Hotmail
[CSS Vulnerability (New Strain) FIXED!]
Advisory Release Date: Aug 15, 2001
Warning! This strain of Cross Site Scripting vulnerability may affect many more web applications beyond Microsoft Hotmail. CERT and others have issued CSS advisories in the past; however, this vulnerability is different from those previously posted. Web sites that already take diligent steps to filter out unwanted HTML and JavaScript should take careful notice, as the examples below show a new way to circumvent HTML/JavaScript filters.
Microsoft Security Response Center issued the following statement:
Microsoft received the report of this vulnerability on August 10, 2001. By mid-day Aug 13, the issue had been investigated and confirmed, and the needed software changes had been made and deployed to all Hotmail servers. Microsoft would like to thank Jeremiah Grossman of WhiteHat Security (www.whitehatsec.com) for bringing the issue to our attention and working with us to protect Hotmail customers.
This document can be obtained from:
http://www.whitehatsec.com/labs/advisories/WH-Security_Advisory-08152001.txt
http://www.whitehatsec.com/labs/advisories/WH-Security_Advisory-08152001.html
Systems Affected
* Microsoft Hotmail
* All web applications accepting user-submitted HTML content
* Netscape web browsers
Background & Overview
Many web applications generate dynamic HTML web pages using user-submitted data and other sources of "untrusted content." Web applications that do not meticulously filter this untrusted content before presenting the web page to the user may allow the web page, and the way a web browser interprets its content, to be manipulated.
This issue becomes dangerous when untrusted content can be inserted into a dynamic HTML web page via a web application or other means, causing potentially malicious code to execute within a user's browser with exactly the same privileges as the legitimate web server.
Many web applications, such as Microsoft Hotmail, already meticulously filter incoming untrusted data before the content reaches their users. However, given the loose interpretation of HTML/JavaScript/VBScript etc. by various web browsers, obfuscated content may elude the current filters and execute within the user's browser environment.
Vulnerability Description
This is a simple proof-of-concept vulnerability that illustrates how sending a crafted HTML email with the enclosed body will auto-execute JavaScript when the email is read.
** NOTE: The example will only execute JavaScript under Netscape **
==============================================
sendmail -t <target>@hotmail.com
MIME-Version: 1.0
From: The Attacker <foos@bar.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Style JavaScript Execution Example

<HTML><BODY>
<STYLE TYPE="application/x-javascript">
alert('JavaScript has been Executed');
</STYLE>
</BODY></HTML>
.
==============================================
The key to this vulnerability is the "application/x-javascript" MIME type given in the "TYPE" attribute, which causes the expression that follows to be interpreted as JavaScript. Similar JavaScript filter-bypass examples have been disclosed before, using a different MIME type:
<STYLE TYPE="text/javascript">
alert('JavaScript has been Executed');
</STYLE>
However, the altered MIME type may allow this new variant to bypass many currently implemented JavaScript filters across many web applications.
Impact
Given that, in this instance, malicious scripts are executed within the same scope and possess the same security privileges as the legitimate web site, the attacker can exercise full control over the document the user received. This power includes the entirety of the accessible Document Object Model and the transporting of gathered information to an off-domain location for later retrieval.
Example attacks:
* Web proxy monitoring
* Cookie theft
* Access to restricted domains
Solution
As per WhiteHat Security's disclosure policy of informing vendors of discovered vulnerabilities, Microsoft Hotmail has fixed the reported issue effective 1 PM PST, Aug 14, 2001.
** NOTE: Web applications not allowing any HTML to be submitted from untrusted sources should be immune to this vulnerability **
Web applications that accept "STYLE" tags to be submitted within their web environment must take special care with the "TYPE" attribute:
<STYLE TYPE="application/x-javascript">
alert('JavaScript Executed');
</STYLE>
The "application/x-javascript" MIME type must be appropriately filtered to deny execution of the JavaScript expression. Example:
<STYLE TYPE="application/NOJS">
alert('JavaScript Executed');
</STYLE>
will render the content unexecutable.
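As an added illustration, not code from the advisory or from WhiteHat Security, the following Python contrasts a deny-list filter that knows only "text/javascript" (and so misses the strain described above) with an allow-list rewriter that keeps a STYLE TYPE only when it names text/css and otherwise substitutes the advisory's inert "application/NOJS" value. The sample bodies are constructed after the advisory's examples; the function and class names are the author's own.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample bodies modelled on the advisory's examples (not the original email).
NEW_STRAIN = '<HTML><BODY><STYLE TYPE="application/x-javascript">alert(1);</STYLE></BODY></HTML>'
OLD_STRAIN = '<HTML><BODY><STYLE TYPE="text/javascript">alert(1);</STYLE></BODY></HTML>'
BENIGN = '<HTML><BODY><STYLE type="text/css; charset=utf-8">p { color: red }</STYLE></BODY></HTML>'
INERT_TYPE = "application/NOJS"  # the neutral TYPE value the advisory proposes

def denylist_filter(body):
    """Deny-list filter of the kind the advisory says the new strain slips past:
    it only rewrites the one script MIME type it already knows about."""
    return re.sub(r'(?i)type="text/javascript"', 'TYPE="%s"' % INERT_TYPE, body)

def style_is_executable(type_value):
    """True unless TYPE is absent (browsers then assume CSS) or names text/css;
    parameters after ';', surrounding whitespace and letter case are ignored."""
    if type_value is None:
        return False
    return type_value.split(";", 1)[0].strip().lower() != "text/css"

class StyleTypeAllowlist(HTMLParser):
    """Allow-list rewriter: a STYLE element keeps its TYPE only when it is
    text/css; any other value is replaced by INERT_TYPE. Tag and attribute
    names come out lower-case because HTMLParser normalises them."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag == "style" and style_is_executable(dict(attrs).get("type")):
            attrs = [(k, v) for k, v in attrs if k != "type"] + [("type", INERT_TYPE)]
        rendered = "".join(' %s="%s"' % (k, escape(v, quote=True)) if v is not None
                           else " " + k for k, v in attrs)
        self.out.append("<%s%s>" % (tag, rendered))
    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):  # pass character references through untouched
        self.out.append("&%s;" % name)
    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

def allowlist_filter(body):
    parser = StyleTypeAllowlist()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)
```

The deny-list leaves the "application/x-javascript" body untouched, while the allow-list neutralises both strains and passes the plain CSS block through unchanged.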
References
* CERT® Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests, http://www.cert.org/advisories/CA-2000-02.html
* Understanding Malicious Content Mitigation for Web Developers, http://www.cert.org/tech_tips/malicious_code_mitigation.html
* The Dangers of Allowing Users to Post Images (Cross-Site Request Forgeries), http://www.securiteam.com/securitynews/5FP0C204KE.html
Authors
Jeremiah Grossman
Credits
WhiteHat Security would like to thank Steve Lipner and Scott from the Microsoft Security Response Center, and also Rick Eames from the Hotmail Development Team, for their exceptional response and resolution time.
WhiteHat Security
Contact Information
Corporate Headquarters
3003 Bunker Hill Lane #106
Santa Clara, CA 95054
Tel (408) 492 1817
Fax (408) 904 7142
http://www.whitehatsec.com
info@whitehatsec.com