List: full-disclosure
Subject: [Full-disclosure] Microsoft MSN Hotmail - Password Reset & Setup Vulnerability
From: Research <research () vulnerability-lab ! com>
Date: 2012-04-26 12:21:13
Message-ID: 4F993DB9.9000602 () vulnerability-lab ! com
Title:
======
Microsoft MSN Hotmail - Password Reset & Setup Vulnerability
Date:
=====
2012-04-26
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=529
http://news.softpedia.com/news/Critical-0-Day-in-Hotmail-Exploited-in-Wild-Microsoft-Issues-Fix-266506.shtml
http://news.hitb.org/content/0day-remote-password-reset-vulnerability-msn-hotmail-patched
VL-ID:
=====
529
Introduction:
=============
Hotmail (also known as Microsoft Hotmail and Windows Live Hotmail) is a free web-based email
service operated by Microsoft as part of Windows Live. One of the first web-based email
services, it was founded by Sabeer Bhatia and Jack Smith and launched in July 1996 as HoTMaiL.
It was acquired by Microsoft in 1997 for an estimated $400 million, and shortly after it was
rebranded as MSN Hotmail. The current version was released in 2007. Hotmail features unlimited
storage, Ajax, and integration with Microsoft's instant messaging (Windows Live Messenger),
calendar (Hotmail Calendar), file hosting service (SkyDrive) and contacts platform. According
to comScore (August 2010) Windows Live Hotmail is the world's largest web-based email service
with 364 million members, followed by Gmail and Yahoo! Mail, respectively. It is available in
36 different languages. Hotmail is developed from Mountain View, California. When Hotmail
Corporation was an independent company, its headquarters was in Sunnyvale.
(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Hotmail )
Abstract:
=========
The Vulnerability-Lab Team discovered a password reset vulnerability in Microsoft's official MSN
Hotmail service.
Report-Timeline:
================
2012-04-06: Researcher Notification & Coordination
2012-04-20: Vendor Notification
2012-04-20: Vendor Response/Feedback
2012-04-20: Vendor Fix/Patch [#HOTFIX]
2012-04-26: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
Microsoft Corporation
Product: MSN - Hotmail v2012 - Q1 & Q2
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A high severity password reset vulnerability was detected in Microsoft's official MSN Hotmail
service. Benjamin Kunz Mejri, a senior researcher at Vulnerability Laboratory, identified the
critical vulnerability in the password reset functionality of Microsoft's official MSN Hotmail
(Live) service. The vulnerability allows an attacker to reset the Hotmail/MSN password with
attacker-chosen values. Remote attackers can bypass the password recovery service to set up a
new password and bypass the token-based protection that is in place. The token protection only
checks whether the value is empty, in which case it blocks or closes the web session. A remote
attacker can, for example, bypass the token protection with the value "+++)-". Successful
exploitation results in unauthorized MSN or Hotmail account access. An attacker can decode the
CAPTCHA & send automated values over the MSN Hotmail module.
Vulnerable Module(s):
[+] Password Recovery Service & New Pass
Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without required user interaction. For
demonstration or reproduce ...
Note: To exploit the vulnerability only a browser and a URL (GET|POST) tamper is required.
Exploitation Technique(s):
[+] Bypass the Recovery Mod Page to New Pass or Reset
[+] Bypass token protection via non-empty value or positive value(s)
[+] Set up new password
[+] Decode CAPTCHA & send automated values
Solution:
=========
2012-04-20: Vendor Fix/Patch [#HOTFIX] - Coordination MSRC Team
Risk:
=====
The security risk of the remote password reset vulnerability is estimated as critical.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (Rem0ve)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partial usage, of
this file requires authorization from Vulnerability-Lab. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2012 Vulnerability-Lab
--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/