Remote vulnerabilies in the popular free email software Outblaze
5df78eeac0f105290b292936d7e3625d27b887b8dc7cbd37aa936f63bb2db1d7<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Alert: Multiple
vulnerabilities with Outblaze-based e-mail providers </title>
</head>
<body>
<address>
<b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Alert:<span style="mso-spacerun: yes"> </span>Multiple
vulnerabilities with Outblaze-based e-mail providers<o:p>
</o:p>
</span></b>
</address>
<address>
<b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Date:<span style="mso-spacerun: yes"> </span>February
16, 2000<o:p>
</o:p>
</span></b>
</address>
<address>
<b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Author: .sozni<o:p>
</o:p>
</span></b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""><o:p>
</o:p>
</span>
</address>
<hr>
<p class="MsoPlainText"><b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Overview</span></b></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">By using authentication strings in the URL after logging
in to a mailbox, Outblaze-powered e-mail accounts are left vulnerable to
unauthorized access.<span style="mso-spacerun: yes"> </span>Anyone who
discovers that string before a login session expires can gain full access to any
Outblaze-powered e-mail account.<span style="mso-spacerun: yes"> </span>By
including HTML tags in an e-mail message, one can easily obtain the
authorization string for a login session.<span style="mso-spacerun: yes"> </span>HTML
can also be embedded within a subject so that the victim need not even view the
e-mail to be vulnerable.<span style="mso-spacerun: yes"> </span>Hijacked
login sessions are not recorded in the login history.<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Outblaze-powered e-mail servers are also vulnerable to
embedded Javascript and cross-site scripting exploits in both the message body
as well as the message subject. <o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> </span></p>
<p class="MsoPlainText"><b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Description:<o:p>
</o:p>
</span></b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""><o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">I was recently setting up an e-mail account with one of
the many free e-mail providers.<span style="mso-spacerun: yes"> </span>After
creating my account and logging in, the url in the address bar caught my eye.<span style="mso-spacerun: yes">
</span>The URL was as follows:<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">http://www.TheFreeProviderIused.org/scripts/common/outblaze.main?welcome&sozni&aaWaFwF60aqFc<o:p>
</o:p>
</span><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""><o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">The first parameter was obviously my login but the second
parameter looked suspiciously like a DES-encrypted password.<span style="mso-spacerun: yes">
</span>At first thought I determined that passing the password hash over the
wire isn't really the most secure way of authenticating.<span style="mso-spacerun: yes">
</span>However, its still better than basic HTTP authentication. But after
thinking about it a bit I realized that since my password was part of the URL,
it was also going to show up in my internet cache and history as well as any
proxy server logs I use along the way.<span style="mso-spacerun: yes"> </span>All
someone would have to do is copy the URL and then run it through something like
John the Ripper.<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">So I created a text file containing the text
"sozni:aaWaFwF60aqFc", added my password to my wordlist (otherwise it
would take 3 months to crack it), then ran john the ripper on it.<span style="mso-spacerun: yes">
</span>As I sat there staring at a blank DOS prompt, I suspected that I was
wrong in my suspicion. Surely, john should have cracked it by now.<span style="mso-spacerun: yes">
</span>But then something occurred to me.<span style="mso-spacerun: yes"> </span>Whatever
that encrypted string was, it must be some sort of authentication.<span style="mso-spacerun:
yes"> </span>And since it was actually part of the URL, I really didn't
have to know what it was, all I really had to do was just send it exactly as it
was.<span style="mso-spacerun: yes"> </span>So I closed all my browser
sessions, deleted all my cookies, and then pasted the URL I saved into a new
browser window.<span style="mso-spacerun: yes"> </span>Sure enough, I was
dropped to my inbox without having to logon.<span style="mso-spacerun: yes">
</span>So I went over to another pc, fired up the browser, pasted the URL and
once again I was at my inbox--no login prompt at all. Just to double-check, I
had a friend from Europe try the url and he too was dropped into my inbox.<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">So at this point I see that we have a big problem.<span style="mso-spacerun: yes">
</span>Anyone who has access to my browser history or cache, has access to any
proxy server logs, or who sniffs somewhere on my wire will be able to get into
my e-mail account.<span style="mso-spacerun:
yes"> </span>And although that is a big risk, I still have a little
comfort in knowing that anyone who would be in any of those positions I could
presumably trust not to read my e-mail, right?<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">However, it does get worse.<span style="mso-spacerun: yes">
</span>I wondered what would happen if I sent myself an html e-mail that
included a link to my web site.<span style="mso-spacerun: yes"> </span>I
sent myself such an e-mail, then checked my Outblaze-powered inbox and followed
the link on the message.<span style="mso-spacerun: yes"> </span>A quick
look at my server logs revealed that the HTTP_REFERRER variable contained a url
similar to the one I showed above.<span style="mso-spacerun: yes"> </span>In
other words, a login and authentication string to get into my inbox.<span style="mso-spacerun: yes">
</span>The bottom line here is that if you send someone an e-mail with a link to
a site where you track HTTP_REFERRER, you can get into as many mailboxes as you
want.<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">The issue here is that Outblaze doesn't seem to keep
track of sessions via cookies nor does it use HTTP authentication.<span style="mso-spacerun: yes">
</span>Therefore anyone with a valid URL that contains the correct login
information can connect directly to your inbox.<span style="mso-spacerun: yes">
</span>With Outblaze claiming at least 3.5 million users, this is a very serious
issue.<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">The scary thing is that you don't even need to send
Javascript or really even html to get this to work.<span style="mso-spacerun: yes">
</span>Outblaze will conveniently convert any URL in your text message to
clickable hotlinks for you.<span style="mso-spacerun: yes"> </span>All you
really need to do is create some sort of hyperlink that someone would want to
click on.<span style="mso-spacerun: yes"> </span>With a little creativity,
that isn't that difficult.<span style="mso-spacerun: yes"> </span>In fact,
if you do want to use html, they really don't have to click on anything at all.<span style="mso-spacerun: yes">
</span>You could simply put the link back to your site as an IMG SOURCE tag.<span style="mso-spacerun: yes">
</span>So even if you have Javascript disabled in your browser, just viewing a
malicious e-mail can give anyone full access to your account.<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">And of course, they don't filter out Javascript so if you
really want to get tricky you can embed some script and do all sorts of fancy
things.<span style="mso-spacerun: yes"> </span>Cross-site scripting comes
to mind here.<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">But, it gets much worse.<span style="mso-spacerun: yes">
</span>You don't even have to view the e-mail message to be vulnerable.<span style="mso-spacerun: yes">
</span>A properly constructed subject line with the appropriate html tags can
give someone access to your account without you even reading their e-mail.<span style="mso-spacerun: yes">
</span>All you have to do is look at your inbox.<span style="mso-spacerun: yes">
</span>Normally, if you get an e-mail you don't trust, you can just delete it
without reading it.<span style="mso-spacerun: yes"> </span>But in this
case, just having the message in your inbox is enough.<span style="mso-spacerun: yes">
</span>And if you do see a message with a malicious subject in your inbox, its
already too late.<span style="mso-spacerun: yes"> </span>I must say that
it is pretty cool to be able to put a picture and hyperlinks in the subject of
your e-mail, but that capability moves this threat from serious to critical.<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Now in testing all of this, I was relieved to see that
Outblaze has an impressive feature that shows the details of your previous login
on your welcome page.<span style="mso-spacerun: yes"> </span>And if you
click on it, you can view a complete login history for your account.<span style="mso-spacerun: yes">
</span>I thought that although there is this big vulnerability, you would at
least know if an intruder had been in your inbox.<span style="mso-spacerun: yes">
</span>However, after close inspection, I realized that when you hijack an
existing session, the access is never logged at all.<span style="mso-spacerun: yes">
</span>The log entry seems to be created by the login authentication script and
since we are bypassing the login script our connection is never logged.<span style="mso-spacerun: yes">
</span>The result is that not only do we not know of an intrusion, but we have a
false sense of security because all we see in the login history is our own ip
address.<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">A note on the encrypted string of the URL, I didn't
really do much research on it at all because I really didn't even have to know
what it represented.<span style="mso-spacerun: yes"> </span>I did notice,
however, that it changes each time you login to your account.<span style="mso-spacerun: yes">
</span>Therefore, rather than being an encrypted password or a password hash, it
is more likely some sort of session authentication.<span style="mso-spacerun: yes">
</span>As far as I can tell, it is a function of the username and the time.<span style="mso-spacerun: yes">
</span>I couldn't use the same string for another inbox, but if I logged into
one account simultaneously from two different browsers I got the same string.<span style="mso-spacerun: yes">
</span>I also know that a login string is valid until it times out.<span style="mso-spacerun: yes">
</span>I am not sure exactly what the timeout is, but I know that it lasts at
least a few hours but not more than a day.<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Wise people learn from the mistakes of others, but when
it comes to internet security, we keep seeing the same mistakes being made over
and over and over.<span style="mso-spacerun: yes"> </span>As soon as
someone comes out with a new internet server daemon, the first thing we do is
try to overflow it.<span style="mso-spacerun: yes"> </span>And usually we
are successful.<span style="mso-spacerun: yes"> </span>When a new
webserver comes out the first thing we do is try to traverse outside the webroot.<span style="mso-spacerun:
yes"> </span>And again usually we are successful.<span style="mso-spacerun:
yes"> </span>Microsoft has already been through all this stuff with
Hotmail, and yet Outblaze is now suffering from the very same problems.<span style="mso-spacerun: yes">
</span>Is it Microsoft's fault for not sharing their wisdom or is it Outblaze's
fault for not learning from the mistakes of others?<span style="mso-spacerun: yes">
</span><o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Some of you may think that getting into someone's e-mail
account is no big deal, but looking at my own inbox I realized that most of the
messages that I save usually contain passwords for other systems, confirmation
of credit card orders, or registration codes for software I have purchased.<span style="mso-spacerun: yes">
</span>In fact, the only reason I ever do save something is because it contains
something important.<span style="mso-spacerun: yes"> </span>Needless to
say, it was a wakeup call for myself that until we make some great progress in
internet security, we should consider our Inbox Public_HTML.</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""><o:p>
</o:p>
<o:p>
</o:p>
<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">The Fix<o:p>
</o:p>
</span></b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""><o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Really, there is no fix until Outblaze changes their
method for authentication.<span style="mso-spacerun: yes"> </span>You can
disable Javascript which will protect you some, but someone can still easily get
access to your account.<span style="mso-spacerun: yes"> </span>You can
make sure you don't save sensitive messages on public servers.<span style="mso-spacerun:
yes"> </span>Oh, and you could use a text-based web browser to access your
account, such as Lynx or even Sam Spade.<span style="mso-spacerun: yes"> </span>Finally
you could unplug your computer and not use the internet at all.</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""><o:p>
</o:p>
</span><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""><o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><b><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Vulnerable Providers<o:p>
</o:p>
</span></b></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Here is a partial listing of Outblaze-powered serves, but
searching for "Powered by Outblaze" on an internet search engine would
reveal more:<o:p>
</o:p>
</span></p>
<pre><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> </span><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">Amuro.net<span style="mso-spacerun:
yes"> </span>joinme.com<span style="mso-spacerun: yes"> </span>startvclub.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">boardermail.com<span style="mso-spacerun:
yes"> </span>jpopmail.com<span style="mso-spacerun: yes"> </span>surfy.net<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">bsdmail.com<span style="mso-spacerun:
yes"> </span>keromail.com<span style="mso-spacerun: yes"> </span>taiwan.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">dbzmail.com<span style="mso-spacerun:
yes"> </span>kittymail.com<span style="mso-spacerun: yes"> </span>uumedia.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">doramail.com<span style="mso-spacerun:
yes"> </span>mailasia.com <span style="mso-spacerun:
yes"> </span>uymail.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">fastermail.com<span style="mso-spacerun:
yes"> </span>mailpokemon.com<span style="mso-spacerun: yes"> </span>webcity.ca<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">gigileung.org<span style="mso-spacerun:
yes"> </span>marchmail.com<span style="mso-spacerun: yes"> </span>windrivers.net<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">glay.org<span style="mso-spacerun:
yes"> </span>norikomail.com<span style="mso-spacerun: yes"> </span>wongfaye.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">grabmail.com<span style="mso-spacerun:
yes"> </span>otakumail.com<span style="mso-spacerun: yes"> </span>yyhmail.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">graffiti.net<span style="mso-spacerun:
yes"> </span>outblaze.net<span style="mso-spacerun: yes"> </span>linuxmail.org<o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">gravity.com.au<span style="mso-spacerun:
yes"> </span>outblaze.org<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">hackermail.com<span style="mso-spacerun:
yes"> </span>pokemonpost.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">i-p.com<span style="mso-spacerun:
yes"> </span>pokepost.com<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">isleuthmail.com<span style="mso-spacerun:
yes"> </span>samilan.net<span style="mso-spacerun: yes"> </span><o:p>
</o:p>
</span></pre>
<pre><span style="font-size:8.0pt;mso-bidi-font-size:10.0pt;
mso-fareast-font-family:"MS Mincho"">jaydemail.com<span style="mso-spacerun:
yes"> </span>searcheuropemail.com <o:p>
</o:p>
</span></pre>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> </span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">At this time, Outblaze has been informed of the problem
and (I hope) is working to solve it.<span style="mso-spacerun: yes"> </span>It
is important to note that Outblaze is not the only company vulnerable to this
type of attack.<span style="mso-spacerun: yes"> </span>I have seen
hundreds of sites that use similar authentication methods that would be just as
vulnerable.<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> <o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> <o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">.sozni<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">sozni@usa.net<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> <o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> <o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> <o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho"">Copyright (C)2000 by .sozni, all rights reserved.<span style="mso-spacerun: yes">
</span>Permission is hereby granted to copy or redistribute this advisory
unmodified and in its entirety.<o:p>
</o:p>
</span></p>
<p class="MsoPlainText"><span style="font-family:"Times New Roman";mso-fareast-font-family:
"MS Mincho""> <o:p>
</o:p>
</span></p>
</body>
</html>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed