Bugtraq mailing list archives

Multiple vulnerabilities with Outblaze-based e-mail providers


From: sozni () USA NET (.sozni)
Date: Wed, 23 Feb 2000 08:02:58 MST


Alert:  Multiple vulnerabilities with Outblaze-based e-mail providers
Date:   February 16, 2000
Author: .sozni

Overview
----------------------------
Because the authentication string is carried in the URL after logging in to a
mailbox, Outblaze-powered e-mail accounts are left vulnerable to unauthorized
access.  Anyone who discovers that string before the login session expires can
gain full access to the corresponding Outblaze-powered e-mail account.  By
including HTML tags in an e-mail message, one can easily obtain the
authorization string for a login session.  HTML can also be embedded within a
subject so that the victim need not even view the e-mail to be vulnerable.
Hijacked login sessions are not recorded in the login history.

Outblaze-powered e-mail servers are also vulnerable to embedded Javascript and
cross-site scripting exploits in both the message body as well as the message
subject.

Description:
----------------------------
I was recently setting up an e-mail account with one of the many free e-mail
providers.  After creating my account and logging in, the URL in the address
bar caught my eye.  The URL was as follows:
http://www.TheFreeProviderIused.org/scripts/common/outblaze.main?welcome&sozni&aaWaFwF60aqFc

The first parameter was obviously my login, but the second parameter looked
suspiciously like a DES-encrypted password.  At first I determined that
passing the password hash over the wire isn't really the most secure way of
authenticating.  However, it's still better than basic HTTP authentication.
But after thinking about it a bit I realized that since my password was part
of the URL, it was also going to show up in my internet cache and history as
well as any proxy server logs I use along the way.  All someone would have to
do is copy the URL and then run it through something like John the Ripper.

So I created a text file containing the text "sozni:aaWaFwF60aqFc", added my
password to my wordlist (otherwise it would take 3 months to crack it), then
ran John the Ripper on it.  As I sat there staring at a blank DOS prompt, I
suspected that I was wrong in my suspicion.  Surely, John should have cracked
it by now.  But then something occurred to me.  Whatever that encrypted string
was, it must be some sort of authentication.  And since it was actually part
of the URL, I really didn't have to know what it was; all I really had to do
was just send it exactly as it was.  So I closed all my browser sessions,
deleted all my cookies, and then pasted the URL I saved into a new browser
window.  Sure enough, I was dropped to my inbox without having to log on.  So I
went over to another PC, fired up the browser, pasted the URL and once again I
was at my inbox--no login prompt at all.  Just to double-check, I had a friend
from Europe try the URL and he too was dropped into my inbox.

So at this point I see that we have a big problem.  Anyone who has access to
my browser history or cache, has access to any proxy server logs, or who
sniffs somewhere on my wire will be able to get into my e-mail account.  And
although that is a big risk, I still have a little comfort in knowing that
anyone who would be in any of those positions I could presumably trust not to
read my e-mail, right?

However, it does get worse.  I wondered what would happen if I sent myself an
HTML e-mail that included a link to my web site.  I sent myself such an
e-mail, then checked my Outblaze-powered inbox and followed the link on the
message.  A quick look at my server logs revealed that the HTTP_REFERER
variable contained a URL similar to the one I showed above.  In other words, a
login and authentication string to get into my inbox.  The bottom line here is
that if you send someone an e-mail with a link to a site where you track
HTTP_REFERER, you can get into as many mailboxes as you want.

The issue here is that Outblaze doesn't seem to keep track of sessions via
cookies, nor does it use HTTP authentication.  Therefore anyone with a valid
URL that contains the correct login information can connect directly to your
inbox.  With Outblaze claiming at least 3.5 million users, this is a very
serious issue.

The scary thing is that you don't even need to send Javascript or really even
HTML to get this to work.  Outblaze will conveniently convert any URL in your
text message to clickable hotlinks for you.  All you really need to do is
create some sort of hyperlink that someone would want to click on.  With a
little creativity, that isn't that difficult.  In fact, if you do want to use
HTML, they really don't have to click on anything at all.  You could simply
put the link back to your site as an IMG SRC tag.  So even if you have
Javascript disabled in your browser, just viewing a malicious e-mail can give
anyone full access to your account.

And of course, they don't filter out Javascript so if you really want to get
tricky you can embed some script and do all sorts of fancy things.  Cross-site
scripting comes to mind here.

But, it gets much worse.  You don't even have to view the e-mail message to be
vulnerable.  A properly constructed subject line with the appropriate HTML
tags can give someone access to your account without you even reading their
e-mail.  All you have to do is look at your inbox.  Normally, if you get an
e-mail you don't trust, you can just delete it without reading it.  But in
this case, just having the message in your inbox is enough.  And if you do see
a message with a malicious subject in your inbox, it's already too late.  I
must say that it is pretty cool to be able to put a picture and hyperlinks in
the subject of your e-mail, but that capability moves this threat from serious
to critical.

Now in testing all of this, I was relieved to see that Outblaze has an
impressive feature that shows the details of your previous login on your
welcome page.  And if you click on it, you can view a complete login history
for your account.  I thought that although there is this big vulnerability,
you would at least know if an intruder had been in your inbox.  However, after
close inspection, I realized that when you hijack an existing session, the
access is never logged at all.  The log entry seems to be created by the login
authentication script, and since we are bypassing the login script our
connection is never logged.  The result is that not only do we not know of an
intrusion, but we have a false sense of security because all we see in the
login history is our own IP address.
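Since the login history only records the login script, the place a hijacked session can still be seen is the web server's access log, where every request carrying the URL-borne authentication string appears together with the client address.  The following added example (not part of the advisory, and not Outblaze's tooling) shows the two things an operator of such a service would want: a check that flags an authentication string used from more than one client address, and a redaction step so the string is not stored in the logs in the first place.  The log lines are constructed for the example in Apache common log format, and the `outblaze.main?action&user&token` URL shape is taken from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache "common" format). The URL shape follows
# the advisory: the login and the auth string are the 2nd and 3rd parameters.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Feb/2000:10:01:12 -0700] "GET /scripts/common/outblaze.main?welcome&sozni&aaWaFwF60aqFc HTTP/1.0" 200 5120
10.0.0.5 - - [16/Feb/2000:10:02:40 -0700] "GET /scripts/common/outblaze.main?inbox&sozni&aaWaFwF60aqFc HTTP/1.0" 200 7710
192.0.2.77 - - [16/Feb/2000:11:15:03 -0700] "GET /scripts/common/outblaze.main?inbox&sozni&aaWaFwF60aqFc HTTP/1.0" 200 7710
10.0.0.9 - - [16/Feb/2000:11:20:55 -0700] "GET /scripts/common/outblaze.main?welcome&alice&bbXYZ123abcDE HTTP/1.0" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
URL_RE = re.compile(
    r'outblaze\.main\?(?P<action>[^&\s]*)&(?P<user>[^&\s]*)&(?P<token>[^&\s"]*)'
)


def parse_line(line: str):
    """Return the fields of one request that carries an auth string, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    u = URL_RE.search(m.group("path"))
    if not u:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "action": u.group("action"),
        "user": u.group("user"),
        "token": u.group("token"),
    }


def find_shared_tokens(log_text: str):
    """Map (user, token) -> sorted client IPs for every auth string that was
    presented from more than one address. A hijacked session shows up here
    even though the login history never records it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[(rec["user"], rec["token"])].add(rec["ip"])
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}


def redact_token(line: str) -> str:
    """Replace the auth string with a fixed marker before the line is written
    to disk, so log readers (and proxy operators) do not obtain live sessions."""
    return URL_RE.sub(
        lambda m: f"outblaze.main?{m.group('action')}&{m.group('user')}&[REDACTED]",
        line,
    )


if __name__ == "__main__":
    for (user, token), ips in find_shared_tokens(SAMPLE_LOG).items():
        print(f"{user}: auth string {token[:4]}... used from {', '.join(ips)}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_token(line))
```

The multiple-address check is a heuristic, not proof: the advisory itself notes that logging in from two browsers yields the same string, so a user on two machines (as in the author's own test) trips it as well.  It is still the only record that exists of a session used outside the login script, which is why redaction and a cookie-based session design are the real answer rather than this check alone.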

A note on the encrypted string in the URL: I didn't really do much research on
it at all because I really didn't even have to know what it represented.  I
did notice, however, that it changes each time you login to your account.
Therefore, rather than being an encrypted password or a password hash, it is
more likely some sort of session authentication.  As far as I can tell, it is
a function of the username and the time.  I couldn't use the same string for
another inbox, but if I logged into one account simultaneously from two
different browsers I got the same string.  I also know that a login string is
valid until it times out.  I am not sure exactly what the timeout is, but I
know that it lasts at least a few hours but not more than a day.

Wise people learn from the mistakes of others, but when it comes to internet
security, we keep seeing the same mistakes being made over and over and over.
As soon as someone comes out with a new internet server daemon, the first
thing we do is try to overflow it.  And usually we are successful.  When a new
web server comes out the first thing we do is try to traverse outside the
webroot.  And again usually we are successful.  Microsoft has already been
through all this stuff with Hotmail, and yet Outblaze is now suffering from
the very same problems.  Is it Microsoft's fault for not sharing their wisdom
or is it Outblaze's fault for not learning from the mistakes of others?

Some of you may think that getting into someone's e-mail account is no big
deal, but looking at my own inbox I realized that most of the messages that I
save usually contain passwords for other systems, confirmation of credit card
orders, or registration codes for software I have purchased.  In fact, the
only reason I ever do save something is because it contains something
important.  Needless to say, it was a wakeup call for myself that until we
make some great progress in internet security, we should consider our Inbox
Public_HTML.

The Fix
----------------------------
Really, there is no fix until Outblaze changes their method for
authentication.  You can disable Javascript, which will protect you some, but
someone can still easily get access to your account.  You can make sure you
don't save sensitive messages on public servers.  Oh, and you could use a
text-based web browser to access your account, such as Lynx or even Sam Spade.
Finally, you could unplug your computer and not use the internet at all.
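What "changing the method for authentication" looks like in practice is the design the advisory contrasts Outblaze with: the session identifier lives in a cookie, never in the URL, so it reaches neither browser history, caches, proxy logs, nor the Referer header of an outbound link, and every use of the session is recorded, not only the login.  The following is an added example written for this page, not Outblaze's code or the advisory's; the in-memory session store, the one-hour lifetime, and the cookie attributes `HttpOnly`, `Secure` and `SameSite` plus the `Referrer-Policy` header (all later browser features, not available in 2000) are assumptions of the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# In-memory session store: token -> record. Constructed for this example; a
# real deployment would keep the same fields in a shared store.
SESSIONS = {}
SESSION_TTL = 3600  # seconds; assumed lifetime for the example


def login(username: str, client_ip: str, now: float = None):
    """Issue a fresh session id and return (token, response headers).
    The id is sent only as a cookie, so it does not appear in the URL that
    ends up in caches, proxy logs, history, or the Referer of outbound links."""
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)  # unguessable, unrelated to the password
    SESSIONS[token] = {
        "user": username,
        "created": now,
        "expires": now + SESSION_TTL,
        "uses": [(now, client_ip)],  # every use is recorded, not just the login
    }
    cookie = SimpleCookie()
    cookie["sid"] = token
    cookie["sid"]["httponly"] = True   # not readable by script in the page
    cookie["sid"]["secure"] = True     # never sent over plain HTTP
    cookie["sid"]["samesite"] = "Lax"  # not attached to cross-site subrequests
    cookie["sid"]["path"] = "/"
    headers = [
        ("Set-Cookie", cookie.output(header="").strip()),
        # Belt and braces: even the (token-free) page URL is not sent on outbound links.
        ("Referrer-Policy", "no-referrer"),
    ]
    return token, headers


def authenticate(request_headers: dict, client_ip: str, now: float = None):
    """Resolve the user for a request from its Cookie header only. Nothing in
    the query string is consulted, so a pasted URL carries no authority."""
    if now is None:
        now = time.time()
    cookie = SimpleCookie(request_headers.get("Cookie", ""))
    if "sid" not in cookie:
        return None
    rec = SESSIONS.get(cookie["sid"].value)
    if rec is None or now > rec["expires"]:
        return None
    rec["uses"].append((now, client_ip))
    return rec["user"]


def access_history(token: str):
    """Every (timestamp, client_ip) use of the session, including uses that
    never passed through the login form, which is the gap the advisory found."""
    return list(SESSIONS[token]["uses"])


if __name__ == "__main__":
    tok, hdrs = login("sozni", "10.0.0.5")
    print(dict(hdrs)["Set-Cookie"])
    print(authenticate({"Cookie": f"sid={tok}"}, "10.0.0.5"))
    print(authenticate({}, "192.0.2.77"))  # URL alone, no cookie: None
    print(access_history(tok))
```

With this shape, the string the author pasted into a second browser would be useless on its own, and the second machine's access would appear in the account's history alongside the login.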

Vulnerable Providers
----------------------------
Here is a partial listing of Outblaze-powered servers, but searching for
"Powered by Outblaze" on an internet search engine would reveal more:

Amuro.net         joinme.com           startvclub.com         
boardermail.com   jpopmail.com         surfy.net              
bsdmail.com       keromail.com         taiwan.com             
dbzmail.com       kittymail.com        uumedia.com            
doramail.com      mailasia.com         uymail.com             
fastermail.com    mailpokemon.com      webcity.ca             
gigileung.org     marchmail.com        windrivers.net         
glay.org          norikomail.com       wongfaye.com           
grabmail.com      otakumail.com        yyhmail.com            
graffiti.net      outblaze.net         linuxmail.org
gravity.com.au    outblaze.org         
hackermail.com    pokemonpost.com      
i-p.com           pokepost.com         
isleuthmail.com   samilan.net          
jaydemail.com     searcheuropemail.com 

At this time, Outblaze has been informed of the problem and (I hope) is
working to solve it.  It is important to note that Outblaze is not the only
company vulnerable to this type of attack.  I have seen hundreds of sites that
use similar authentication methods that would be just as vulnerable.

.sozni
sozni () usa net

Copyright (C)2000 by .sozni, all rights reserved.  Permission is hereby
granted to copy or redistribute this advisory unmodified and in its entirety.
