MSN Messenger Hijacking

Security bulletin by Tom Gilder and Thor Larholm
Published February 9th 2002

Please Note: this exploit no longer works. Microsoft has patched the vulnerability affecting IE; get the fix from Windows Update. Keep an eye on the unpatched IE security holes page for more problems though.

Some privacy problems in MSN Messenger have recently been reported. However, these problems pale in comparison to what can be done if you use MSN Messenger through unpatched IE vulnerabilities. Using these, a malicious programmer can easily hijack the MSN Messenger client from a user, allowing him/her (among other things) to silently and automatically read their contact list (harvesting email addresses) and to impersonate the user by sending arbitrary messages, email or local files to anyone.

The victim would be unaware of any such action, and the malicious programmer would in practice be impersonating the victim towards the MSN Messenger client, allowing him/her to do anything with MSN Messenger that the victim would normally be able to do.

For an example of how this can be exploited, visit the hijacking demonstration page. Please note: antivirus programs have started detecting this demonstration as a worm (JS.Menger.Worm), which some idiot script kiddies have created from our demo code. Our code does NOT do anything malicious or send any messages without clearly asking first. We do not support this worm or any malicious code. We do not hold any responsibility for the actions of other people.

To summarize, this is not made possible by a bug in the MSN Messenger client. This vulnerability is made possible by the "document.open" bug discovered by The Pull, which has been left unpatched for nearly two months now - see the SecurityFocus page for more information.

However, this would never have been an issue if the MSN Messenger client had incorporated some other kind of authentication than DNS information.

This example has been made public to put pressure on MS to patch vulnerabilities that they are fully aware of.

Many more unpatched vulnerabilities currently exist in IE - for a full list see http://jscript.dk/unpatched/.

If you do not use MSN regularly and wish to protect yourself against websites sending messages as you, simply disable automatic login (Tools Menu > Options > Accounts Tab, delete the password and hit OK). If you wish to keep using MSN, you can disable active scripting or scripting of ActiveX controls in IE's security settings (Tools > Options > Security > Custom Level). 3rd party programs that connect to MSN are not affected by this - as long as MSN is not set to automatically sign in.
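To check whether the IE setting change above is actually in effect, here is an added audit script (PowerShell; not part of the original bulletin). It assumes the standard IE zone registry layout, the value names 1400 (Active scripting) and 1405 (Script ActiveX controls marked safe for scripting), and that only an explicit Disable value of 3 stops a web page from scripting the control.

```powershell
# Added example, not code from the original bulletin: audits the two IE
# Internet-zone (zone 3) settings the bulletin recommends disabling.
# Assumes the standard IE zone registry layout (value names 1400 = Active
# scripting, 1405 = Script ActiveX controls marked safe for scripting;
# data 0 = Enable, 1 = Prompt, 3 = Disable). A machine-wide policy under
# HKLM can override the per-user HKCU value, so both hives are reported.

function Get-IeInternetZoneScriptingState {
    $hives  = @('HKCU', 'HKLM')
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $checks = [ordered]@{
        '1400' = 'Active scripting'
        '1405' = 'Script ActiveX controls marked safe for scripting'
    }
    $labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

    foreach ($hive in $hives) {
        $path = "${hive}:\$subKey"
        if (-not (Test-Path $path)) { continue }   # hive has no zone key (e.g. no HKLM policy)
        $props = Get-ItemProperty -Path $path
        foreach ($name in $checks.Keys) {
            $raw = $props.$name
            if ($null -eq $raw) {
                $state = 'not set'                 # IE falls back to its built-in default
            } elseif ($labels.ContainsKey([int]$raw)) {
                $state = $labels[[int]$raw]
            } else {
                $state = "unknown ($raw)"
            }
            [pscustomobject]@{
                Hive      = $hive
                Value     = $name
                Setting   = $checks[$name]
                State     = $state
                # Only an explicit Disable (3) blocks a web page from scripting the control;
                # Prompt still lets the user click through, and "not set" means Enable by default.
                Mitigated = ($raw -eq 3)
            }
        }
    }
}

Get-IeInternetZoneScriptingState | Format-Table -AutoSize
```

Zone 3 is the Internet zone; a page served from a host in Local Intranet or Trusted Sites falls under zone key 1 or 2, which carries its own copy of these settings and is not covered by this check.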

This exploit has so far been confirmed to work on:

It is so far believed to be working in any version of the MSN Messenger client on any Windows version (all other OSes are unaffected), though this remains unconfirmed due to a lack of varied test configurations.


Copyright © 2002 Tom Gilder and Thor Larholm. Reprinting and linking allowed.

Thanks to VPWSYS for hosting this.
