GreyMagic Security Advisory GM#005-MCBy GreyMagic Software, Israel.
23 Mar 2004.
Topic: Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo.
Discovery date: 06 Mar 2004.Affected applications:
Hotmail web-based email service (when used with IE).
Yahoo web-based email service (when used with IE).
Note that many other web-based services may be vulnerable to this method of exploitation, as it is a completely new way to embed script.Introduction:
Both Hotmail and Yahoo make tremendous efforts to sanitize incoming emails from potentially unsafe HTML content. Flawed filtering of such unsafe content may result in severe consequences that would occur as soon as a user opens an email for reading, including:
- Theft of login and password.
- Content disclosure of any email in the mailbox.
- Automatically send emails from the mailbox.
- Exploitation of known vulnerabilities in the browser to access the user's file system and eventually take over the machine.
- Distribution of a web-based email worm.
- Disclosure of all contacts within the address book.
GreyMagic devised a method to inject such arbitrary (potentially malicious) content to a Yahoo or Hotmail email message. The method is not limited to Hotmail and Yahoo alone though, it may apply to other web-based services that attempt to filter HTML input.
The vulnerability makes use of an Internet Explorer technology called HTML+TIME (based on SMIL), which is meant to add timing and media synchronization support to HTML pages.
One of the features included in HTML+TIME is the ability to manipulate any attribute on an element via special control elements. For example, the <t:set> element exposes the attributes "attributeName" and "to", which make it possible to inject ANY HTML content to the document when "attributeName" is set to "innerHTML" and "to" is set to any HTML the attacker would like to execute, including script.Exploit:
For the HTML+TIME module to be activated, the document must fulfill two requirements. It must declare the designated namespace and it must bind the namespace to the HTML+TIME behavior implementation.
In order to fulfill the first requirement it is usually necessary to be able to access the <html> element, with the syntax <html xmlns:t="urn:schemas-microsoft-com:time">. However, Hotmail completely filters out that element, so another method of namespace declaration is needed. It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction, which may be used anywhere in the document and does not get filtered.
The second requirement usually involves the use of the CSS "behavior" property, with the syntax "behavior:url(#default#time)". However, Hotmail blocks all instances of "url(...)" in the incoming mail, so another way to bind the behavior must be used. It comes in the form of the <?import> element, which was added in Internet Explorer 5.5 and enables namespace to implementation binding.
So after evading all filters, the final code looks like this:
<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" />
<?import namespace="t" implementation="#default#time2">
Optional text here...
<t:set attributeName="innerHTML" to="<script defer>alert()</script>A" />
We put together a proof of concept demonstration for this method of script execution.Solution:
GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.
All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date.Tested on:
The information in this security advisory and any of its demonstrations is provided "as is" without warranty of any kind.
Vulnerability details are provided strictly for educational and defensive purposes.
GreyMagic Software is not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.Stay informed:
Subscribe to GreyMagic's early notification email service and be informed of new vulnerabilities and updates as soon as they appear on the site.
Press here to subscribe.
Your privacy is important to us, read our Privacy Statement.