SecurityTracker.com
SecurityTracker
Archives
Category:   Application (E-mail Server)  >   Yahoo Mail
Vendors:   Yahoo
Yahoo! Mail 'HTML+TIME' Tag Filtering Hole Permits Remote Users to Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009538
SecurityTracker URL:  http://securitytracker.com/id/1009538
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Oct 20 2004
Original Entry Date:  Mar 23 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   An input validation vulnerability was reported in Yahoo! Mail when used in conjunction with Microsoft Internet Explorer (IE). A remote user can conduct cross-site scripting attacks.

GreyMagic Software reported that a remote user can create HTML that invokes the Internet Explorer 'HTML+TIME' feature, using its control elements (such as the '<t:set>' tag) to manipulate attributes of other elements and thereby execute malicious scripting code. A remote user can send specially crafted HTML that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Yahoo! Mail site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The HTML document must declare the namespace and specify the HTML+TIME feature for that namespace, the report said. In IE, the document can use the '<?xml:namespace>' tag to declare the namespace and the '<?import>' element to bind the HTML+TIME feature to the namespace.

Some demonstration exploit tags are provided:

<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" />
<?import namespace="t" implementation="#default#time2">
Optional text here...
<div>
<t:set attributeName="innerHTML" to="&lt;script
defer&gt;alert()&lt;/script&gt;A" />
</div>

The vendor was reportedly notified without response.

The original advisory and a demonstration exploit proof-of-concept are available at:

http://www.greymagic.com/security/advisories/gm005-mc/

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Yahoo! Mail site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   Yahoo! has fixed the vulnerability.

[Editor's note: The date of the fix is not known.]

Vendor URL:  www.yahoo.com/ (Links to External Site)
Cause:   State error

Message History:   None.


 Source Message Contents

Subject:  Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo (GM#005-MC)


GreyMagic Security Advisory GM#005-MC
=====================================

By GreyMagic Software, Israel.
23 Mar 2004.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm005-mc/.

Topic: Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo.

Discovery date: 06 Mar 2004.

Affected applications:
======================

* Hotmail web-based email service (when used with IE).
* Yahoo web-based email service (when used with IE).

Note that many other web-based services may be vulnerable to this method of
exploitation, as it is a completely new way to embed script. 


Introduction:
=============

Both Hotmail and Yahoo make tremendous efforts to sanitize incoming emails
from potentially unsafe HTML content. Flawed filtering of such unsafe
content may result in severe consequences that would occur as soon as a user
opens an email for reading, including: 

* Theft of login and password. 
* Content disclosure of any email in the mailbox. 
* Automatic sending of emails from the mailbox.
* Exploitation of known vulnerabilities in the browser to access the user's
file system and eventually take over the machine. 
* Distribution of a web-based email worm. 
* Disclosure of all contacts within the address book. 


Discussion: 
===========

GreyMagic devised a method to inject such arbitrary (potentially malicious)
content into a Yahoo or Hotmail email message. The method is not limited to
Hotmail and Yahoo alone, though; it may apply to other web-based services
that attempt to filter HTML input.

The vulnerability makes use of an Internet Explorer technology called
HTML+TIME (based on SMIL), which is meant to add timing and media
synchronization support to HTML pages. 

One of the features included in HTML+TIME is the ability to manipulate any
attribute on an element via special control elements. For example, the
<t:set> element exposes the attributes "attributeName" and "to", which make
it possible to inject ANY HTML content into the document when "attributeName"
is set to "innerHTML" and "to" is set to whatever HTML the attacker would like
to execute, including script.


Exploit: 
========

For the HTML+TIME module to be activated, the document must fulfill two
requirements. It must declare the designated namespace and it must bind the
namespace to the HTML+TIME behavior implementation. 

In order to fulfill the first requirement it is usually necessary to be able
to access the <html> element, with the syntax <html
xmlns:t="urn:schemas-microsoft-com:time">. However, Hotmail completely
filters out that element, so another method of namespace declaration is
needed. It so happens that Internet Explorer provides one other mechanism to
declare a namespace, via the non-standard <?xml:namespace> processing
instruction, which may be used anywhere in the document and does not get
filtered. 

The second requirement usually involves the use of the CSS "behavior"
property, with the syntax "behavior:url(#default#time)". However, Hotmail
blocks all instances of "url(...)" in the incoming mail, so another way to
bind the behavior must be used. It comes in the form of the <?import>
element, which was added in Internet Explorer 5.5 and enables binding a
namespace to an implementation.

So after evading all filters, the final code looks like this: 

<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" />
<?import namespace="t" implementation="#default#time2">
Optional text here...
<div>
<t:set attributeName="innerHTML" to="&lt;script
defer&gt;alert()&lt;/script&gt;A" />
</div>
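The two requirements above (a namespace declaration that survives <html> filtering, and a behavior binding that survives "url(...)" filtering) only get through because the filters delete known-bad strings instead of rebuilding the message from an allowlist. The following is an added example, not GreyMagic's, Hotmail's or Yahoo's code: a small allowlist sanitizer built on Python's stdlib html.parser, which sees <?xml:namespace> and <?import> as processing instructions, so they can be dropped regardless of where they appear; the allowed tag and attribute sets are assumptions chosen for the demonstration, and the sample body is the advisory's payload as a mail body would carry it.

```python
# Added example: allowlist sanitizer for incoming mail HTML (Python 3 stdlib only).
import html
from html.parser import HTMLParser

# Constructed sample: the advisory's HTML+TIME payload as a mail body would carry it.
SAMPLE_BODY = (
    '<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" />\n'
    '<?import namespace="t" implementation="#default#time2">\n'
    'Optional text here...\n<div>\n'
    '<t:set attributeName="innerHTML" to="&lt;script\n'
    'defer&gt;alert()&lt;/script&gt;A" />\n</div>\n'
)

class AllowlistSanitizer(HTMLParser):
    """Rebuild the body from an allowlist instead of deleting known-bad strings."""
    ALLOWED_TAGS = {"div", "p", "span", "b", "i", "br"}   # assumed allowlist
    ALLOWED_ATTRS = {"title"}   # no style (behavior:url), no attributeName/to

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_pi(self, data):
        # <?xml:namespace> and <?import> reach the parser as processing
        # instructions, not tags, so a tag-only denylist never sees them.
        self.dropped.append("<?" + data.split()[0])

    def handle_starttag(self, tag, attrs):
        if ":" in tag or tag not in self.ALLOWED_TAGS:
            self.dropped.append(tag)   # drops t:set and any other prefix:name
            return
        kept = "".join(f' {n}="{html.escape(v or "", quote=True)}"'
                       for n, v in attrs if n in self.ALLOWED_ATTRS)
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including decoded &lt;script&gt;) is re-escaped, never passed raw.
        self.out.append(html.escape(data))

def sanitize(body):
    """Return (clean_html, dropped_constructs) for an incoming mail body."""
    p = AllowlistSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped
```

Running sanitize(SAMPLE_BODY) keeps the visible text and the <div>, and reports both processing instructions and the t:set element as dropped; the style attribute carrying "behavior:url(...)" is removed by the same attribute allowlist, without any pattern matching on "url(".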


Demonstration:
==============

We put together a proof of concept demonstration, which can be found at
http://www.greymagic.com/security/advisories/gm005-mc/.


Solution: 
=========

GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They
quickly confirmed our findings and were able to produce a fix less than
two days later. As a result, Hotmail is no longer vulnerable to this method
of exploitation.

All attempts to contact Yahoo unfortunately failed. Mail was sent to
security and secure at yahoo.com and at yahoo-inc.com; no replies have been
received to date.


Tested on: 
==========

Hotmail.
Yahoo.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright (c) 2004 GreyMagic Software.

Copyright 2021, SecurityGlobal.net LLC