MSN MESSENGER HIJACKING

Security bulletin by Tom Gilder and Thor Larholm
Published February 9th 2002
http://tom.me.uk/msn/

Some privacy problems have recently been reported in MSN Messenger (see http://www.securityfocus.com/bid/4028). However, these problems pale in comparison to what can be done if you use MSN Messenger through unpatched IE vulnerabilities. Using these, a malicious programmer can easily hijack the MSN Messenger client from a user, allowing him/her (among other things) to silently and automatically read their contact list (harvesting email addresses) and impersonate the user by sending arbitrary messages, email or local files to anyone.

The victim would be unaware of any such action, and the malicious programmer would in practice be impersonating the victim towards the MSN Messenger client, allowing him/her to do anything with MSN Messenger that the victim would normally be able to. For an example of how this can be exploited, visit the hijacking demonstration page at http://tom.me.uk/msn/demo.html.

To summarize, this is not made possible by a bug in the MSN Messenger client. This vulnerability is made possible by the "document.open" bug discovered by "The Pull" (http://www.osioniusx.com/), which has been left unpatched for nearly two months now - see the SecurityFocus page at http://www.securityfocus.com/bid/3721 for more information. However, this would never have been an issue if the MSN Messenger client had used some form of authentication other than DNS information.

This example has been made public to put pressure on MS to patch vulnerabilities that they are fully aware of. Many more unpatched vulnerabilities currently exist in IE - for a full list see http://jscript.dk/unpatched/.
This exploit has so far been confirmed to work on:

* Windows 98 SE with IE6 final (fully patched as of Feb 9) and MSN Messenger 4.6.0073
* Windows 98 SE with IE6 final and MSN Messenger 3.6.0024
* Windows ME with IE6 final (fully patched as of Feb 9) and MSN Messenger 4.5.0127
* Windows 2000 with IE6 final (fully patched as of Feb 9) and MSN Messenger 4.6.0071
* Windows 2000 with IE5.5 and MSN Messenger 4.6.00.73

It is so far believed to work in any version of the MSN Messenger client on any OS, though this remains unconfirmed due to a lack of varied test configurations.

HANDY LINKS:

List of unpatched IE6 vulnerabilities - http://jscript.dk/unpatched/
MSN Messenger - http://messenger.msn.com/
Hijacking demonstration page - http://tom.me.uk/msn/demo.html
Microsoft Internet Explorer - http://www.microsoft.com/windows/ie/default.asp
SecurityFocus - http://www.securityfocus.com/
The Pull - http://www.osioniusx.com/
Microsoft Recalls Botched Browser Security Patch - http://www.newsbytes.com/news/02/174365.html
Microsoft works to fix MSN privacy flaw - http://news.com.com/2100-1001-833154.html
document.open bug on SecurityFocus - http://www.securityfocus.com/bid/3721
MSN Messenger privacy problems on SecurityFocus - http://www.securityfocus.com/bid/4028

--
Tom Gilder
tom@tom.me.uk