[ISN] Hacking Hotmail made easy

From: InfoSec News (isnat_private)
Date: Tue Aug 21 2001 - 01:09:36 PDT


    http://www.theregister.co.uk/content/4/21118.html
    
    Hacking Hotmail made easy
    By Thomas C Greene in Washington
    20/08/2001
    
    Some bright empiricist from Root-Core http://www.root-core.com has
    discovered that anyone can log into their Hotmail account and then
    call messages from any other Hotmail account by crafting a URL with
    the second account's username and a valid message number.
    
    Finding a valid message number is of course total guesswork, but they
    all follow a consistent format and always have the same number of
    digits (i.e., a time stamp), so with the help of a little brute-force
    progie one can try numerous combinations in the background rather than
    type them in.
    
    The basic URL for an attack looks like this:
    
    http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?
    _lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%2dbin%2fgetmsg&hm___qs
    =%26msg%3dMSGXXXXXXXXX%2e(X)X%26start%3d1%26len%3d99999999999%26login%
    3dUSERNAME%26domain%3dhotmail%2ecom
    
    where USERNAME is the account name, XXXXXXXXX is a nine-digit message
    number, and (X)X is a second number between zero and (I think)
    fifty-nine.
    
    (I've inserted spaces in the URL so the page here doesn't grow a mile
    wide, so be sure to remove them before you play with it.)
    
    Now, let's say you have a Hotmail account called
    r00tardedat_private. Just log in, click on any message in your
    inbox, and then look at the URL. You'll see something like this:
    
    http://lw2fd.hotmail.msn.com/cgi-bin/getmsg?
    curmbox=F000000001&a=5691b2b44e104176111971aa0fbb1274&m
    sg=MSG998000947.3&start=197078&len=1060&msgread=1&mfs=182
    
    Copy the URL and log out. Now, log into another of your Hotmail
    accounts, and commence to play.
    
    The message number for the item you viewed in your r00tarded account
    is MSG998000947.3 and it needs to be inserted in the attack URL along
    with the username thus:
    
    http://pv2fd.pav2.hotmail.msn.com/cgi-bin/saferd?
    _lang=EN&hm___tg=http%3a%2f%2f64%2e4%2e36%2e250%2fcgi%
    2dbin%2fgetmsg&hm___qs=%26msg%3dMSG998000947%
    2e3%26start%3d1%26len%3d99999999999%26login%
    3dr00tarded%26domain%3dhotmail%2ecom
    
    It's necessary that you be logged into another (any other) Hotmail
    account. Now copy in the attack URL, click 'go' and voila.
    
    You can only read messages; the button links on the page don't work;
    they'll bounce you back to the account you're working from. But it is
    a nifty trick, and it is proof of a major hole in Hotmail security.
    
    The hacking danger here is very much limited by the need to guess
    message numbers, which is slow going. And while there is a handy
    program for bruting the numbers it's quite slow, trying only about one
    message page per second in 'fast' mode.
    
    It has a GUI but remains a bit clunky, and also needs to be paused
    after it brings up the Hotmail login page so you can enter a valid
    username and password. After two unsuccessful attempts, I got it to
    work as advertised. It's more a proof-of-concept exercise than a
    cracking tool -- so enjoy it as such.
    
    And please, I beg you, don't contact me for tech support. I've nothing
    to do with it. It works; it does take a bit of tweaking; so just give
    it a whirl and be playful.
    
    
    [Additional links: http://rootcore.can-host.com/files/hobo04r2.zip ]
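    The hole described above is a missing ownership check: the getmsg
    endpoint trusts the login and message number supplied in the URL and
    only requires that some Hotmail session exists. The Python below is an
    added illustration of that mistake and its fix, not code from the
    article, from Hotmail or from the Root-Core tool; the account names,
    mailbox contents, handler functions and audit list are constructed for
    the example.

```python
# Constructed sample mail store: account -> {message number: body}.
# "MSG998000947.3" is the message number quoted in the article; the rest is made up.
MAILBOXES = {
    "alice": {"MSG998000947.3": "Hi Alice, your invoice is attached."},
    "bob": {"MSG998001200.7": "Bob, lunch tomorrow?"},
}

# Constructed audit trail: cross-account requests are recorded here so a
# monitoring rule could alert on one session probing many other accounts.
AUDIT = []


class NotLoggedIn(Exception):
    """Raised when the caller has no valid session at all."""


def getmsg_vulnerable(session_user, login, msg):
    """Models the behaviour the article describes.

    session_user is the authenticated account; login and msg come straight
    from the URL. The handler checks only that a session exists and then
    serves whatever mailbox the URL names, so any logged-in user can read
    any other user's message once they know its number.
    """
    if session_user not in MAILBOXES:
        raise NotLoggedIn("no valid session")
    return MAILBOXES.get(login, {}).get(msg)  # login is never compared to session_user


def getmsg_fixed(session_user, login, msg):
    """Hardened handler.

    The mailbox is chosen from the authenticated session, never from the URL.
    A request naming another account is logged and answered exactly like a
    missing message, so a probe cannot tell "no such message" from
    "not your message" and cannot confirm that a guessed number exists.
    """
    if session_user not in MAILBOXES:
        raise NotLoggedIn("no valid session")
    if login != session_user:
        AUDIT.append({"session_user": session_user, "requested_login": login, "msg": msg})
        return None
    return MAILBOXES[session_user].get(msg)
```

    The important property is that the fixed handler's answer depends only on
    the session, so the URL's login parameter is redundant and cannot widen access.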
    
    -
    ISN is currently hosted by Attrition.org
    
    This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 04:13:08 PDT