Bugtraq mailing list archives

ZoneEdit Account Hijack Vulnerability


From: "[secondmotion]-Matt Thompson" <matt () secondmotion com>
Date: Tue, 5 Nov 2002 14:15:30 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
secondmotion-SM-SA-02-02                            Security Advisory
=====================================================================
Topic: ZoneEdit Account Hijack Vulnerability
Announced: 2002-11-05
Updated: 2002-11-05
Tested on: http://www.zoneedit.com Accounts
Not affected: 
Obsoletes: 
http://www.secondmotion.com
=====================================================================

This advisory is based on legitimate use of a ZoneEdit account, during
which time the vulnerability detailed below was discovered.  This
document is subject to change without prior notice.

The webmasters of this site were informed of this vulnerability on
05 November 2002.  To date, no usable information on protecting
against this vulnerability has been received.

If anyone reading this is aware of any further information relating
to this vulnerability, please contact the authors below or report
via BugTraq.



I. Background

        While designing a dynamic DNS client to work with ZoneEdit's
        control panel, to be used with one of our domains so that the
        public could have free dynamic DNS hostnames, we noticed the bug
        in the eMail forward section of the ZoneEdit control panel.


II. Problem Description

        Anyone holding an account on the ZoneEdit server (which is free)
        can, once logged in, supply the Authorization section of the
        HTTP header and thereby reach the protected section of the site.
        Such a user can then issue a malformed command that will edit
        web/eMail forwards or delete eMail forwards belonging to other
        accounts. Because the command is keyed on the ID value in the
        ZoneEdit database, a user is unable to simply select a domain to
        edit - the user needs to guess an ID.  Whilst this is less
        serious than if the ID of a target domain were known, the
        vulnerability can still be exploited against arbitrary accounts.


III. Impact

        ZoneEdit hosts the DNS records for a considerable number of
        domains. If an individual or group were to write an automated
        tool that modified every ID value in the database, then
        thousands of websites could be maliciously forwarded elsewhere
        and eMail could be redirected to an alternative mailbox, which
        would allow the attacker to read private eMails.


IV. Solution

        We cannot be certain of a solution at this time since we do
        not have access to the source code of the ZoneEdit control
        panel. The IP address section of the control panel seems to
        be protected from the vulnerability, so it is possible that
        the developers omitted the same protection from the webforward
        and eMail forward sections. We strongly recommend the scripts
        are reviewed ASAP to ascertain why some scripts are protected
        and some are not.  Also, each page should check against the
        database that the account being used is actually allowed to
        access the record it is acting on, before any of the page/code
        is executed.
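        The check recommended above is an object-level authorization
        check: being logged in is not the same as owning the record
        whose ID appears in the request. The Python below is an added
        illustration written for this archive, not ZoneEdit's code
        (which the advisory withholds), and serves sections II and IV.
        The account names, session tokens, domains and forward IDs are
        constructed sample data; the two handlers are hypothetical
        stand-ins for the control panel's eMail/web forward scripts.

```python
"""
Object-level authorization for per-ID control-panel actions.

Added example, not ZoneEdit's code. It models the flaw described in the
advisory: a handler that edits a forwarding record purely by its database
ID, using the HTTP Authorization header only to decide "is someone logged
in", never "does this account own record N". The hardened handler resolves
the record through the caller's own account before touching it.
All accounts, sessions, domains and records below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Forward:
    id: int
    domain: str
    owner: str    # account name that owns the domain
    target: str   # where mail/web traffic is currently forwarded


def sample_db():
    """Constructed database: two accounts, three forwarding records."""
    return {
        101: Forward(101, "alice-example.test", "alice", "mail.alice.test"),
        102: Forward(102, "bob-example.test", "bob", "mail.bob.test"),
        103: Forward(103, "bob-shop.test", "bob", "shop.bob.test"),
    }


# Constructed session table: Authorization header value -> account name.
SESSIONS = {"token-alice": "alice", "token-bob": "bob"}


class Unauthorized(Exception):
    """No valid session: the caller is not logged in at all."""


class Forbidden(Exception):
    """Valid session, but the record is not the caller's to modify."""


def authenticate(headers):
    """The check the advisory says already exists: is the caller logged in?"""
    token = headers.get("Authorization", "")
    if token not in SESSIONS:
        raise Unauthorized("missing or invalid Authorization header")
    return SESSIONS[token]


def edit_forward_vulnerable(db, headers, forward_id, new_target):
    """Pattern the advisory describes: any logged-in account can reach any ID."""
    authenticate(headers)                 # login is verified ...
    record = db[forward_id]               # ... but ownership of the ID is not
    record.target = new_target
    return record


def edit_forward_hardened(db, headers, forward_id, new_target):
    """Section IV's recommendation: verify ownership before any modification."""
    account = authenticate(headers)
    record = db.get(forward_id)
    # A missing ID and a foreign ID produce the same error, so a caller
    # cannot tell valid IDs from invalid ones by probing the responses.
    if record is None or record.owner != account:
        raise Forbidden(f"account {account!r} may not modify forward {forward_id}")
    record.target = new_target
    return record


def is_forbidden(handler, *args):
    """Helper for checks: True if the handler refuses with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = {"Authorization": "token-alice"}
    db = sample_db()
    hijacked = edit_forward_vulnerable(db, alice, 102, "attacker-controlled.test")
    print("vulnerable handler let", "alice", "modify a record owned by", hijacked.owner)
    db = sample_db()
    print("hardened handler refused:", is_forbidden(edit_forward_hardened, db, alice, 102, "x"))
    print("hardened handler allowed own record:",
          edit_forward_hardened(db, alice, 101, "new.alice.test").target)
```

        The important property is that the hardened handler never loads
        the record by ID alone; it always pairs the ID with the
        authenticated account and fails closed when the pair does not
        match, which is the per-page database check section IV asks for.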


V. Contact & Credits

        matt () secondmotion com - Matt Thompson [Proof of Concept]
        paul () secondmotion com - Paul Smurthwaite


VI. Source code

        Source code has not been published for security reasons, as
        the problem lies on a single server which controls the DNS of
        many other web sites, and publication would result in a mass
        attack.

        A Proof of Concept tool can be provided at short notice on request.


=====================================================================
- -ends-


Matt Thompson

- ----
DISCLAIMER & INFORMATION: This e-mail may contain proprietary
information, some or all of which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission
error has misdirected this e-mail, please notify the author by
replying to this e-mail. If you are not the intended recipient you
must NOT use, disclose, distribute, copy, print, or rely on this
e-mail.

Any and all file attachments to this message are scanned at source
for viruses.  This organisation has a strict policy on the
transmission of viruses and will not accept ANY excuse for the
receipt of viruses here, as a result of which, any message found to
contain viruses will be deleted at this mail server WITHOUT being
read.  Persistent offenders will be banned from sending email to this
domain.

All messages sent from this domain and its specific accounts are
digitally signed using our public PGP keys.  This is your guarantee
that the email you have received actually originated from our domain.
 More information on PGP can be found at http://www.pgp.com
- ---- 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPcfSgRqqCKK1Qd1fEQJvjgCdF8mRaud98hPg6wq0u6CJ2eP+yaYAoKM4
kjPodOWrcGoGBN2GmBHLqqRN
=y0B0
-----END PGP SIGNATURE-----

