I thought the second replaced the first.
>
>Can you resend the first?
>
>Thanks
>
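The suggested fix from the advisory, as an added example that is not part of the original post or of Hotmail's code: a Python model of a search-and-replace filter of the kind the post describes, beside the same filter run after every line break has been stripped, plus a variant that analyses the stripped copy but rejects instead of rewriting. The sample strings are constructed for this example (the advisory's actual payload is not reproduced on this page), and placing the breaks between the tag name and its closing bracket is only an assumption about where they went.

```python
import re

# Constructed samples for this example; the advisory does not reproduce its
# actual payload. Where the line breaks sit is an assumption: here they are
# placed between the tag name and the closing bracket, whitespace that HTML
# tolerates inside a tag.
PLAIN_TAG = "<script>alert(1)</script>"
BROKEN_TAG = "<script\r\n\r\n>alert(1)</script>"
HARMLESS = "<p>Aloha,\r\nhere are the photos.</p>"

# The literal the search-and-replace filter looks for.
LITERAL_OPEN = re.compile(r"<script>", re.IGNORECASE)


def naive_filter(html: str) -> str:
    """Search-and-replace filter of the kind the advisory describes:
    it only neutralises the exact literal '<script>'."""
    return LITERAL_OPEN.sub("&lt;script&gt;", html)


def strip_line_breaks(html: str) -> str:
    """The advisory's suggested fix: remove every CR and LF before analysing."""
    return html.replace("\r", "").replace("\n", "")


def hardened_filter(html: str) -> str:
    """Same replacement, applied to the normalised copy, so breaks inside the
    tag can no longer split the literal the filter is looking for."""
    return LITERAL_OPEN.sub("&lt;script&gt;", strip_line_breaks(html))


def script_tag_survives(html: str) -> bool:
    """Judge a filter's output the way the browser reads it: whitespace
    (line breaks included) between the tag name and '>' is still a tag."""
    return re.search(r"<script\s*>", html, re.IGNORECASE) is not None


def message_allowed(html: str) -> bool:
    """Reject-rather-than-rewrite variant: analyse the normalised copy and
    refuse the whole message if the tag is present; an accepted message keeps
    its original body, legitimate line breaks included."""
    return LITERAL_OPEN.search(strip_line_breaks(html)) is None


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_TAG), ("broken", BROKEN_TAG)):
        print(f"{name}: naive leaves tag={script_tag_survives(naive_filter(sample))}, "
              f"hardened leaves tag={script_tag_survives(hardened_filter(sample))}")
```

Rewriting the stripped copy also discards every legitimate line break in the message, which is why message_allowed analyses the normalised copy but leaves the body itself alone.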