Bugtraq mailing list archives

[phiphi-01-10-00] Hotmail can act as email amplifier


From: Philip Stoev <philip () EINET BG>
Date: Wed, 1 Nov 2000 11:16:36 +0200

Wed, November 01, 2000
www stoev org

SUMMARY

Hotmail can act as an email size amplifier with a factor of at least 1000,
allowing flooding and mail-bombing of a victim while using a negligible amount
of your own bandwidth. If it were a smurf-like amplification, Hotmail would
rank No. 5 among smurf amplifiers.

DESCRIPTION

An issue exists in the way Hotmail handles the "attfile" hidden form field
on its Compose Message form. Normally, this form field contains
information on the attachments that are to be sent with the message being
composed. The problem is that the field can reference one and the same
attachment several times, and Hotmail will then send that attachment as
many times as it is referenced with the outgoing mail.

The amplification occurs because the attachment is actually uploaded only
once, while Hotmail sends it several times to the end recipient (victim).
You can have a 22k attachment mailed 1000 (one thousand) times to the
receiver in a single email. You only lose about 100 K of bandwidth total,
while the victim needs to lose 22 MB of incoming bandwidth to receive the
message (and Hotmail needs to waste at least as much to send it).

STATUS

Secure () microsoft com was informed about the issue on Sun, 29 Oct 2000
23:42:43 +0200 and, on Tue, 31 Oct 2000 18:18:31 -0800, they replied as
follows:

"Wanted to let you know that we were able to reproduce the problem you
reported.  The Hotmail Security Team has identified the changes that are
needed, and is implementing the change even as we speak.  New system
software is loaded every two weeks, and the next scheduled update is 14
November.  We'll make sure that the change is included in that update."

I interpreted this reply as a sign that they do not consider this issue a
serious one, so I decided to disclose it.  Please flame me if I am wrong.

A proof-of-concept (both a bomb and the code) is available upon request from
properly identified (corporate) parties.

FIX

It seems that there will be no fix until November 14, apart from filtering.

Vendors of other web-based email systems and web-to-SMTP gateways are hereby
advised to check whether their mail-sending and attachment-uploading code
allows an attachment uploaded only once to be mailed several times. The
following free email providers have been found not vulnerable: iname.com,
dir.bg, abv.bg. The following email providers are still under investigation,
but appear not vulnerable: yahoo.com, netaddress.com.
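The following is an added example, not Hotmail's code and not the advisory
author's proof-of-concept. It models the DESCRIPTION above (a hidden attfile
field that names the same upload repeatedly) and the check the FIX section asks
vendors to perform. Only the field name "attfile" comes from the advisory; the
comma-separated id format, the upload store, the limits MAX_ATTACHMENTS and
MAX_MESSAGE_BYTES, and the 22 KB sample blob are assumptions constructed for
the example.

```python
"""Toy web-mail "send" handler: amplification via repeated attfile references,
and a hardened handler that refuses them.  Hypothetical code, not Hotmail's;
the attfile field name comes from the advisory, everything else is assumed."""
from email.message import EmailMessage
from typing import Optional

# Constructed upload store: the sender uploads ONE 22 KB file, stored once.
# Real systems key this by session; a flat dict stands in for that here.
UPLOADS = {"att1": ("blob.bin", b"A" * 22_000)}

MAX_ATTACHMENTS = 10                 # assumed policy limits
MAX_MESSAGE_BYTES = 5 * 1024 * 1024


class AttachmentPolicyError(ValueError):
    """Raised by the hardened handler when the form violates attachment policy."""


def parse_attfile(value: str) -> list[str]:
    """attfile is modeled as a comma-separated list of upload ids (assumption)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def make_form(n_refs: int, to: str = "victim@example.invalid") -> dict:
    """Constructed POST body: the same upload id repeated n_refs times."""
    return {"to": to, "body": "hi", "attfile": ",".join(["att1"] * n_refs)}


def request_bytes(form: dict) -> int:
    """What the sender actually transmits: each referenced blob once, plus the form."""
    ids = set(parse_attfile(form["attfile"]))
    return sum(len(UPLOADS[i][1]) for i in ids) + len(form["attfile"]) + len(form["body"])


def _attach(msg: EmailMessage, att_id: str) -> None:
    name, data = UPLOADS[att_id]
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)


def build_message_vulnerable(form: dict) -> EmailMessage:
    """Honours every reference in attfile, so N references -> N copies on the wire."""
    msg = EmailMessage()
    msg["To"] = form["to"]
    msg.set_content(form["body"])
    for att_id in parse_attfile(form["attfile"]):
        _attach(msg, att_id)
    return msg


def policy_violation(form: dict) -> Optional[str]:
    """Return the reason the form is rejected, or None if it passes.
    Checks run on the stored blobs BEFORE any MIME is built, so the cost of
    a malicious form is bounded by the size of the form itself."""
    ids = parse_attfile(form["attfile"])
    if len(ids) != len(set(ids)):
        return "duplicate attachment reference"
    if any(i not in UPLOADS for i in ids):
        return "unknown attachment id"
    if len(ids) > MAX_ATTACHMENTS:
        return "too many attachments"
    if sum(len(UPLOADS[i][1]) for i in ids) > MAX_MESSAGE_BYTES:
        return "message too large"
    return None


def build_message_hardened(form: dict) -> EmailMessage:
    """Same builder, but only after the form passed the policy checks."""
    reason = policy_violation(form)
    if reason:
        raise AttachmentPolicyError(reason)
    return build_message_vulnerable(form)   # ids are now unique and bounded


def amplification_factor(form: dict) -> float:
    """Bytes the relay would emit per byte the sender actually uploaded."""
    return len(bytes(build_message_vulnerable(form))) / request_bytes(form)


if __name__ == "__main__":
    bomb = make_form(1000)
    print(f"sender spends {request_bytes(bomb)} bytes, "
          f"relay emits x{amplification_factor(bomb):.0f} as much")
    print("hardened handler says:", policy_violation(bomb))
```

The ratio comes out above the factor of 1000 quoted in the SUMMARY because
base64 encoding adds another third on top of the raw duplication. The
important design point is the order of operations in policy_violation: the
duplicate, count and size checks are computed from the already-stored blobs
before a single MIME part is built, so a hostile form costs the server roughly
the size of the form and not the size of the message it would have produced.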

CONCLUSION

Never, ever think that simply because something is hidden deeply behind your
SSL-secured server, your login form, your dynamic URLs, your redirects, your
referer checks, your hidden form fields, and your cookies, it is safe and
nobody will reach it. Hotmail has *all* of those and it did not help. The
exploit code makes a total of 5 GET and 5 POST requests across several
domains with several cookies, including one file upload and one SSL
connection, not to mention the redirects, but still gets to the point.

In fact, no code in the strict sense of the word is needed. There are
publicly available tools to do most of the dirty work, or you can modify
your proxy server for the purpose. Or simply use netcat.
