BWL-00-02.txt
Posted May 15, 2000
Authored by Black Watch Labs | Site perfectotech.com

Black Watch Labs Security Advisory #00-02 (March 6, 2000) - Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data. A mail application used by some free mail services employs a weak security scheme. It assigns session-IDs ("tokens") for logged-in users which allow reading of arbitrary users' messages and private information.

tags | arbitrary
MD5 | 5afcf43693f2eba277fc5c2e50a93792

   Black Watch Lab - Vulnerabilities

Black Watch Labs ID: BWL-00-02

Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data
Black Watch Labs Security Advisory #00-02 (March 3, 2000)
Name:
Weak Token in Mail.Com Application Allows Compromise of Arbitrary User's Data
Black Watch Labs ID:
BWL-00-02
Date Released:
March 3, 2000
Category:
Application (HTML) - Weak Session Token
Products affected:
Free Web mail services powered by mail.com (two underlying free Web mail applications were identified, and this
vulnerability pertains to only one of them. Services that use the other application are not vulnerable as far as we
know. The free Web mail offered directly by mail.com is not vulnerable)
Number of affected sites/pages/users:
We currently know of two major sites that use this application. It is estimated that the total number of subscribers
to these services is in the order of magnitude of hundreds of thousands.
Summary:
The mail application employs a weak security scheme. It assigns session-IDs ("tokens") for logged-in users which allow
reading of arbitrary users' messages and private information, if enough effort is invested.
Analysis:
The mail service, upon successful login, assigns an encoded session-ID for the user, in the following manner:
1. The mailbox's number (a decimal number consisting of around 8 digits) is concatenated with a colon symbol, and the
current time (in seconds since 01/01/1970, based on the server's clock, 9-10 decimal digits) is appended to it,
reading nnnnnnnn:ttttttttt (where nnnnnnnn is the number of the mailbox, and ttttttttt is the time). This string
will be referred to as the clear session-ID.
2. A base letter is randomly generated, probably in the range A-J.
3. The encoded session-ID consists of the base letter, concatenated with pairs of capital letters, each pair
corresponding to one character of the clear session-ID: the character's ASCII code is written as two decimal
digits, and each digit is taken as an offset from the base letter. For example, if the base letter is A,
then the character "1", whose ASCII code is 49, is represented as EJ; if the base letter is G and the character
to encode is ":", whose ASCII code is 58, then the encoded representation is LO.

This encoded session-ID identifies the session, and is given back to the user via a cookie (if the user accepts
cookies), or as part of the URL. In both cases, the name of the parameter (or the cookie) is "iNAME", e.g.
iNAME=BFKFGGGGHGBGIGHGFGJGIGDGFGIGCGDGFGDGI. In many cases we observed both the cookie and the URL trailer being
sent to the user.

Apparently, the session is identified by the encoded session-ID, and by it alone. Empirically, the session is not
accessible if one changes the timestamp, the mailbox number, or even the base letter (re-adjusting, of course, the
rest of the string accordingly).

The session stays alive as long as the user has not logged out and the account has not been idle for longer than 6
hours. Therefore, if an attacker obtains the encoded session-ID while the session is still alive, he/she can access
all the information residing in the user account, such as personal information and messages.

The encoded session-ID can be reconstructed statistically (that is, an attacker can generate several candidates, one
of which will be correct) relatively easily. First, the attacker needs to guess (or know beforehand) a mailbox number.
Then, the attacker should estimate when the owner of the mailbox accesses the mailbox (a fair estimate would be once a
day). Next, the attacker needs to know the approximate time on the mail server (easily done if the attacker opens a
valid account there and decodes the session-ID, which contains the server time). Now, in order to gain access to the
mailbox, the attacker needs to write a script that generates, for each second of the day, all 10 possible encoded
session-IDs (one per possible base letter), and sends these to the server (either as a cookie or embedded in a
request URL). If the owner of the mailbox did log in during the day, the script will discover the valid token, and as
a final step it should retrieve all the mailbox info.

As a side note, it should be stated that the application does not sanitize HTML and JavaScript when a user of the
application views the body of a mail message sent to him/her. As a result, most of the standard exploits (e.g.
embedding links and JavaScript in various tags) work well and can be used as standalone attacks or in conjunction
with the above vulnerability (e.g. to establish the initial link between an email address and a mailbox number).
Exploits:
Identifying the vulnerable application can be done by checking whether the suspected application is willing to serve
clients that disallow cookies (only the vulnerable application does that), and whether, once the user has logged in,
the URLs carry the "iNAME=..." trailer. If such is the case, the attack method described above is applicable.
Naturally we do not provide an automated script that implements the attack.
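The token scheme from the Analysis section (steps 1-3) and the "iNAME=..." URL trailer from the Exploits section, modelled as an added example; this is not Black Watch Labs' code, nor the mail.com application's. The block encodes and decodes tokens exactly as the advisory describes, decodes the advisory's own sample token, sizes the candidate space a known mailbox has within a one-day login window, contrasts that with an unguessable random identifier, and runs a check over access-log lines that a site operator could use to spot tokens leaking through URLs. The A-J base-letter range is taken from the advisory's "probably"; the function names, the log lines, and the log format are constructed for this example.

```python
"""Model of the mail.com session-token scheme described in the advisory.

Added example, not Black Watch Labs' or the application's code. Encoding rules
come from the advisory's steps 1-3; the A-J base range is the advisory's
"probably"; the access-log lines are constructed for illustration.
"""
import math
import secrets
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

BASE_LETTERS = "ABCDEFGHIJ"  # assumed base-letter range, per the advisory


def encode_clear(clear: str, base: str) -> str:
    """Encode a clear session-ID: base letter, then one letter pair per
    character, each decimal digit of the ASCII code offset from the base."""
    if base not in BASE_LETTERS:
        raise ValueError("base letter outside the assumed A-J range")
    out = [base]
    for ch in clear:
        hi, lo = divmod(ord(ch), 10)
        if hi > 9:
            raise ValueError("scheme can only carry ASCII codes 0-99")
        out.append(chr(ord(base) + hi))
        out.append(chr(ord(base) + lo))
    return "".join(out)


def decode_token(token: str) -> str:
    """Invert encode_clear: the first letter is the base, the rest are pairs."""
    base, body = token[0], token[1:]
    if len(body) % 2:
        raise ValueError("odd number of letters after the base")
    chars = []
    for a, b in zip(body[::2], body[1::2]):
        hi, lo = ord(a) - ord(base), ord(b) - ord(base)
        if not (0 <= hi <= 9 and 0 <= lo <= 9):
            raise ValueError("letter pair is not a digit offset from the base")
        chars.append(chr(10 * hi + lo))
    return "".join(chars)


def split_clear(clear: str) -> tuple[str, int]:
    """Split nnnnnnnn:ttttttttt into (mailbox number, login time)."""
    mailbox, sep, ts = clear.partition(":")
    if not sep or not ts.isdigit():
        raise ValueError("clear session-ID is not mailbox:timestamp")
    return mailbox, int(ts)


def candidate_space(window_seconds: int) -> int:
    """Distinct tokens a known mailbox can have within a login window:
    one per second per base letter (a full day: 864,000, under 20 bits)."""
    return window_seconds * len(BASE_LETTERS)


def guessing_bits(window_seconds: int) -> float:
    """Effective entropy of the token once the mailbox number is known."""
    return math.log2(candidate_space(window_seconds))


def random_session_id(nbytes: int = 16) -> str:
    """What the token should have been: CSPRNG output (128 bits here) that
    encodes no user, time or structure, looked up server-side."""
    return secrets.token_urlsafe(nbytes)


# Constructed access-log lines; the token is the advisory's own sample.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2000:21:30:01 +0000] "GET /inbox.cgi?iNAME=BFKFGGGGHGBGIGHGFGJGIGDGFGIGCGDGFGDGI HTTP/1.0" 200 5120
10.0.0.9 - - [03/Jan/2000:21:31:15 +0000] "GET /logo.gif HTTP/1.0" 200 3012
"""


def tokens_in_log(log_text: str) -> list[dict]:
    """Flag requests carrying iNAME in the URL (visible to proxies, referer
    headers and browser history) and decode what each token reveals."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 2 or len(parts[1].split()) < 2:
            continue
        path = parts[1].split()[1]
        for token in parse_qs(urlsplit(path).query).get("iNAME", []):
            try:
                mailbox, ts = split_clear(decode_token(token))
            except ValueError:
                continue  # not a token of this scheme
            findings.append({
                "mailbox": mailbox,
                "login_time": ts,
                "login_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            })
    return findings


if __name__ == "__main__":
    print(encode_clear("1", "A"), encode_clear(":", "G"))  # AEJ GLO
    print(decode_token("BFKFGGGGHGBGIGHGFGJGIGDGFGIGCGDGFGDGI"))
    print(f"{candidate_space(86400)} candidates/day, {guessing_bits(86400):.1f} bits")
    print(tokens_in_log(SAMPLE_LOG))
```

Decoding the advisory's sample token with this decoder gives a clear session-ID of the form mailbox:timestamp whose timestamp falls in early January 2000, which is what makes the token so weak: everything in it is either known (mailbox number), guessable within a small window (login second), or one of ten values (base letter). The log check is the defensive counterpart of the fingerprint in the Exploits section: any iNAME value in a URL is a live credential written into logs, referers and caches, so an operator should treat each such line as an exposed session and move the token into a cookie-only, randomly generated identifier.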
Vendor Status:
Vendors using the mail.com product have been notified as has mail.com.
Vendor Patch or workaround:
Not available at the time of this release.
About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies Inc., the leader in Web Application Security
Management. Black Watch Labs was established in order to further the knowledge of the Internet community in the arena
of Web application security management. Black Watch Labs publishes security advisories regularly, which are maintained
at http://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and Web sites. Black
Watch Labs also operates a Web application security mailing list, which can be subscribed to at
http://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security
Management, please call (408) 855-9500 or email BlackWatchLabs@perfectotech.com.

About Perfecto Technologies (http://www.perfectotech.com/)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies pioneered the market for Web
Application Security Management software. AppShield, Perfecto Technologies' flagship product offering, is the first to
provide extreme security for customer-facing applications in dynamic Web site environments. Perfecto Technologies has
customers in many sectors including, banking, retailing, finance, government and healthcare. Privately held, Perfecto
Technologies is funded by blue-chip venture capital firms and industry leaders, including Sequoia Capital, Walden and
Intel Corporation. More information about Perfecto Technologies may be obtained by visiting the Company's Web site at
http://www.perfectotech.com/ or by calling the Company directly at (408) 855-9500.
Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety,
provided the information, this notice and all other Perfecto Technologies marks remain intact.
Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON
THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE
PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY
PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE,
INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER
PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.
NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent,
trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever
arising out of or in connection with the use or spread of this information. Any use of this information is at the
user's own risk.
