[ SOURCE: http://www.secureroot.com/security/advisories/9735787183.html ]

Wed, November 01, 2000
www.stoev.org

SUMMARY

Hotmail can act as an email size amplifier with a factor of at least 1000, allowing flooding and mail-bombing of a victim while using a negligible amount of your own bandwidth. If this were a smurf-like amplification, Hotmail would be No. 5 in the ranks of smurf amplifiers.

DESCRIPTION

An issue exists in the way Hotmail handles the "attfile" hidden form field on its Compose Message form. Normally, this form field contains information on the attachments that are to be sent with the message being composed. The problem is that this form field can reference one and the same attachment several times, which makes Hotmail send that attachment as many times as desired with the outgoing mail.

The amplification occurs because the attachment is actually uploaded only once, while Hotmail sends it several times to the end recipient (victim). You can have a 22k attachment mailed 1000 (one thousand) times to the receiver in a single email. You only lose about 100 K of bandwidth in total, while the victimized person has to lose 22 MB of incoming bandwidth to receive the message (and Hotmail needs to waste at least as much to send it).

STATUS

Secure@microsoft.com was informed about the issue on Sun, 29 Oct 2000 23:42:43 +0200 and, on Tue, 31 Oct 2000 18:18:31 -0800, they replied as follows:

"Wanted to let you know that we were able to reproduce the problem you reported. The Hotmail Security Team has identified the changes that are needed, and is implementing the change even as we speak. New system software is loaded every two weeks, and the next scheduled update is 14 November. We'll make sure that the change is included in that update."

I interpreted this reply as a sign that they do not consider this issue a serious one, so I decided to disclose it. Please flame me if I am wrong.
A proof-of-concept (both a bomb and the code) is available upon request from properly identified (corporate) parties.

FIX

It seems that there will be no fix until November 14, apart from filtering. Vendors of other web-based email systems and web-to-SMTP gateways are hereby advised to check their mail-sending and attachment-uploading code for allowing an attachment uploaded only once to be mailed several times.

The following free email providers have been found not vulnerable: iname.com, dir.bg, abv.bg. The following email providers are still under investigation, but appear not vulnerable: yahoo.com, netaddress.com.

CONCLUSION

Never, ever think that simply because something is hidden deeply behind your SSL-secured server, your login form, your dynamic URLs, your redirects, your referer checks, your hidden form fields, and your cookies, it is safe and nobody will reach it. Hotmail has *all* of those and it did not help. The exploit code makes a total of 5 GET and 5 POST requests across several domains with several cookies, including one file upload and one SSL connection, not to mention the redirects, but still gets to the point. In fact, no code in the strict sense of the word is needed. There are publicly available tools to do most of the dirty work, or you can modify your proxy server for the purpose. Or simply use netcat.
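The check the FIX section asks web-mail vendors to perform, as an added illustration that is not part of the original advisory and is not Hotmail's code: the compose handler resolves the client-supplied "attfile" references against its own server-side upload store and rejects duplicate references, unknown references and oversized totals, so outgoing bytes can never be a large multiple of uploaded bytes. The class names, the session store and the 22 KB sample upload are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Upload:
    """An attachment the user actually uploaded in this compose session."""
    ref: str
    size: int  # bytes received from the client


@dataclass
class ComposeResult:
    ok: bool
    reason: str = ""
    attachments: list = field(default_factory=list)
    outgoing_bytes: int = 0


def validate_attfile(attfile, uploads, max_outgoing=10 * 1024 * 1024):
    """Resolve the client-supplied attachment references (the 'attfile' field)
    against the server-side upload store. Rejects unknown references,
    duplicate references and messages whose total outgoing size would exceed
    a hard cap, so the bytes the server sends out can never be a large
    multiple of the bytes the client actually uploaded."""
    seen = set()
    resolved = []
    total = 0
    for ref in attfile:
        if ref not in uploads:
            return ComposeResult(False, f"unknown attachment reference: {ref}")
        if ref in seen:
            return ComposeResult(False, f"attachment referenced more than once: {ref}")
        seen.add(ref)
        up = uploads[ref]
        total += up.size
        if total > max_outgoing:
            return ComposeResult(False, "message exceeds outgoing size limit")
        resolved.append(up)
    return ComposeResult(True, "", resolved, total)


# Constructed compose session: one 22 KB upload, as in the advisory's figures.
SESSION_UPLOADS = {"att1": Upload("att1", 22 * 1024)}
# Constructed attfile submission that repeats the same reference 1000 times.
AMPLIFIED_ATTFILE = ["att1"] * 1000
```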