Alert:  Multiple vulnerabilities with Outblaze-based e-mail providers
Date:   February 16, 2000
Author: .sozni

Overview

Because Outblaze-powered e-mail services carry the authentication string in the URL after a user logs in to a mailbox, accounts are left vulnerable to unauthorized access.  Anyone who discovers that string before the login session expires can gain full access to that Outblaze-powered e-mail account.  By including HTML tags in an e-mail message, one can easily obtain the authorization string for a login session.  HTML can also be embedded in a subject line, so that the victim need not even view the e-mail to be vulnerable.  Hijacked login sessions are not recorded in the login history.

Outblaze-powered e-mail servers are also vulnerable to embedded JavaScript and cross-site scripting exploits in both the message body and the message subject.

Description

I was recently setting up an e-mail account with one of the many free e-mail providers.  After creating my account and logging in, the URL in the address bar caught my eye.  The URL was as follows:

http://www.TheFreeProviderIused.org/scripts/common/outblaze.main?welcome&sozni&aaWaFwF60aqFc

The first parameter was obviously my login, but the second parameter looked suspiciously like a DES-encrypted password.  My first thought was that passing the password hash over the wire isn't really the most secure way of authenticating; still, it's better than basic HTTP authentication.  But after thinking about it a bit I realized that since my password was part of the URL, it was also going to show up in my browser cache and history as well as in the logs of any proxy server I use along the way.  All someone would have to do is copy the URL and then run it through something like John the Ripper.

So I created a text file containing the text "sozni:aaWaFwF60aqFc", added my password to my wordlist (otherwise it would take 3 months to crack it), then ran John the Ripper on it.  As I sat there staring at a blank DOS prompt, I suspected that my suspicion was wrong.  Surely John should have cracked it by now.  But then something occurred to me.  Whatever that encrypted string was, it must be some sort of authentication.  And since it was actually part of the URL, I really didn't have to know what it was; all I really had to do was send it exactly as it was.  So I closed all my browser sessions, deleted all my cookies, and then pasted the URL I had saved into a new browser window.  Sure enough, I was dropped into my inbox without having to log on.  So I went over to another PC, fired up the browser, pasted the URL, and once again I was at my inbox, with no login prompt at all.  Just to double-check, I had a friend in Europe try the URL, and he too was dropped into my inbox.

So at this point I see that we have a big problem.  Anyone who has access to my browser history or cache, has access to any proxy server logs, or sniffs somewhere on my wire will be able to get into my e-mail account.  And although that is a big risk, I still have a little comfort in knowing that anyone in any of those positions is someone I could presumably trust not to read my e-mail, right?

However, it does get worse.  I wondered what would happen if I sent myself an HTML e-mail that included a link to my web site.  I sent myself such an e-mail, then checked my Outblaze-powered inbox and followed the link in the message.  A quick look at my server logs revealed that the HTTP_REFERER variable contained a URL similar to the one I showed above: in other words, a login and authentication string to get into my inbox.  The bottom line here is that if you send someone an e-mail with a link to a site where you track HTTP_REFERER, you can get into as many mailboxes as you want.

The issue here is that Outblaze doesn't seem to keep track of sessions via cookies, nor does it use HTTP authentication.  Therefore anyone with a valid URL that contains the correct login information can connect directly to your inbox.  With Outblaze claiming at least 3.5 million users, this is a very serious issue.

The scary thing is that you don't even need to send JavaScript, or really even HTML, to get this to work.  Outblaze will conveniently convert any URL in your text message into a clickable link for you.  All you really need to do is create some sort of hyperlink that someone would want to click on.  With a little creativity, that isn't that difficult.  In fact, if you do want to use HTML, they don't have to click on anything at all.  You could simply put the link back to your site in the SRC attribute of an IMG tag.  So even if you have JavaScript disabled in your browser, just viewing a malicious e-mail can give anyone full access to your account.
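As an added illustration of the leak described in the paragraphs above (example code written for this edit, not part of the advisory and not Outblaze's software), the following Python audit scans web server access-log lines for URLs whose query string has the three-field shape of the Outblaze URL, and reports whether the token arrived in the request line (the provider's own logs, or a proxy's) or in the Referer header (a third-party site's logs).  The log lines are constructed with placeholder hosts, logins and auth strings; the combined-log regular expression, the token pattern and the masking are assumptions for the example.  It is the check a provider or tester would run to confirm that session tokens are being written to logs, and it masks each token so the audit output does not itself become a credential store.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Apache "combined" access-log lines (made-up hosts,
# logins and auth strings). Lines 1-2 imitate a third-party site receiving
# the webmail URL in the Referer header; line 3 imitates the webmail server's
# own log, where the same URL is the request itself; line 4 is a plain hit.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2000:10:01:02 +0000] "GET /promo.html HTTP/1.0" 200 512 "http://mail.example.invalid/scripts/common/outblaze.main?welcome&alice&abZq9Lk2mNpQr" "Mozilla/4.0"
203.0.113.9 - - [16/Feb/2000:10:02:15 +0000] "GET /logo.gif HTTP/1.0" 200 2048 "http://mail.example.invalid/scripts/common/outblaze.main?read&bob&cdEf8Gh1JkLmN" "Mozilla/4.0"
198.51.100.7 - - [16/Feb/2000:10:03:44 +0000] "GET /scripts/common/outblaze.main?welcome&carol&efGh7Ij2KlMnO HTTP/1.0" 200 4096 "http://mail.example.invalid/login.html" "Mozilla/4.0"
198.51.100.8 - - [16/Feb/2000:10:04:10 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

# Apache/NCSA "combined" log format (assumed for this example).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string shape described in the advisory: three positional fields with
# no '=' signs -- view, login, and a 13-character crypt-like auth string.
TOKEN_QUERY_RE = re.compile(
    r"^(?P<view>[A-Za-z]+)&(?P<login>[^&=]+)&(?P<token>[A-Za-z0-9./]{13})$"
)


def mask(token):
    """Keep only a short prefix so the audit report does not hold live credentials."""
    return token[:3] + "*" * (len(token) - 3)


def token_in_url(url, query_re=TOKEN_QUERY_RE):
    """Return (login, masked token) if the URL's query string carries a session token."""
    if not url or url == "-":
        return None
    m = query_re.match(urlsplit(url).query)
    if not m:
        return None
    return m.group("login"), mask(m.group("token"))


def find_token_leaks(log_text, query_re=TOKEN_QUERY_RE):
    """Scan combined-format log lines; report each place a session token was written."""
    leaks = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real audit would count these
        rec = m.groupdict()
        # The request path covers the provider's own (and any proxy's) logs;
        # the Referer covers any site the user was sent to from the mailbox.
        for where, url in (("request", rec["path"]), ("referer", rec["referer"])):
            hit = token_in_url(url, query_re)
            if hit:
                leaks.append({"client": rec["ip"], "where": where,
                              "login": hit[0], "token": hit[1]})
    return leaks


if __name__ == "__main__":
    for leak in find_token_leaks(SAMPLE_LOG):
        print(leak)
```

Run over the constructed sample, the audit reports the two Referer leaks and the one request-line hit; the fourth line, with no token anywhere, is silent.  Pointing the same function at a real log only needs the token pattern adjusted to whatever shape the service under test uses.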

And of course, they don't filter out JavaScript, so if you really want to get tricky you can embed some script and do all sorts of fancy things.  Cross-site scripting comes to mind here.

But it gets much worse.  You don't even have to view the e-mail message to be vulnerable.  A properly constructed subject line with the appropriate HTML tags can give someone access to your account without you even reading their e-mail.  All you have to do is look at your inbox.  Normally, if you get an e-mail you don't trust, you can just delete it without reading it.  But in this case, just having the message in your inbox is enough.  And if you do see a message with a malicious subject in your inbox, it's already too late.  I must say that it is pretty cool to be able to put a picture and hyperlinks in the subject of your e-mail, but that capability moves this threat from serious to critical.
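Added example, not from the advisory and not Outblaze's code: the server-side rendering change that closes the subject-line and message-body cases just described.  A subject is treated as text and escaped before it is placed in the inbox page; a body, where some formatting is wanted, goes through an allowlist sanitizer that drops script, style, event-handler attributes and script-scheme links, and removes the image SRC so that merely displaying a message never triggers a remote fetch (and so never sends a Referer).  The sample subjects and body are constructed with placeholder hosts; the tag and attribute allowlists are assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample messages imitating the cases in the advisory: a plain
# subject, a subject carrying an image tag, and a body containing script, an
# image that would cause a remote fetch, and a link with a script URL.
SAMPLE_SUBJECTS = [
    "Lunch on Friday?",
    'Hi <img src="http://tracker.example.invalid/pixel.gif">',
]
SAMPLE_BODY = ('<p>Hello <script>alert(1)</script>'
               '<img src="http://tracker.example.invalid/pixel.gif" alt="pic"> '
               '<a href="javascript:void(0)" onclick="x()">link</a></p>')


def render_inbox_row_unsafe(sender, subject):
    # The defect: the subject is pasted straight into the inbox page, so tags
    # inside it become part of the page's markup and the browser acts on them.
    return f"<tr><td>{sender}</td><td>{subject}</td></tr>"


def render_inbox_row(sender, subject):
    # Hardened form: a subject is text, never markup, so every character the
    # browser could read as HTML is escaped before it reaches the page.
    return f"<tr><td>{html.escape(sender)}</td><td>{html.escape(subject)}</td></tr>"


# Allowlist for message bodies (assumed for this example). 'src' is deliberately
# absent, so the browser never fetches a remote resource while showing mail.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"alt"}}
VOID_TAGS = {"br", "img"}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")


class BodySanitizer(HTMLParser):
    """Rebuilds the body from scratch, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside script/style, whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, src, style and anything else
            if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
                continue  # drops javascript: and other non-web schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))  # text stays text


def sanitize_body(body_html):
    parser = BodySanitizer()
    parser.feed(body_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(render_inbox_row("someone@example.invalid", subject))
    print(sanitize_body(SAMPLE_BODY))
```

The unsafe renderer and the hardened one are shown side by side so the difference is the single escaping step; the sanitizer is the stricter counterpart for bodies, and the decision to strip SRC rather than allow it is what stops the image-tag variant the advisory describes, with or without JavaScript in the picture.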

Now in testing all of this, I was relieved to see that Outblaze has an impressive feature that shows the details of your previous login on your welcome page.  And if you click on it, you can view a complete login history for your account.  I thought that although there is this big vulnerability, you would at least know if an intruder had been in your inbox.  However, after close inspection, I realized that when you hijack an existing session, the access is never logged at all.  The log entry seems to be created by the login authentication script, and since we are bypassing the login script our connection is never logged.  The result is that not only do we not know of an intrusion, but we have a false sense of security, because all we see in the login history is our own IP address.

A note on the encrypted string in the URL: I didn't really do much research on it at all, because I didn't even have to know what it represented.  I did notice, however, that it changes each time you log in to your account.  Therefore, rather than being an encrypted password or a password hash, it is more likely some sort of session authentication.  As far as I can tell, it is a function of the username and the time.  I couldn't use the same string for another inbox, but if I logged into one account simultaneously from two different browsers I got the same string.  I also know that a login string is valid until it times out.  I am not sure exactly what the timeout is, but I know that it lasts at least a few hours but not more than a day.
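Added example (not Outblaze's code) of the session handling the two paragraphs above find missing, as a contrast with the URL string they describe: a fresh random identifier for every login (so two simultaneous logins never share one), carried in an HttpOnly cookie rather than in the URL, expired after an idle period, and recorded together with the client address on every authenticated request rather than only by the login script, so that a session used from another machine shows up in the login history.  The timeout value, cookie name and log layout are assumptions for the example.

```python
import secrets
import time

# Assumed idle timeout; the advisory only observes "hours, but not a day".
SESSION_TTL_SECONDS = 3600


class SessionStore:
    """Server-side sessions keyed by an unguessable random id carried in a cookie."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self._sessions = {}         # sid -> {"user", "created", "last_seen"}
        self.access_log = []        # (time, user, client_ip, action) for every use

    def login(self, user, client_ip):
        # 256 random bits per login: not derived from the username or the
        # clock, so it cannot be predicted and is never shared between logins.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        self.access_log.append((now, user, client_ip, "login"))
        return sid

    def cookie_header(self, sid):
        # Set-Cookie value: HttpOnly keeps the id away from page scripts, and
        # because the id rides in a cookie instead of the URL it is not written
        # to browser history, caches, proxy logs or the Referer of outbound
        # links. Over HTTPS the Secure attribute would be added as well.
        return f"session={sid}; Path=/; HttpOnly"

    def authenticate(self, sid, client_ip, action="view"):
        """Validate a presented session id; returns the user or None."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.ttl:
            del self._sessions[sid]      # idle too long: gone, not reusable
            return None
        sess["last_seen"] = now
        # Every use of the session is logged with the client address, so a
        # hijacked session is visible in the history instead of invisible.
        self.access_log.append((now, sess["user"], client_ip, action))
        return sess["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def history(self, user):
        """What the account's login-history page would show: every access."""
        return [(ts, ip, action) for ts, u, ip, action in self.access_log if u == user]


if __name__ == "__main__":
    store = SessionStore(ttl=60)
    sid = store.login("sozni", "192.0.2.1")
    print(store.cookie_header(sid))
    store.authenticate(sid, "198.51.100.20")   # a second address using the session
    for entry in store.history("sozni"):
        print(entry)
```

With this layout the login-history page is fed from the same record that every authenticated request appends to, which is the property the advisory found absent: an access that bypasses the login script still appears, with its own address, next to the owner's.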

Wise people learn from the mistakes of others, but when it comes to internet security, we keep seeing the same mistakes being made over and over and over.  As soon as someone comes out with a new internet server daemon, the first thing we do is try to overflow it.  And usually we are successful.  When a new webserver comes out the first thing we do is try to traverse outside the webroot.  And again usually we are successful.  Microsoft has already been through all this stuff with Hotmail, and yet Outblaze is now suffering from the very same problems.  Is it Microsoft's fault for not sharing their wisdom or is it Outblaze's fault for not learning from the mistakes of others? 

Some of you may think that getting into someone's e-mail account is no big deal, but looking at my own inbox I realized that most of the messages I save contain passwords for other systems, confirmations of credit card orders, or registration codes for software I have purchased.  In fact, the only reason I ever save something is that it contains something important.  Needless to say, it was a wake-up call for me that until we make some great progress in internet security, we should consider our Inbox Public_HTML.

The Fix

Really, there is no fix until Outblaze changes its method of authentication.  You can disable JavaScript, which will protect you somewhat, but someone can still easily get access to your account.  You can make sure you don't save sensitive messages on public servers.  Oh, and you could use a text-based web browser to access your account, such as Lynx or even Sam Spade.  Finally, you could unplug your computer and not use the internet at all.

Vulnerable Providers

Here is a partial listing of Outblaze-powered servers; searching for "Powered by Outblaze" on an internet search engine would reveal more:

Amuro.net         joinme.com           startvclub.com
boardermail.com   jpopmail.com         surfy.net
bsdmail.com       keromail.com         taiwan.com
dbzmail.com       kittymail.com        uumedia.com
doramail.com      mailasia.com         uymail.com
fastermail.com    mailpokemon.com      webcity.ca
gigileung.org     marchmail.com        windrivers.net
glay.org          norikomail.com       wongfaye.com
grabmail.com      otakumail.com        yyhmail.com
graffiti.net      outblaze.net         linuxmail.org
gravity.com.au    outblaze.org
hackermail.com    pokemonpost.com
i-p.com           pokepost.com
isleuthmail.com   samilan.net
jaydemail.com     searcheuropemail.com

At this time, Outblaze has been informed of the problem and (I hope) is working to solve it.  It is important to note that Outblaze is not the only company vulnerable to this type of attack.  I have seen hundreds of sites that use similar authentication methods that would be just as vulnerable.

.sozni

sozni@usa.net

Copyright (C)2000 by .sozni, all rights reserved.  Permission is hereby granted to copy or redistribute this advisory unmodified and in its entirety.