=====================================================================
secondmotion-SM-SA-02-02                            Security Advisory
=====================================================================

Topic:         ZoneEdit Account Hijack Vulnerability
Announced:     2002-11-05
Updated:       2002-11-05
Tested on:     http://www.zoneedit.com Accounts
Not affected:
Obsoletes:
http://www.secondmotion.com
=====================================================================

This advisory is based on legitimate use of a ZoneEdit account, during which the vulnerability detailed below was discovered. This document is subject to change without prior notice.

The webmasters of this site were informed of this vulnerability on 05 November 2002. To date, no usable information on protecting against this vulnerability has been received. If anyone reading this is aware of any further information relating to this vulnerability, please contact the authors below or report via BugTraq.

I. Background

While designing a dynamic DNS client to work with ZoneEdit's control panel (to be used with one of our domains to offer the public free dynamic DNS hostnames), we noticed the bug in the eMail forward section of the ZoneEdit control panel.

II. Problem Description

With an account on the ZoneEdit server (which is free), once logged in a user may use the Authorization section of the HTTP header, which grants access to the protected section. A user can issue a malformed command that will edit web/eMail forwards or delete eMail forwards. As this is based upon the ID value in the ZoneEdit database, a user is unable to simply select a domain to edit; the user needs to guess an ID. Whilst this is not as insecure as knowing the ID for a domain, it is still possible to utilise the vulnerability in an arbitrary way.

III. Impact

ZoneEdit hosts the DNS records for a considerable number of domains. If an individual or group were to code an automated tool to modify all ID values in the database, then thousands of websites could be maliciously forwarded elsewhere and eMail could be redirected to an alternative mailbox, which would allow the attacker to read private eMails.

IV. Solution

We cannot be certain of a solution at this time, since we do not have access to the source code of the ZoneEdit control panel. The IP address section of the control panel seems to be protected from the vulnerability, so it is possible the developers have failed to add security to the web forward and eMail forward sections. We strongly recommend the scripts are reviewed ASAP to ascertain why some scripts are protected and some are not. Also, each page should check against the database that the account being used is actually allowed access to the page before any of the page/code is executed.

V. Contact & Credits

matt@secondmotion.com - Matt Thompson [Proof of Concept]
paul@secondmotion.com - Paul Smurthwaite

VI. Source code

Source code has not been published for security reasons, as it is a single-server problem which controls many other web sites' DNS and would result in a mass attack. A Proof of Concept tool can be provided at short notice on request.

=====================================================================
-ends-

Matt Thompson

----
DISCLAIMER & INFORMATION: This e-mail may contain proprietary information, some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail. If you are not the intended recipient you must NOT use, disclose, distribute, copy, print, or rely on this e-mail. Any and all file attachments to this message are scanned at source for viruses.
This organisation has a strict policy on the transmission of viruses and will not accept ANY excuse for the receipt of viruses here; as a result, any message found to contain viruses will be deleted at this mail server WITHOUT being read. Persistent offenders will be banned from sending email to this domain. All messages sent from this domain and its specific accounts are digitally signed using our public PGP keys. This is your guarantee that the email you have received actually originated from our domain. More information on PGP can be found at http://www.pgp.com
----
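The check recommended in Section IV, shown as an added example rather than ZoneEdit's own code: the forward table, account names, IDs and the two handler functions are all assumed for illustration. The first handler trusts any logged-in account to edit whatever ID it submits (the pattern the advisory describes); the second resolves the ID and confirms ownership before any edit code runs.

```python
# Added example: per-record authorization for an ID-keyed edit page.
# The data model and function names are assumptions, not ZoneEdit's code.
from dataclasses import dataclass


@dataclass
class Forward:
    id: int
    owner: str      # account that created this forward
    domain: str
    target: str     # where mail for the domain is delivered


class Store:
    """Constructed in-memory stand-in for the control panel database."""

    def __init__(self):
        self.forwards = {
            101: Forward(101, "alice", "alice.example", "alice@mail.example"),
            102: Forward(102, "bob", "bob.example", "bob@mail.example"),
        }


class Forbidden(Exception):
    """Raised when an account asks for a record it does not own."""


def edit_forward_vulnerable(store, account, forward_id, new_target):
    """Login is checked upstream, but nothing ties the submitted ID to the
    account, so a guessed ID edits someone else's forward."""
    fwd = store.forwards[forward_id]        # no ownership check
    fwd.target = new_target
    return fwd


def edit_forward_fixed(store, account, forward_id, new_target):
    """Resolve the ID, then verify it belongs to the authenticated account
    before touching the record."""
    fwd = store.forwards.get(forward_id)
    if fwd is None or fwd.owner != account:
        # One response for 'missing' and 'not yours', so the error itself
        # does not reveal which IDs exist.
        raise Forbidden("forward not found or not owned by this account")
    fwd.target = new_target
    return fwd
```

In a real deployment the ownership comparison belongs in the database query itself (select by ID and owner together), so that no code path can load a record before the check has run.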