BugTraq
ZoneEdit Account Hijack Vulnerability Nov 05 2002 02:15PM
[secondmotion]-Matt Thompson (matt secondmotion com)

=====================================================================
secondmotion-SM-SA-02-02 Security Advisory
=====================================================================
Topic: ZoneEdit Account Hijack Vulnerability
Announced: 2002-11-05
Updated: 2002-11-05
Tested on: http://www.zoneedit.com Accounts
Not affected:
Obsoletes:
http://www.secondmotion.com
=====================================================================

This advisory is based on legitimate use of a ZoneEdit account, during
which the vulnerability detailed below was discovered. This document
is subject to change without prior notice.

The webmasters of this site were informed of this vulnerability on
05 November 2002. To date, no usable information on protecting
against this vulnerability has been received.

If anyone reading this is aware of any further information relating
to this vulnerability, please contact the authors below or report
via BugTraq.

I. Background

While designing a dynamic DNS client to work with ZoneEdit's
control panel, intended to give the public free dynamic DNS
hostnames under one of our domains, we noticed the bug in the
eMail forward section of the ZoneEdit control panel.

II. Problem Description

Anyone can hold an account on the ZoneEdit server (registration is
free). Once logged in, a user may reuse the Authorization section of
the HTTP header, which grants access to the protected section of the
control panel. With it, a user can issue a malformed command that
edits web/eMail forwards or deletes eMail forwards. Because the
operation is keyed only on the ID value in the ZoneEdit database,
the user cannot simply select a domain to edit; the user needs to
guess an ID. Whilst this is not as insecure as knowing the ID for a
domain, it is still possible to exploit the vulnerability in an
arbitrary way.

III. Impact:

ZoneEdit hosts the DNS records for a considerable number of
domains. If an individual or group were to write an automated
tool that modifies every ID value in the database, then thousands
of websites could be maliciously forwarded elsewhere and eMail
could be redirected to an alternative mailbox, allowing the
attacker to read private eMails.

IV. Solution

We cannot be certain of a solution at this time since we do not
have access to the source code of the ZoneEdit control panel. The
IP address section of the control panel appears to be protected
from the vulnerability, so it is possible the developers omitted
the security check from the webforward and eMail forward sections.
We strongly recommend the scripts are reviewed ASAP to ascertain
why some scripts are protected and some are not. Also, each page
should check against the database that the account in use is
actually allowed access to the record before any of the page/code
is executed.
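
The per-record ownership check recommended above, shown as an added
example that is not part of the advisory and not ZoneEdit's code. The
table layout, account names and forward IDs are constructed for
illustration; the point is that the hardened handler binds the
record's ID to the authenticated account in the same query, so a
guessed ID belonging to someone else matches nothing.

```python
import sqlite3

# Constructed sample data (assumed schema, not ZoneEdit's): two
# accounts, each owning one eMail-forward record.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, login TEXT UNIQUE);
CREATE TABLE email_forwards (
    id INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    address TEXT NOT NULL,
    destination TEXT NOT NULL
);
INSERT INTO accounts VALUES (1, 'alice'), (2, 'bob');
INSERT INTO email_forwards VALUES
    (101, 1, 'info@alice.example', 'alice@mail.example'),
    (202, 2, 'info@bob.example',   'bob@mail.example');
"""


def open_db():
    """Return a fresh in-memory database populated with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def delete_forward_unchecked(db, forward_id):
    """The pattern the advisory describes: the row is selected by its
    database ID alone, so any logged-in account can remove any ID."""
    cur = db.execute("DELETE FROM email_forwards WHERE id = ?", (forward_id,))
    return cur.rowcount == 1  # True whoever owns the record


def delete_forward_checked(db, account_id, forward_id):
    """Hardened form: ownership is part of the WHERE clause, so the
    DELETE only matches a row that belongs to the authenticated account.
    A wrong or guessed ID is a no-op; the caller should answer 'not found'
    for both cases so valid IDs are not disclosed."""
    cur = db.execute(
        "DELETE FROM email_forwards WHERE id = ? AND account_id = ?",
        (forward_id, account_id),
    )
    return cur.rowcount == 1


def forward_exists(db, forward_id):
    """Helper for verifying the outcome of the two handlers above."""
    row = db.execute(
        "SELECT 1 FROM email_forwards WHERE id = ?", (forward_id,)
    ).fetchone()
    return row is not None
```

Run `delete_forward_unchecked(open_db(), 202)` and it succeeds for any
caller; `delete_forward_checked(db, 1, 202)` returns False and leaves
bob's record intact, while `delete_forward_checked(db, 1, 101)` removes
alice's own record.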

V. Contact & Credits

matt (at) secondmotion (dot) com - Matt Thompson [Proof of Concept]
paul (at) secondmotion (dot) com - Paul Smurthwaite

VI. Source code

Source code has not been published for security reasons: the
problem lies in a single server that controls the DNS of many
other web sites, and publication would enable a mass attack.

A Proof of Concept tool can be provided at short notice on request.

=====================================================================
-ends-

Matt Thompson

----
DISCLAIMER & INFORMATION: This e-mail may contain proprietary
information, some or all of which may be legally privileged. It is
for the intended recipient only. If an addressing or transmission
error has misdirected this e-mail, please notify the author by
replying to this e-mail. If you are not the intended recipient you
must NOT use, disclose, distribute, copy, print, or rely on this
e-mail.

Any and all file attachments to this message are scanned at source
for viruses. This organisation has a strict policy on the
transmission of viruses and will not accept ANY excuse for the
receipt of viruses here, as a result of which, any message found to
contain viruses will be deleted at this mail server WITHOUT being
read. Persistent offenders will be banned from sending email to this
domain.

All messages sent from this domain and its specific accounts are
digitally signed using our public PGP keys. This is your guarantee
that the email you have received actually originated from our domain.
More information on PGP can be found at http://www.pgp.com.
----
