
Hotmail Cracked Badly 441

Posted by CmdrTaco
from the protect-your-asses dept.
All right, this has been submitted a lot so I'm going to throw it up. Hotmail has been cracked. Badly. Basically there is a web page with a form (no I'm not going to link it here, but I've seen it) that allows you to login as anyone and read/write/delete their email. Be afraid. And if you've got a message to yourself with like your VISA number in it, I'd think twice about it ;)

  • by Anonymous Coward
    Your e-mail is private and secure (yeah right! hehehe)

    When you sign up for Hotmail, you choose your personal ID and password. The only way you can access your account is by using the password you select. This means that only you will have access to your Hotmail account, even if you use a computer at a public terminal or a friend's house. (unless you use our convenient form based access if you "forget" your password... hehe)

    Because the messages in your Hotmail account are stored securely at a central location, you don't have to worry about losing important information if something happens to your computer. (until someone breaks in... heheh)

    Hotmail is strongly committed to keeping your personal information confidential. For more information on our Privacy Policy, click here. (the info goes straight to billg's desk. he reads it all! he knows who you are... heheh)

    Sign Up Now!

    excerpt from: http://lc3.law5.hotmail.passport.com/cgi-bin/dasp/hminfo_shell.asp?_lang=&beta=&content=whysign&us=ws

    /. k.d. /. earthtrickle - Monkeys vs. Robots Films
  • by Anonymous Coward
    It is actually incredibly difficult to send spam from hotmail. It is not a task that is easily automated because you have to go through their web interface for each and every message. Sure you could probably script it with perl, but that is far beyond the skills of 99.999% of the spammers out there.

    Instead, when people say that the only thing they get from Hotmail is spam, they probably mean somebody forging mail with headers to look like it is from hotmail. Which is kind of what you said, but unless you read procmail filters it wasn't so obvious.

    In your case, the procmail rule won't stop someone who is forging the X-Originating-IP line either, but it is probably good enough for most spammers.
  • by Anonymous Coward
    "Security through obscurity" implies that obscurity is the security mechanism. That's different from non-peer-review.

    If the mechanism for a passwording scheme is a switch statement with all the passwords inline (obfuscated somehow, obviously, so one can't just run 'strings' on the binary to extract the words) then it is "security through obscurity" to keep the source hidden.

    Not submitting your source code for peer review isn't the same thing by any stretch of the imagination. It's just one precaution among many that can be taken to preserve a system's security.

    Of course, devotees of the warped notion of "peer review" being bandied about in the Open Source(tm) community won't agree, but Peer review used to refer to a review by one's peers, in the sense of a credentialed body of experts. Not "throw it out onto the street and see what happens to it."
  • by Anonymous Coward
    Well this seems to be down. Try http://lagparty.org/hotmail/ instead.
  • http://207.82.250.99/cgi-bin/start?curmbox=ACTIVE&js=no&login=&passwd=eh

    University of Karlsruhe represent!
  • by Anonymous Coward on Monday August 30, 1999 @04:05AM (#1717377)
    Using interMute and turning on URL logging it wasn't hard to see what their script does. All it does is redirect you to the following URL:

    http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=ENTERLOGINHERE&passwd=eh

    replace ENTERLOGINHERE with the account you are cracking.

    This seems like a clear-cut backdoor type crack, hotmail is stupid enough to think that if you come in with the right URL, you must have got it through being authenticated at MSN passport. How unbelievably stupid.
  • by Anonymous Coward on Monday August 30, 1999 @03:51AM (#1717378)

    1) We're not told in this story where *exactly* the security hole is (in which part of the system)

    2) According to Netcraft: "www.hotmail.com is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD"

    So, don't start going on about how NT sucks like a bunch of sharks smelling blood. It's unbecoming.

    Don't look at this as an "MS fscked-up" story (and I question the filing of this one under "Microsoft") look at the story as a genuine "news for nerds" -- e.g. high-profile incidents like these can have an effect on developments in web-related industries.

  • by Gleef (86)
    Why should I prove something I never said? I said that MS marketing people have often mentioned they'd like to increase NT's presence at Hotmail, not that there are plans for wholesale conversion.

    In addition, it looks like they have increased NT's presence at Hotmail. They added Microsoft Passport [passport.com] to Hotmail, and I am pretty sure that the Passport servers are running NT. So at Hotmail you now have the Solaris/Apache boxes listening to NT machines running brand new software for account authentication. This might be where the exploit lies (or it might not).

    ----
  • $ nslookup
    > 207.82.250.251
    Name: wya-pop.hotmail.com
    Address: 207.82.250.251

    > set querytype=any
    > wya-pop.hotmail.com
    wya-pop.hotmail.com preference = 20, mail exchanger = mail.hotmail.com
    wya-pop.hotmail.com internet address = 207.82.250.251
    hotmail.com nameserver = ns1.hotmail.com
    hotmail.com nameserver = ns3.hotmail.com
    hotmail.com nameserver = ns1.jsnet.com
    mail.hotmail.com internet address = 216.33.151.135
    ns1.hotmail.com internet address = 207.82.250.83
    ns3.hotmail.com internet address = 209.185.130.68
    ns1.jsnet.com internet address = 209.1.113.3


    ----
  • by Gleef (86) on Monday August 30, 1999 @03:42AM (#1717381)
    Hotmail was originally running on Sun boxes running Solaris. When Microsoft bought it, they ported the software over to NT boxes, and tried running it that way. It crashed and burned so badly, they quickly went back to the Solaris boxes, but their marketing people keep saying that they will be increasing the presence of NT at Hotmail. I don't know if it's still Solaris or if they switched back to NT again.

    Regardless, you could crack the most "secure" OS, if it's administered badly. The OS's security features only limit what the best security you can obtain is. If you put a backdoor in your system (usually inadvertently), the best OS in the world won't save you. I would assume that whatever they're running, they screwed up.

    ----
  • you can login as a user and get a list of their mail, but you can no longer view it. ...shucks.
    ----------------- ------------ ---- --- - - - -
  • Here's CNN's take [cnn.com] on this.

    Alex Bischoff
    ---

  • by KaHa (368)
    Sure it's possible. LynxSSL.
  • by drwiii (434) on Monday August 30, 1999 @04:28AM (#1717385)
    Here's my mirror of the exploit [slashnet.org]

    Sorry, Billy. Really.

  • It's nice to know that the login form is hosted by a *NIX, but what about the machines hotmail users really use to read their email? Right now I'm reading email on hotmail, and the actual web server it is using is lw4fd.law4.hotmail.msn.com and its IP isn't one of the ones that www.hotmail.com points to. Has anyone checked the OS/webserver/etc for these other machines?
  • Actually I like POP too, is there an implementation of it out there that uses encrypted passwords?
  • What are the implications of this regarding the Microsoft Passport programme? From hotmail.com:

    Microsoft® Passport is a single, secure way for you to sign in to multiple Internet sites using one member name and password. And now, as an MSN™ Hotmail™ member, you can use your Hotmail member name and password as your Passport!

    That means you can use your Hotmail member name and password to sign in to Hotmail as well as many other Passport sites - without having to retype any information. This summer, many of the MSN sites will begin accepting your Passport, as will other major Internet sites later on this year.

    Here's how it works: If you sign in to Hotmail or any other MSN site, you are automatically signed in to all MSN sites that use Passport. As you move from site to site, you'll instantly be recognized, and you'll have access to the best features the sites have to offer. Once other Internet sites begin using Passport, you'll also be able to sign in to those sites with just one click - without having to re-enter any information. No multiple sign ins, no hassles!

    Is there a way to transfer your forged hotmail identity to use other services under the passport programme as well?

  • Dog bitecha!

  • Others have mused about the possibility of the Hotmail lawyers coming after people who exercised this security feature. Well, CNN says they did this so I guess they are in the soup too.

    Now a buddy of mine says, "Watch M$ turn this around and say they've fixed the problem by switching to NT!"

    Arrrrrgggghhh
  • I'll throw this one out.

    What are the chances that MS "allowed" this hole to exist so they could spread FUD about *NIX.

    "This just shows the world that a free OS built by a bunch of hackers in their bedrooms can't compete with an Industry Supported OS like Windows 2000."

    How long till something like that comes out of Redmond?
  • Bullshit. Microsoft screwed Hotmail up badly. Compare Hotmail as it was *BEFORE* Microsoft got its hands on it as opposed to the way it is now. The old Hotmail didn't care what browser you used to access it. Now thanks to MS, you can't use older browsers or Lynx with it (well you can use lynx but you have to modify it)
  • Is not giving us the URL in the posting not an example of using security through obscurity?

    --

  • Before you go on the "Linux FUD" defensive, why not read all of the posts and learn a few things:

    1. It's not hotmail per se that was cracked, it was Passport.

    2. Passport runs on IIS.

    3. ANY OS can be insecure if administered by a fool. In this case, it wasn't the OS, it was the web application.

    "The number of suckers born each minute doubles every 18 months."
  • FUCK that!

    "The number of suckers born each minute doubles every 18 months."
  • It seems probable. And, for all the speed of Slashdot, it's improbable that the hole was posted here first.

    And, even if the admins of Hotmail don't read Slashdot or other tech news sites, the massive surge in activity, PLUS the massive surge in accesses of mailboxes should have rung alarm bells from Hotmail to Antarctica and back.

    If THAT weren't enough, the admins must be aware of a huge increase in the number of people accessing via a single machine, and via a single method.

    If that STILL weren't enough, they must have been notified by now that something's going on.

    Finally, if complaints, surging activity from a single computer, news everywhere of the hole, and a massive increase in the use of Passport, were not enough to pull the plug, I'm sure journalists read Slashdot and some may have phoned Hotmail for a comment. System cracking is still news, even these days.

    Yet, despite all of this, Hotmail still has that security hole wide open. *SIGH* That is astonishing.

  • by jd (1658) on Monday August 30, 1999 @04:41AM (#1717397)
    There's a post on the MSNBC's tech board, referring to the Slashdot article. MSNBC's tech staff read the board, and I'm sure they'd forward anything vital to the appropriate people.
  • There's a bunch of sites that have the same effect. Like http://www.erikaweb.com/misc/hotmail.htm, for example. Just go to AltaVista and search for "hotmail login -host:*.hotmail.com".

    It seems like Hotmail doesn't check for the password when you first open the mailbox when the referring page is not in Hotmail's domain. Big hairy bug indeed.
  • And if Passport was Open Sourced (whoever said this should be shot, IMHO), EVERYONE would know how to hack it. My God man.

    Think again. You are making the famous appeal to Security Through Obscurity. If Passport were open-sourced, people would find the bugs and fix them, instead of sitting on them and hoping no one would notice the way Microsoft does with all its products.

    Beer recipe: free! #Source
    Cold pints: $2 #Product

  • looks like they disabled that cgi.
  • There are a lot of people who were doing illegal things through Hotmail who are potentially under surveillance through this insecurity. I don't really care about them. (I'm not talking about the person who occasionally forgets that Microsoft Word or Quake 2 or whatever is a commercial product, but more the people who put up a tonne of stuff and use it to generate money whether through banner ads or subscriptions) I am concerned for the people who wanted anonymity for legitimate reasons. Maybe they were anonymously subscribed to sexual abuse survivor mailing lists or online support groups for the differently gendered.

    A lot of people are going to state that these people were stupid for relying on a Microsoft service, but where are they supposed to go? It isn't stupidity so much as a lack of education. This is compounded by the people who are technically capable of doing the educating. Too many of them are too busy looking down at the unwashed masses to communicate the options and hazards involved with the various options.

    A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (it's been a while) which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.

    There are probably others (I don't use anonymous email myself, I do use services that allow me a perpetual email address for non-critical stuff, like providing head hunters a consistent address) but the only thing you really hear about are Hotmail or Lycos etc.


  • It's not a matter of who owns it; rather, the underlying pattern of lax security that has become a hallmark of Microsoft implementations. This is not the first example; take, for example, Windows' e-mail attachment handling (which allowed the Melissa virus to flourish, over a decade after the Internet Worm should have taught everyone a lesson), ActiveX (which can either be disabled or insecure), and the numerous NT security flaws.

    Microsoft have a culture which assumes that networks are controlled and orderly, much like corporate LANs, rather than the chaos of the Internet. This comes up in their assumptions, and their lack of attention to security. The Microsoft Passport hole is merely the latest example.
  • by Oestergaard (3005) on Monday August 30, 1999 @03:38AM (#1717403)
    I guess this proves that no matter how secure your platform is, the people who write the apps still need to have a clue about security.

    It doesn't matter that UN*X or Linux are secure, when the apps that run on them aren't.

    Apart from removing sprintf/sscanf and friends from the C library, does anyone have any good ideas about what could possibly be done to increase the probability of some daemon being secure?

    Buffer overflows are a frequent coding error, but other exploits also happen (like much of the Java disasters in browsers previously). Also, simple design errors in an authentication sequence can cause the wrong people to get access, even if the code implements the intended algorithms perfectly.

    One can write an insecure program in any language using any tools. But how can we seek to increase the probability that developers don't fall into these pits of insecure code writing?

    We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.
  • Great. Yet another software patent-wielding money grubber. From the HushMail FAQ page:

    HushMail implements patent-pending technology known as a "Public Key Cryptosystem with Roaming User Capability." That means that the only people who can read your HushMail are the people that you send it to. It also means that you can access your account from any computer that has a Web browser and Internet access, anywhere in the world! Remember that you can use your HushMail account to send email to anyone on the planet, but to take advantage of our 1024-bit encryption, all parties sending and receiving email must be using HushMail.

    So to be useful, you just have to get all of your correspondents to also use HushMail. Right. Forget about all the existing PGP users. And how can you get a patent for something that is already widely available? Why all you have to do is tack 'Roaming User' onto the end of the description and Poof! The software patent fairy grants your wish. Watch out world, I got a patent so I can sue your ass off if I feel like it!

  • I can't get it to work (trying at 1:12 CST) I get a Forbidden, Don't have permissions to access /cgi-bin/ error...
  • And I had commercially sensitive data in my email (which would be stupid on a non-POP3 server)

    I hope you're not inferring that it's a good idea to pass data through a POP3 server. Not sure if you've encountered this one yet, but POP3 (and most of its kindred) send passwords and mail in the clear, the same way hotmail does. Indeed hotmail would be slightly more secure, since the passwords are likely sent in a POST form, which is mime64-encoded and thus very slightly protected against casual over-shoulder interception. Further, POP is a much more common target for interception since its use is so widespread and the format is quite standardized.

    "Secure mail," inasmuch as that can be taken as anything but a contradiction in terms, involves stuff like a secure transmission client, encrypted channels all the way from sender to recipient, storage in encrypted form or on a cryptographic filesystem on a trusted, isolated server, and a secure reception client. At present hardly any such systems exist. The ones that do -- well, they don't run POP3.

  • We still need C, we still need string handling, and since every system has its own way of authenticating users, it seems there is little to be done at all.
    Well, I haven't dealt with authentication myself, but if I had to, I'd begin by taking a close look at PAM rather than rolling my own.
    --
  • I wrote: Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.

    Hee hee... s/ASP/cgi/

    So this just means it's lousy coding. No surprise there. cgi-bin's been a scary thing to have on your system for a long time.
  • From netcraft [netcraft.com]:

    lw4fd.law4.hotmail.msn.com

    lw4fd.law4.hotmail.msn.com [msn.com] is running Apache/1.3.6 (Unix) mod_ssl/2.2.8 SSLeay/0.9.0b on FreeBSD [slashdot.org]
  • Ah.

    So that's why I couldn't read admin@hotmail.com's mailer error messages.

    ;^>
  • Anonymous Coward writes
    How abouts some more information concerning the crack -- was it something unique to hotmail or a general flaw everyone needs to be concerned about? (I seriously doubt hotmail will be very forthcoming with this information.)

    I agree. Why haven't I seen this on Bugtraq yet? I'll admit I haven't been reading very closely, and Bt isn't really the right forum for that, but things like this usually hit the fan there about a week or so ahead of mainstream media (that counts /. these days).

    Is this a compromise of the system behind hotmail or of the hotmail ASP itself? My guess would be the latter, ASP is good at making cute web pages, lousy at doing so with efficient code, worse at making them secure.

    Btw, someone want to moderate up that (intelligent) AC comment?
  • didn't improve it? Are you serious? It's changed quite a bit since they bought it... not to mention "cool" things like integration with MSFT Passport. Now there's a good idea. Place credit cards, mailing addresses, and passwords into our cool online service so that crackers know exactly where to hit the mother lode.

    Sujal

  • It's a good idea, but best left decentralized (i.e. maybe a standard extension in the browser or some such idea). The idea of a single server for this type of information just scares me.... cracked once and a whole lot of people are in trouble. And, by its very nature, it can't be protected in the same ways as credit card computer systems and bank systems (firewalls and dedicated networks).

    Sujal

  • by el_nino (4271) on Monday August 30, 1999 @03:38AM (#1717414)
    Now, I was gonna tell you the address, but I guess since the holy Commander Taco sez not, I guess this isn't a full disclosure forum. Though someone will probably tell you anyway.

    Anyway, I've been told that they use "Microsoft Passport" and that's what's been cracked. Why didn't they just leave it as it was, since they've already failed to move it to NT? Are they still trying to move it to NT, or do they use it because they have to feel they're using at least some MS s/w?

    Well, I guess they're too embarrassed to talk about it...
    %japh = (
    'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
    'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'
  • by el_nino (4271) on Monday August 30, 1999 @03:45AM (#1717415)
    Oh well...

    http://www.2038.com/hotmail/
    %japh = (
    'name' => 'Niklas Nordebo', 'mail' => 'niklas@nordebo.com',
    'work' => 'www.pipe-dd.com', 'phone' => '+46-708-444705'
  • Consider this ironically timed story on the front page of www.zdnet.com:

    Microsoft Makes Reading Easier. [zdnet.com]

    Yes. It seems they do.
  • Yeah they just had to increase their hw by ~8000% first (maybe?).


    LINUX stands for: Linux Inux Nux Ux X
  • Looks like it is gone now- could anyone describe it?
    -luge
  • I take that back. Holy crap indeed. Thank goodness for free school email (not that it wasn't cracked in January, but whatever...)
    -luge
  • Just pulled ALL my stuff off hotmail (6 accounts) and notified all hotmailers that I know of the crack. Also fired off a nastygramme to Hotmail about their aircraft-carrier-sized hole in security.

    I basically mimicked the first guy who responded to this particular post. "Holy crap!"


    Chas - The one, the only.
    THANK GOD!!!

  • This is exactly why I would never ever do anything but trivial conversation over something like a hotmail account. Sure, somebody could hack into my box, but a hotmail account is just begging for it.

    Chilli

  • Sure you need good software to make a good system, but in the end it is the administrator who makes the difference. So, at least we know who to blame ;-)

    Chilli

  • Good point!

    Chilli

  • > At least their encryption isn't just XOR-based. :)

    Well, in fact many REAL (&safe) encryption algorithms are run in the xor-with-the-plaintext mode. As long as the bitstream that you XOR with is sufficiently unpredictable, that is perfectly safe.

    You're thinking about xor-with-a-fixed-string or something like that. That's stupid.

    You're bashing on XOR for no good reason. Leave XOR out of it.... ;-)

    Roger.


  • Perhaps this is obvious, but this is not just a stolen password list. I changed my password on Hotmail, and the crack URL still happily lets me in.
  • by bgarrett (6193) on Monday August 30, 1999 @03:36AM (#1717426)
    I'd like to jump in and beg people not to start screaming about "Microsoft's sucky security" until we get more information about the exploit that was used, if any is available (I'll be watching BUGTRAQ for this).

    Remember, Hotmail uses both Solaris and NT in various capacities.

  • > I block anything from Hotmail anyway, since only
    > spam ever comes from Hotmail, so who cares?


    The last time I got spam from Hotmail, I sent an irate letter to them. In reply, I got a very nice letter (sorry, don't have the person's name) explaining that all Hotmail mail gets an X-Originating-IP: header tacked on. So you can just filter on the existence of that line.

    Here's my procmail recipe which does just that:


    :0 H:
    * ^(From|X-From-Line|Return-Path):.*hotmail\.com
    * !^X-Originating-IP:
    junk

  • Yeah, and have your password transmitted in clear text to your ISP. If you didn't know, this is the biggest drawback of POP3. Use IMAP instead.
  • It appears that certain operations are geared off of "registered IP addresses". So, if your brother has ever checked email from your machine, you can get to his account.

    --Joe
    --
  • by Mr Z (6791) on Monday August 30, 1999 @04:14AM (#1717430)

    Folks, in the interest of injecting some FACTS in the discussion, here's my analysis of what the hack does. It merely generates a URL of the following form, where everything except the username can remain constant:

    http://207.82.250.251/cgi-bin/start?curmbox=ACTIVE&js=no&login=username&passwd=eh

    In other words, the view/edit mailbox functionality appears to not check the password field, plain and simple. It's just plain bad CGI programming, not an OS or webserver issue.

    --Joe
    --
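To make the handler logic described in the comment above concrete, here is an added example (written for this page, not Hotmail's actual CGI; the credential store, account names and passwords are constructed). The first handler opens a mailbox for any request whose `login` names an existing account and never reads `passwd`, which is the behaviour the URL above exhibits; the second verifies the password before granting access, whatever page produced the URL.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a credential store (assumption, not Hotmail's).
 * A real store would hold password hashes rather than plaintext. */
struct account { const char *login; const char *password; };
static const struct account ACCOUNTS[] = {
    { "alice", "s3cret-A" },
    { "bob",   "s3cret-B" },
};
#define NACCOUNTS (sizeof ACCOUNTS / sizeof ACCOUNTS[0])

/* Copy the value of `key` out of a query string such as
 * "curmbox=ACTIVE&js=no&login=alice&passwd=eh" into out.
 * Returns 1 on success, 0 if the key is absent or the value does not fit
 * (over-long values are rejected, never silently truncated).
 * No %-decoding: enough for this demonstration. */
static int query_param(const char *qs, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = qs;
    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= outlen) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

static const struct account *find_account(const char *login)
{
    for (size_t i = 0; i < NACCOUNTS; i++)
        if (strcmp(ACCOUNTS[i].login, login) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Compare secrets without stopping at the first mismatching byte, so the
 * check does not leak how many leading characters were right via timing. */
static int secret_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la != lb) return 0;                 /* leaks only the length */
    unsigned char diff = 0;
    for (size_t i = 0; i < la; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The flaw the thread describes: the mailbox handler trusts the login
 * parameter and never looks at passwd, so "passwd=eh" opens any account. */
int open_mailbox_unchecked(const char *qs)
{
    char login[64];
    if (!query_param(qs, "login", login, sizeof login)) return 0;
    return find_account(login) != NULL;
}

/* Hardened form: the request must carry the account's password. Which page
 * or site produced the URL is irrelevant; the Referer is not a credential. */
int open_mailbox_checked(const char *qs)
{
    char login[64], passwd[64];
    const struct account *acct;
    if (!query_param(qs, "login", login, sizeof login)) return 0;
    if (!query_param(qs, "passwd", passwd, sizeof passwd)) return 0;
    acct = find_account(login);
    if (acct == NULL) return 0;
    return secret_equal(passwd, acct->password);
}

int main(void)
{
    /* Constructed requests in the shape of the URL quoted in the thread. */
    const char *forged  = "curmbox=ACTIVE&js=no&login=alice&passwd=eh";
    const char *genuine = "curmbox=ACTIVE&js=no&login=alice&passwd=s3cret-A";
    printf("unchecked handler, forged URL : %s\n",
           open_mailbox_unchecked(forged) ? "mailbox opened" : "denied");
    printf("checked handler,   forged URL : %s\n",
           open_mailbox_checked(forged) ? "mailbox opened" : "denied");
    printf("checked handler,   genuine URL: %s\n",
           open_mailbox_checked(genuine) ? "mailbox opened" : "denied");
    return 0;
}
```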
  • I think they have something set up which monitors the IP you're coming from, and seeing how you're using it. I tried it a few times and it worked, but then it died. Perhaps the system is sort of crippled -- and realizes your multiple attempts using this one url, and blocks you out.

    Dunno


  • This is one reason why I avoid web mail. I prefer pop3 where the mail only sits on the server for a short time, and is then pulled down to my own system.

    Plus your local ISP's pop server is not a high-profile target like Hot mail, making it far less likely to come under attack.
  • "Where were you when you heard that Hotmail was cracked?"

    Michael
  • "Where were you when you heard that Hotmail had been cracked?"

    Michael
  • HOW much does a hotmail account cost you?
  • Yeah - logging in has worked fine, the five times I've tried it. The first four times I didn't read anyone's email, because I knew the people; I just picked a username at random and tried to open an email just now...

    IE 4.5 isn't allowed on grounds I don't have cookies enabled. Bullshit; I'm using slashdot.

    Just tried a sixth - same effect. I can see a listing but not view email. And the same result with Communicator 4.61-Mac.

    Hmmmm....
  • The page at 2038.com just redirects to :
    http://www.microsoft.com/security/default.asp

  • Hmm, that doesn't seem to work for me. perhaps the Swedish site is adding a cookie which has a value set by a simple XOR of the username or somesuch obvious device.

  • So the question is, just how long will it be before Hotmail admins wake up and pull everything down?
    • original /. post was at August 30, 09:23 AM EDT;
    • At 3:50pm UK, i.e. 9:55am EDT the exploit still works;
    • Only *one* other media story AFAIK -- on The Register [theregister.co.uk] -- sorta fun to see who picks it up next ...

    BTW it's a public holiday in the UK, so double plus good to the Register.

    OTOH, 'there but for the grace of god'. How many of the sysadmins here are > 95% sure they've covered every hole & patched every exploit on every one of their systems?

  • OK, so two minutes later (4pm BST, 10am EDT) it's blocked at last -- approx 40 mins from the first /. post. Anyone know what time news leaked before that ?

  • I absolutely agree. I do seem to have made some progress in increasing awareness; and I've decided to leave anyway, for (partly ;) ) unrelated reasons ...
  • Trust == reputation == value to an operation like Hotmail, and this is going to make them a laughing stock.

    In the last year my PHB has heard of Amazon, which is great, because now I'm being *asked* to do interactive / DB backed web stuff -- "like that Amazon thing". I can also defend Perl, *nix etc as credible because "Amazon use it !" & not have him glaze over.

    Now with a bit of luck I'll be able to convince him that we really *should* have some sort of basic security policy. What with us having access to info on billion dollar deals, and users running around with Windows 95 laptops, and so forth ... "Remember what happened to Hotmail !" I shall say, "See, even the mighty Microsoft are not immune to security problems ... " In his eyes, if MS. can be cracked, anyone can ...

  • ..that it was almost exactly a year ago that this exploit [rootshell.com] was discovered...
  • OK, what he's talking about here is a class of security problems called buffer overflows. Basically, the problem with sprintf is that its output goes to a string - which has a defined length. This string could be a buffer array for data within the program. Thus, if the original data used for the input to the sprintf can be altered by the user (for example, through environment variables or program options), it allows a random user to stuff data in areas of memory past the end of the buffer array. If this buffer array is in a predictable position (as it might well be on the stack), a skilled cracker (or a script kiddy with a ready-made program) would be able to shove hand-tailored data onto the stack, which if executed could be made to give root privileges to the cracker. The fix is to use snprintf instead (which requires the length of the buffer array as a parameter).
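An added example of the sprintf/snprintf point made in the comment above (written for this page; the mailbox-path format, buffer size and logins are constructed, not anything from Hotmail). It shows the unbounded sprintf pattern beside a bounded version, and the detail that snprintf alone is not enough: it truncates silently, so its return value has to be checked and truncation treated as a failure.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 32   /* deliberately small so the limit is easy to hit */

/* The pattern the comment warns about: sprintf writes however many bytes the
 * format produces, so a login longer than the buffer allows spills past its
 * end. Kept for contrast only; nothing below calls it with untrusted input. */
void build_mailbox_path_unsafe(const char *login, char *out)
{
    sprintf(out, "/var/mail/%s/INBOX", login);   /* no bound on `out` */
}

/* How many bytes the sprintf above would store for this login, terminator
 * included. When this exceeds the buffer size, the unsafe version overruns. */
size_t sprintf_bytes_needed(const char *login)
{
    return (size_t)snprintf(NULL, 0, "/var/mail/%s/INBOX", login) + 1;
}

/* Building a path from user input has a second problem besides length: a
 * login containing '/' or '..' steers the path elsewhere. Allow a
 * conservative alphabet only. */
int login_is_valid(const char *login)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_";
    size_t n = strlen(login);
    return n > 0 && strspn(login, ok) == n;
}

/* Hardened form. snprintf never writes more than outlen bytes, but it
 * truncates silently, so the return value (the length the full output would
 * have had) is checked and a path that would not fit is refused outright
 * rather than used in truncated form. Returns 1 on success, 0 on failure. */
int build_mailbox_path(const char *login, char *out, size_t outlen)
{
    if (outlen == 0 || !login_is_valid(login)) return 0;
    int n = snprintf(out, outlen, "/var/mail/%s/INBOX", login);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Convenience wrapper around a PATH_BUF-sized buffer: the formatted path,
 * or NULL when the login is invalid or the path would not fit. */
const char *mailbox_path_demo(const char *login)
{
    static char buf[PATH_BUF];
    return build_mailbox_path(login, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    const char *logins[] = { "alice", "averyveryverylonglogin", "../etc" };
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        const char *path = mailbox_path_demo(logins[i]);
        printf("login %-24s sprintf would need %2zu bytes of %d -> %s\n",
               logins[i], sprintf_bytes_needed(logins[i]), PATH_BUF,
               path ? path : "refused");
    }
    return 0;
}
```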

  • I came upon this a few weeks ago while working on a simple to use menuing option for the administrators at my website. There are about 10 of us covering different aspects and we all take responsibilities answering emails and decided to keep the hotmail account one of us had set up.

    I set up the 'click here to check email' on our menu, with all the form filled out as it was on the M$ site and it worked...I then noticed that it didn't require the password, but I thought that was because it had been cached some how. I tried it again from my laptop later that night (after forgetting to fix it) and it worked...hmmm...the next day I tried it again and the login procedure no longer would let me access it even once I had the password entered in the hidden form...it'd only take me to the front login page.

    Maybe this was just a temporary hole...shit I have kept holes wide open in attempts to keep my machines running at times while I'm working on something. To my former boss, there ain't nothing worse than a downed machine...he'd even accept hackers broke the system, but it was running rather than downing it. Lucky my latest one cares more about protecting valuable information than someone being inconvenienced...

    clif
  • There is some new exploit for wu-ftpd, proftpd, BeroFTPd going around.. I just got news of it from security mailing lists this morning. Basically, if you are using wu-ftp version prior to 2.5.0 you'd better upgrade!! I am not sure what versions of proftpd are vulnerable.. I just disabled the copy running on my home machine.
  • Since this appears to be a stupid CGI bug/human error keep in mind that chances are a UNIX admin wrote the CGI script since hotmail does UNIX.

    I would disagree. My guess is that they gave the job to write the program to some MCSE certified drone. However, of course the guy quickly found that the MCSE doesn't cover CGI, and the guy had no clue. Incompetence reigns within the MCSE "community." Perhaps next time Microsoft will hire a real CGI programmer. Of course, as they point out in their whitepapers, they'd have to pay a Unix CGI programmer more.

    -Brent
  • Why don't you post the URL, since this is a public forum, and you're only sharing public information.
  • First off it's solaris/bsd not NT. Second, it's not an OS related security issue at all. It's just sloppy programming in the hotmail setup itself.
  • by dirty (13560) <dirtymatt@@@gmail...com> on Monday August 30, 1999 @04:20AM (#1717450)
    From what I've seen basically Hotmail trusts a certain URL to be accurate w/o doing any verification of the password. This isn't an NT issue or a Solaris issue or any other OS related security hole. It's just bad programming on the part of whoever wrote the offending code. Whether it was MS who messed up or the people who originally wrote hotmail I wish I knew.
  • From a ZDNet Message:

    MSN Messenger Service disabled?

    Since Microsoft has 'fixed' the security hole earlier this morning, my MSN Messenger service will no longer allow me to directly login to my Hotmail Inbox. That's the only reason I even use the shitty service...

    Coincidence? I think not.


    Any MSN Mess users confirm this?
  • When trying to view a Hotmail inbox from MSN Messenger you get this:

    Forbidden You don't have permission to access /cgi-bin/start on this server.

    It's either something on Hotmail's end or something that will require an update for Messenger and how it connects to Hotmail.
  • substrate wrote:
    A few years ago there was a true anonymous mail service based in (I think) Finland. It was something like penet.fi (it's been a while)

    anon.penet.fi, yes. Read the story of its demise [penet.fi].

    Key details not found there (unless you poke around some) are that the court case involved anonymous e-mail sent by a critic of the Church of Scientology, a lawsuit brought by Scientologists in Finland against Julf, and the subpoena served on Julf by reluctant Finnish police. Julf had simply hoped this day would never arrive; when it did, somewhat more quickly than he had expected, he was caught off-guard. Since he realized that he did not have the resources to protect the users of the service, he closed it.

    which did do the job of servicing users anonymously well. The machine which did the work wasn't even physically connected to the internet except by UUCP connections over a phone line several times a day. Latency was large, but it did provide security.

    Julf did a great job with anon.penet.fi, but let's not oversell it. The anon.penet.fi did nothing more spectacular than remail your text with its headers. There were instances of the service being spoofed, accidentally revealing addresses, and being abused by someone with prior (social) knowledge of the real e-mail address associated with an anon.penet.fi address. And in the end, it all boiled down to Julf: did you trust him? He was honorable, but that wasn't guaranteed.

    Nevertheless, many thousands used the service mainly because it was the easiest anonymizer to use. And yes, as many security geeks pointed out endlessly, the ease of use made it more vulnerable than other systems.
  • Enoch Root (root@eruditorum.org) wrote:
    The story at CNN Interactive is interesting, because they're taking credit where credit arguably goes to Slashdot. [snip]

    • Shortly after CNN Interactive posted the story, one of the sites, based in Stockholm, Sweden, was changed to a simple message, "Microsoft rules."

    Funny. The story was posted on CNN after it was reported here, and Hotmail went down at around 11:45 AM EDT, following the assault of /.ers. Besides, they don't mention the URL; how the hell could the CNN readers find it?

    You're reading too much into that sentence, Enoch. They were simply editing the article; I read the first version, where they implied that the Swedish site was still up, but when it was blanked, they changed that sentence and almost nothing else. I don't think it was an attempt to take credit.

    What bugs me about all the mainstream articles I've read so far -- CNN, even News.com -- is that they seem to believe that the crack was only possible with the CGI script. The Hotmail PR line is "advanced programming techniques" -- which news.com swallowed whole hog. Fortunately ZDNet is reporting that "a simple HTML script" (long way to say "URL") could also thread the security needle.
  • miyax writes:
    If they can do this to Hotmail that means, just as easily, they can do this to any web-based e-mail service.

    Uh, actually, no. That should read "to any badly-programmed web-mail service". See, they didn't invent some gosh-darn super-duper smart-agent neural-net jacked-into-the-matrix hack; they found out that Hotmail hadn't locked all the doors, that's all.

    (Sadly, that's pretty much the case with ANY system cracking.)
  • I don't think it's possible to use Lynx. See here for why.
    http://www.machineofthemonth.com/misc/ma0.html
  • Forget the security implications for a moment. Why not start cracking the email accounts for fun? For example, there are a number of Congressmen who use Hotmail accounts. And folks in the media (think: anchors). Heck, even Monica Lewinsky used Hotmail, right? (Try: mlewinsky.) There could be a lot of fun had here before Hotmail fills the hole. (Which I'm surprised they haven't done yet.)
  • No, Microsoft didn't start Hotmail. However, Microsoft did start the Passport integration. In the course of doing this, they modified CGI scripts and failed to think through the security implications of what they were doing. Which is par for the course for MS. End result: because of a stupid error by MS, large numbers of people had e-mail compromised. In any competent setup, this error should be caught before going into production. In most Unix shops, it would get caught. Around MS, failure to catch things like this is endemic, which is why I don't trust their products from a security standpoint. I'm just happy I don't need Hotmail to get Web-based e-mail.

  • I hope nobody else thought I was accusing FreeBSD of being insecure! It just sounded like Bendawg thought Hotmail was running on top of Windows. Er, maybe not. Whatever. Bottom line is, MS can make anything insecure.
  • Well, I saw it coming. I was never a friend of web based freemailers, anyway, especially not hotmail. However, it would be interesting to know more details on this hack. Is it just a hotmail problem? What about other freemailers such as yahoo? is there some official statement by hotmail? Inquiring minds would like to know.
  • Well the how seems "simple"... it's a security hole. In the URL that the little script generates, you can change the password=eh to pasword=xxx, or whatever, and it still works. You can also change the user account name to some other account name and it still works. In fact, you can have an empty passwd= part in the URL and it works....

    So basically what I think this is, is simply access to a machine that normally users only get directed to once they've gone through the login process. Also, normally the parameters in Hotmail's URLs are encoded or something, but I wouldn't be surprised if what we see encoded in normal Hotmail access decodes to the URL-type syntax this script generates.

    I just wonder what a CURMBOX is...

    If this is true, it just took someone to decipher the URL encoding, and voilà.... and knowing MS, it's probably ROT13 or something.
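The bug pattern this comment describes (a mailbox endpoint that trusts `login=`/`passwd=` URL parameters without re-verifying them) can be illustrated with a small added example that is not from the thread and not Hotmail's code. The users, the server key and the function names are constructed for the demo; the fix shown, a signed and expiring session token checked on every request, is one standard hardening, not what Hotmail actually deployed.

```python
"""Added illustration: a mailbox handler that trusts URL parameters, beside
one that only honours a server-issued, signed session token. Users, key
and names are constructed; nothing here is Hotmail's actual code."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs

USERS = {"alice": "correct-horse", "bob": "battery-staple"}  # constructed
SERVER_KEY = b"constructed-demo-key"  # would be a random secret in practice
TOKEN_TTL = 600  # seconds a session token stays valid


def broken_mailbox(query):
    """Vulnerable pattern: the endpoint assumes the front page already
    checked the password, so any login= opens that inbox; passwd= is ignored."""
    q = parse_qs(query, keep_blank_values=True)
    login = q.get("login", [""])[0]
    return f"inbox of {login}" if login in USERS else "denied"


def issue_token(login, password, now=None):
    """Login step: verify the password, then return login:expiry:mac where
    mac is an HMAC-SHA256 over login and expiry under the server key."""
    if not hmac.compare_digest(USERS.get(login, ""), password):
        return None
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    mac = hmac.new(SERVER_KEY, f"{login}:{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{login}:{expiry}:{mac}"


def verify_token(token, now=None):
    """Return the login bound to a valid, unexpired token, else None."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    login, expiry, mac = parts
    expected = hmac.new(SERVER_KEY, f"{login}:{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # editing login or expiry breaks the MAC
        return None
    if (now if now is not None else time.time()) >= int(expiry):
        return None
    return login


def fixed_mailbox(query, now=None):
    """Hardened pattern: every request re-verifies the session token; the
    login name in the URL is not trusted at all."""
    q = parse_qs(query, keep_blank_values=True)
    login = verify_token(q.get("token", [""])[0], now)
    return f"inbox of {login}" if login else "denied"
```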
  • It's still working... I can't believe something like this is possible - and it's not even /.'ed :)

    Why don't MS just block requests from the referring host in question? How hard can it be?
  • no kidding...
    let's face it - security holes pop up on all platforms, *nix, windows, whatever. the key is how a company responds to the holes and m$ doesn't seem to have learned that lesson. they figure they can keep everyone in the dark for as long as possible.
    the same thing happened with the big iis hack a couple of months ago
  • Hotmail doesn't disconnect their service like eh.... right now seems a good time! I mean... this seems like the sensible thing to do now...
  • ...without actually looking at a real person's mail, just use one of those addresses you get spam from. pplegal for example - it's full of bounced spam, of course.
  • This was the headline of a tabloid here in Sweden this morning. Though at the time I assumed it was just more Internet FUD. Could it be that we are finally seeing public awareness of network security??? Hopefully we can smudge Microsoft over this story in the popular press.

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.
  • but made less funny by the fact that they don't run hotmail on MS-ware, as of the last I heard.
    Yipes!
  • by Enoch Root (57473) on Monday August 30, 1999 @04:00AM (#1717577)
    I find it amusing that it would come to this. Hotmail keeps saying in TV ads that they're "perfectly secure and private" because they prompt you for a PASSWORD when you try to access your mailbox. Whatever means was used to crack Hotmail, I think it's a good thing. It will make people realise a system is not secure because the company hosting it says so.

    This reminds me of Bruce Schneier's saying: There are two kinds of security: the one that will keep your sister out, and the one that will keep the Government out. Guess which Hotmail is. And nowadays, I've known 14 year-old female hackers, so Hotmail is probably not even secure against your little sister. :)

    On a side-note, secure Web-based, free Email does exist. I urge everyone to visit HushMail [hushmail.com] for Email with real security. At least their encryption isn't just XOR-based. :)

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • Well that's interesting.... it seems as if this might be caused by Microsoft Passport. After all, since Microsoft Passport is Microsoft's new 'tool' for getting into websites without reauthenticating, they had to have some FUD to promote it..... Take a look here [passport.com] to see the MS FUD on "Passport Security".
