Wed, November 01, 2000

www stoev org



SUMMARY



Hotmail can act as email size amplifier with a factor of at least 1000,

allowing flooding and mail-bombing a victim while using a negligible amount

of your own bandwidth. If it were a smurf-like amplificaton, Hotmail will be

No. 5 in the ranks smurf amlifiers.



DESCRIPTION



An issue exists in the way Hotmail handles the "attfile" hidden form field

on their Compose Message form. Normally, this form field contains

information on the attachments that are to be sent with the message being

composed. The problem is that it is possible for this form field to

reference one and the same attachment several times, which will make Hotmail

send this attachment as many times as desired with the outgoing mail.



The amplification occurs because the attachment is actually uploaded only

once, while Hotmail sends it several times to the end recepient (victim).

You can have a 22k attachment mailed 1000 (one thousand) times to the

receiver in a single email. You only loose about 100 K of bandwidth total,

while the victimized person needs to loose 22 MB of incoming bandwidth to

receive the message (and Hotmail  needs to waste at least as much to send

it).



STATUS



Secure@microsoft.com was informed about the issue on Sun, 29 Oct 2000

23:42:43 +0200 and, on Tue, 31 Oct 2000 18:18:31 -0800, they replied as

follows:



"Wanted to let you know that we were able to reproduce the problem you

reported.  The Hotmail Security Team has identified the changes that are

needed, and is implementing the change even as we speak.  New system

software is loaded every two weeks, and the next scheduled update is 14

November.  We'll make sure that the change is included in that update."



I interpreted this reply as a sign that they do not consider this issue a

serious one, so I decided to disclose it.  Please flame me if I am wrong.



A proof-of-concept (both a bomb and the code) is available upon request from

properly identified (corporate) parties.



FIX



It seems that there will be no fix until November 14, apart from filtering.



Vendors of other web-based email systems and web-to-smtp gateways are hereby

advised to check their mail-sending and attachment-uploading code for

allowing an attachment uploaded only once to be mailed several times. The

following free email providers have been found not vulnerable: iname.com,

dir.bg, abv.bg. The following email providers are still under investigation,

but appear not vulnerable: yahoo.com, netaddress.com.



CONCLUSION



Never, ever think that simply because something is hidden deeply behind your

SSL-secured sever, your login form, your dynamic URLs, your redirects, your

referer checks, your hidden form fields, and your cookies, it is safe and

nobody will reach it. Hotmail has *all* of those and it did not help. The

exploit code makes a total of 5 GET a five 5 POST requests across several

domains with several cookies, including one file upload and one SSL

connection, not to mention the redirects, but still gets to the point.



In fact, no code is the strict sense of the word is needed. There are

publicly available tools to do most of the dirty work, or you can modify

your proxy server for the purpose. Or simply use netcat.