COMMAND
Multiple vulnerabilities
SYSTEMS AFFECTED
Outblaze-based e-mail providers
PROBLEM
'.sozni' found the following. By using authentication strings in the
URL after logging in to a mailbox, Outblaze-powered e-mail
accounts are left vulnerable to unauthorized access. Anyone who
discovers that string before a login session expires can gain full
access to any Outblaze-powered e-mail account. By including HTML
tags in an e-mail message, one can easily obtain the authorization
string for a login session. HTML can also be embedded within a
subject so that the victim need not even view the e-mail to be
vulnerable. Hijacked login sessions are not recorded in the login
history. Outblaze-powered e-mail servers are also vulnerable to
embedded Javascript and cross-site scripting exploits in both the
message body and the message subject.
'.sozni' was recently setting up an e-mail account with one of
the many free e-mail providers. After creating his account and
logging in, the URL in the address bar caught his eye. The URL
was as follows:
http://www.TheFreeProviderIused.org/scripts/common/outblaze.main?welcome&sozni&aaWaFwF60aqFc
The first parameter was obviously his login, but the second
parameter looked suspiciously like a DES-encrypted password. At
first thought, passing the password hash over the wire isn't
really the most secure way of authenticating. However, it's still
better than basic HTTP authentication. But after thinking about
it a bit, we realize that since your password is part of the
URL, it is also going to show up in your internet cache and
history as well as in any proxy server logs you might use along
the way. All someone would have to do is copy the URL and then
run it through something like John the Ripper.
So '.sozni' created a text file containing the text
"sozni:aaWaFwF60aqFc", added his password to his wordlist
(otherwise it would take 3 months to crack it), then ran John the
Ripper on it. Nothing. Surely, John should have cracked it by
now. But hey! Whatever that encrypted string was, it must be
some sort of authentication. And since it is actually part of
the URL, you really don't have to know what it is, all you really
have to do is just send it exactly as it is. So '.sozni' closed
all his browser sessions, deleted all his cookies, and then pasted
the URL he saved into a new browser window. Sure enough, he was
dropped to his inbox without having to logon. So he went over to
another pc, fired up the browser, pasted the URL and once again
he was at his inbox--no login prompt at all. Just to
double-check, he had a friend from Europe try the URL and he too
was dropped into his inbox.
So at this point we see that we have a big problem. Anyone who
has access to your browser history or cache, who has access to
any proxy server logs, or who sniffs somewhere on your wire will
be able to get into your e-mail account. However, it does get
worse. '.sozni' wondered what would happen if he sent himself an
html e-mail that included a link to his web site. He sent himself
such an e-mail, then checked his Outblaze-powered inbox and
followed the link on the message. A quick look at his server logs
revealed that the HTTP_REFERER variable contained a URL similar
to the one shown above. In other words, a login and
authentication string to get into your inbox. The bottom line
here is that if you send someone an e-mail with a link to a site
where you track HTTP_REFERER, you can get into as many mailboxes
as you want.
The issue here is that Outblaze doesn't seem to keep track of
sessions via cookies nor does it use HTTP authentication.
Therefore anyone with a valid URL that contains the correct login
information can connect directly to your inbox. With Outblaze
claiming at least 3.5 million users, this is a very serious issue.
The scary thing is that you don't even need to send Javascript or
really even html to get this to work. Outblaze will conveniently
convert any URL in your text message to clickable hotlinks for
you. All you really need to do is create some sort of hyperlink
that someone would want to click on. With a little creativity,
that isn't that difficult. In fact, if you do want to use html,
they really don't have to click on anything at all. You could
simply put the link back to your site in an IMG SRC tag. So
even if you have Javascript disabled in your browser, just
viewing a malicious e-mail can give anyone full access to your
account. And of course, they don't filter out Javascript so if
you really want to get tricky you can embed some script and do all
sorts of fancy things. Cross-site scripting comes to mind here.
But, it gets much worse. You don't even have to view the e-mail
message to be vulnerable. A properly constructed subject line
with the appropriate html tags can give someone access to your
account without you even reading their e-mail. All you have to
do is look at your inbox. Normally, if you get an e-mail you
don't trust, you can just delete it without reading it. But in
this case, just having the message in your inbox is enough. And
if you do see a message with a malicious subject in your inbox,
it's already too late. It is pretty cool to be able to put a
picture and hyperlinks in the subject of your e-mail, but that
capability moves this threat from serious to critical.
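The leak described above (the session URL arriving in the Referer of a linked or IMG-embedded site, or sitting in a proxy log) is something a site operator or a provider's security team can look for in their own logs. The following scanner is an added example written for this advisory; it is not Outblaze's code and not part of the original text. It recognises the `outblaze.main?welcome&<login>&<auth string>` URL shape quoted above, flags it wherever it appears in a request line or a Referer, checks whether the auth string has the 13-character crypt(3) DES shape the advisory speculates about (a format check only), and redacts the string so a report can be kept without reproducing a working session key. The Apache "combined" log layout and the three sample log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shape of the Outblaze welcome URL quoted in the advisory: the query
# string is three positional, ampersand-separated fields
# (welcome&<login>&<auth string>) rather than key=value pairs.
# Group 1 is everything up to the login, group 2 the login, group 3
# the auth string.
OUTBLAZE_URL_RE = re.compile(
    r'(https?://[^/\s"]+/scripts/common/outblaze\.main\?welcome&)'
    r'([^&\s"]+)&([^&\s"]+)'
)

# A traditional Unix crypt(3) DES hash is exactly 13 characters from
# the ./0-9A-Za-z alphabet; the advisory says the auth string "looked
# suspiciously like" one.  This is a format check only, nothing more.
CRYPT3_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Apache/NCSA "combined" access log layout (assumed for the sample).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d+) (\S+) '
    r'"([^"]*)" "([^"]*)"'
)

# Constructed sample: line 1 is the log of a web site whose IMG/link was
# loaded from inside the mailbox (Referer carries the session URL);
# line 2 is a proxy log where the mailbox URL itself was requested;
# line 3 is an unrelated, benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2001:10:15:01 +0000] "GET /pic.gif HTTP/1.0" '
    '200 43 "http://www.TheFreeProviderIused.org/scripts/common/'
    'outblaze.main?welcome&sozni&aaWaFwF60aqFc" "Mozilla/4.0"',
    '192.0.2.10 - - [12/Oct/2001:10:14:30 +0000] "GET http://www.'
    'TheFreeProviderIused.org/scripts/common/outblaze.main?welcome&sozni&'
    'aaWaFwF60aqFc HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.5 - - [12/Oct/2001:10:16:02 +0000] "GET /index.html '
    'HTTP/1.0" 200 1024 "http://example.net/" "Mozilla/4.0"',
]


@dataclass
class AuthLeak:
    line_no: int      # 1-based index into the scanned log
    field: str        # "request" (proxy log) or "referer" (web site log)
    client: str       # address that made the logged request
    login: str
    token: str
    crypt_like: bool  # token has the crypt(3) DES shape


def parse_outblaze_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (login, auth string) if the URL is an Outblaze welcome URL."""
    m = OUTBLAZE_URL_RE.search(url)
    if not m:
        return None
    return m.group(2), m.group(3)


def looks_like_crypt3(token: str) -> bool:
    return CRYPT3_RE.match(token) is not None


def redact(url: str) -> str:
    """Replace the auth string with a marker so the URL can be kept in a
    report or log without reproducing a working session key."""
    return OUTBLAZE_URL_RE.sub(r"\1\2&<REDACTED>", url)


def scan_log(lines: List[str]) -> List[AuthLeak]:
    """Flag every request URL or Referer that carries a mailbox session."""
    leaks: List[AuthLeak] = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        client, url, referer = m.group(1), m.group(3), m.group(7)
        for where, value in (("request", url), ("referer", referer)):
            parsed = parse_outblaze_url(value)
            if parsed:
                login, token = parsed
                leaks.append(AuthLeak(n, where, client, login, token,
                                      looks_like_crypt3(token)))
    return leaks


if __name__ == "__main__":
    for leak in scan_log(SAMPLE_LOG):
        print(f"line {leak.line_no}: {leak.field} from {leak.client} "
              f"carries session for '{leak.login}' "
              f"(crypt(3)-shaped: {leak.crypt_like})")
```

Run as a script it reports two hits from the sample: the Referer on line 1 and the request line on line 2, both for the login `sozni`. A provider could run the same logic over its proxy logs; a third-party site that sees such Referers has direct evidence that its visitors' mailboxes are exposed.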
Now in testing all of this, '.sozni' was relieved to see that
Outblaze has an impressive feature that shows the details of your
previous login on your welcome page. And if you click on it, you
can view a complete login history for your account. One would
think that although there is this big vulnerability, you would
at least know if an intruder had been in your inbox. However,
after close inspection, you will realize that when you hijack an
existing session, the access is never logged at all. The log
entry seems to be created by the login authentication script and
since we are bypassing the login script our connection is never
logged. The result is that not only do we not know of an
intrusion, but we have a false sense of security because all we
see in the login history is our own ip address.
Here is a partial listing of Outblaze-powered servers, but
searching for "Powered by Outblaze" on an internet search engine
would reveal more:
Amuro.net joinme.com startvclub.com
boardermail.com jpopmail.com surfy.net
bsdmail.com keromail.com taiwan.com
dbzmail.com kittymail.com uumedia.com
doramail.com mailasia.com uymail.com
fastermail.com mailpokemon.com webcity.ca
gigileung.org marchmail.com windrivers.net
glay.org norikomail.com wongfaye.com
grabmail.com otakumail.com yyhmail.com
graffiti.net outblaze.net linuxmail.org
gravity.com.au outblaze.org
hackermail.com pokemonpost.com
i-p.com pokepost.com
isleuthmail.com samilan.net
jaydemail.com searcheuropemail.com
SOLUTION
Really, there is no fix until Outblaze changes their method for
authentication. You can disable Javascript which will protect you
some, but someone can still easily get access to your account.
You can make sure you don't save sensitive messages on public
servers. Oh, and you could use a text-based web browser to access
your account, such as Lynx or even Sam Spade. Finally you could
unplug your computer and not use the internet at all.
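What the change in authentication method called for above would look like on the server side, as an added example that is not Outblaze's code and not part of the advisory: the session is identified by a random token that is unrelated to the password and is carried only in a cookie, so nothing in the URL (and therefore nothing in a Referer, cache or proxy log) can be replayed; and, addressing the login-history gap described in the PROBLEM section, every request that presents the session is validated and recorded, not just the login script's one entry, so use of a session from a second machine becomes visible to the account owner. The idle timeout, the in-memory store and the header values are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Idle timeout for a mailbox session (an assumed policy value).
SESSION_TTL = 30 * 60


@dataclass
class Access:
    ip: str
    at: float
    event: str  # "login" or "request"


@dataclass
class Session:
    login: str
    last_seen: float
    # Every request presenting this session is recorded, not only the
    # login that created it, so a session used from a second machine
    # shows up in the history instead of being invisible.
    accesses: List[Access] = field(default_factory=list)


class SessionStore:
    """Server-side sessions keyed by a random token that is sent only in
    a cookie, never in the URL (assumed design; not Outblaze's code)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, login: str, client_ip: str, now: float) -> str:
        # The token is unguessable and unrelated to the password, so even
        # if it did leak it could not be cracked into the password.
        token = secrets.token_urlsafe(32)
        session = Session(login=login, last_seen=now)
        session.accesses.append(Access(client_ip, now, "login"))
        self._sessions[token] = session
        return token

    def authorize(self, token: Optional[str], client_ip: str,
                  now: float) -> Optional[str]:
        """Validate the cookie on EVERY request and record the access.
        Returns the login on success, None if the session is unknown or
        has expired (expired sessions are dropped)."""
        session = self._sessions.get(token) if token else None
        if session is None:
            return None
        if now - session.last_seen > SESSION_TTL:
            del self._sessions[token]
            return None
        session.last_seen = now
        session.accesses.append(Access(client_ip, now, "request"))
        return session.login

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def history(self, token: str) -> List[Access]:
        session = self._sessions.get(token)
        return list(session.accesses) if session else []

    def unexpected_clients(self, token: str) -> List[str]:
        """Addresses that used the session but are not the one that
        logged in, in order of first appearance; what a login-history
        page should surface to the user."""
        history = self.history(token)
        if not history:
            return []
        origin = history[0].ip
        seen: List[str] = []
        for access in history[1:]:
            if access.ip != origin and access.ip not in seen:
                seen.append(access.ip)
        return seen


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session.  HttpOnly keeps script embedded
    in a message from reading it, Secure keeps it off clear-text links,
    and SameSite=Lax stops it riding on cross-site requests."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


# With the credential out of the URL, a Referer sent to a linked or
# IMG-embedded site no longer carries anything usable; this header
# stops the mailbox URL being sent at all.
REFERRER_POLICY_HEADER = ("Referrer-Policy", "no-referrer")


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_000_000.0
    tok = store.login("sozni", "192.0.2.10", t0)
    store.authorize(tok, "192.0.2.10", t0 + 60)
    store.authorize(tok, "198.51.100.5", t0 + 120)   # second machine
    print("Set-Cookie:", session_cookie_header(tok))
    print("clients other than the one that logged in:",
          store.unexpected_clients(tok))
```

The token is still a bearer credential, so a provider may additionally choose to bind it to the client address or re-prompt for the password on a change of address; the point here is that the credential no longer leaves the browser in a URL, and that any use of it is in the history the user sees.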