2nd Apr 2002 [SBWID-5224]
COMMAND
MSN Chat cross site scripting allows passport cookie access
SYSTEMS AFFECTED
All Microsoft "Passport" based systems
PROBLEM
John Heasman [john.heasman@univ.ox.ac.uk] revealed:
--snipp--
Here are two cross scripting situations. Unicode is used to pass
certain characters; converting the whole cross script part to unicode
further obfuscates the URL making it easier to trick a user into
clicking it.
http://chat.msn.com/chatroom.msnw?rm=%3Cscript%3Ealert(document.cookie)%3B%3C%2Fscript%3E
Note: A URL similar to the one above may be obtained by using the form
on http://chat.msn.com/create.msnw to create a room. The form provides
some basic client-side validation to check for illegal characters (<
and >). This advisory goes to show the client-side checking has very
little purpose (IMHO).
http://chat.msn.com/invite.msnw?hexUserName=%3Cscript%3Ealert(document.cookie)%3B%3C%5c%2Fscript%3E&hexnick=AAAAA&InvitationCode=123456789&mode=2
Note: As this string appears in quotes I have had to escape the / in
script tag.
The implication of the two URLs above is that passport cookies in the
msn.com domain can be stolen by tricking a user into visiting a
malicious webpage. This can be achieved easily since the MSN chat
control conveniently creates a clickable link when it detects the
string http://.
The first URL has a limit on the number of characters that can be
present in the cross script, since it represents the name of a chat
room the victim supposedly wishes to join. The chat control will throw
an error about illegal characters in the chat room name if the page is
allowed to load fully (better to put a window.location="about::"; at
the end of the cross script if you have room). The second URL has no
such limitation.
Let us now discuss the implications for MSN Chat. The above URLs enable
an attacker to impersonate another user on the chat service and alter
his/her nickname and profile. The three cookies that are of interest
are:
MSPProf (Profile information)
MSPAuth (Authentication information)
MSNChatNN (Nickname)
It is possible for an attacker only to use the victim's MSNChatNN,
thus stealing his nickname, but not his identity as such. Some chat
room operators use non-MSN clients to allow use of more advanced IRCX
commands, e.g. the ACCESS command to auto-host depending on
nickname/identity etc. Obviously this is not a good idea in light of
this bug.
--snapp--
SOLUTION
The chat.msn.com web site itself must be patched: the rm and hexUserName
parameters have to be encoded for the context in which they are echoed
(HTML-encoded when written into the page) before being reflected. The
client-side check on the create.msnw form offers no protection, since the
attacker hands the victim a finished URL that never passes through the form.