attrition.2000-02-21.bigmailbox

Thu Feb 10 10:57:57 CST 2000

Vendor:   BigMailBox.com
Platform: All

Attrition's Little Errata Report Team
-<) A . L . E . R . T (>-
-----------------------------------------------------------------
This advisory reports a recently-discovered security issue. It may contain
a workaround or information on where to obtain an appropriate patch.
Advisories should be considered urgent, as these notices are written only
when the likelihood of wide impact is determined by the Attrition staff.

An HTML version of this and other advisories can be found at Attrition.Org
at http://www.attrition.org/security/
-----------------------------------------------------------------

BigMailBox.com href tokens leave mailboxes open to control by a malicious
site

AFFECTED SYSTEMS
---------------------------------------------------------------------------
- Users of BigMailBox.com email
- Users of freemail systems run by BigMailBox.com

STATUS
---------------------------------------------------------------------------
BigMailBox.com was notified of the problem on Fri, 11 Feb 2000. After
additional testing and verification, staff of BigMailBox.com patched the
vulnerability on Mon, 14 Feb 2000.

BACKGROUND
---------------------------------------------------------------------------
BigMailBox.com (http://www.bigmailbox.com) offers free Web-based email
services branded with the hosting site's domain name. BigMailBox.com also
offers individual email accounts through the portal site www.gohip.com
(http://www.gohip.com).

We were able to find over 100 domains using BigMailBox.com to host their
email services, including Antionline (http://www.antionline.com), Teen Zone
(http://www.teenzone.com), Anonymous.to (http://www.anonymous.to), CashPile
(http://www.cashpile.com), and TeamsterNet (http://www.teamster.net). As can
be seen from this list, most of these are smaller portal sites using free
email to attract repeat traffic.
BUG REPORT
---------------------------------------------------------------------------
As we browse the web, client programs such as Netscape and Internet Explorer
forward a variable from one web server to another based on hyperlinks. This
variable is called an HREF. It contains the URL of the site that referred
the user to another server. When the web visitor clicks on a hyperlink, the
HREF variable is forwarded to the next server, where it appears in the
access logs.

Looking at a sample entry of an access log:

  your.machine.com - - [10/Feb/2000:22:34:30 -0700] "GET /index.html HTTP/1.0" 200 48797 "http://remote.site.com/" "Mozilla/4.7 [en] (Win98; I)"

This shows that your.machine.com requested the web page "/index.html" on the
server, and that you found this link on a web page hosted on
remote.site.com.

BigMailBox.com uses a session token to manage access to the mail box. This
session token tells the system that a user is logged in and accessing mail.
When the user logs out, the session token is automatically expired, forcing
the user to log in again, which generates a fresh token. Without logging
out, this token defaults to expire one hour after initial login.

Unfortunately, this session token is forwarded to a web site via the HREF
variable if a link is followed from an email message. With this valid
session token, anyone reading these logs can use the information to log
into the BigMailBox.com web email account without authentication.

Several factors contribute to this being a serious problem:

* Many systems keep access logs world readable, so that any system user
  could glean the session key from the logs.

* Because of the standard format of the URL required to access the email,
  it is trivial to construct a valid URL along with a current session token
  allowing a third party to view the mail box.

* BigMailBox.com's web based mail client automatically converts all URLs
  into hotlinks to the site.
* With the knowledge of the above, a third party can send the user mail
  with a specific URL, encouraging them to visit a site where the session
  token could be read.

THE ATTACK
---------------------------------------------------------------------------
1. A potential attacker sends the target a piece of e-mail with a 'bait'
   URL, in hopes of prompting them to follow the link. For example, sending
   mail to victim@antionline.org with a URL for them to visit:

     http://www.myserver.com/visit/me.html

2. BigMailBox receives the e-mail and converts the URL into a clickable
   hotlink. The victim reads the e-mail and follows the link with a single
   click.

3. www.myserver.com records the hit to its access_log, where the attacker
   is waiting. The attacker views the HREF of the entry:

     http://mail12.bigmailbox.com/users/antionlineorg/mail.cgi?act=viewPP=root/&fol=Inbox&mid=s00000006&mn=2&tm=2&st=A&sf=2&un=victim&uid=BVZkfObYaz4BZUXWkxPz2ZAvt

   Using the HREF, the attacker extracts the e-mail account name designated
   by "un=" (UserName). In the example above: victim

   Looking closely at the end of the HREF, the attacker extracts the last
   field designated by "uid=", which is the current session token. In this
   example, the session token is: BVZkfObYaz4BZUXWkxPz2ZAvt

4. Using the two fields, the attacker crafts a new URL:

     http://mail12.bigmailbox.com/users/antionlineorg/go.cgi?act=list&fol=InboxPP=root&un=victim&uid=BVZkfObYaz4BZUXWkxPz2ZAvt

   Putting this into their own browser, they can bypass the login procedure
   and access the web based e-mail account unchallenged.

From this point, the attacker wields full control over the account and may
do a number of things:

* Send mail to anyone as the legitimate user
* Read and manipulate any mail already received
* Change the default timeout from one hour to three hours
* Modify user account information

RECOMMENDED ACTIONS
---------------------------------------------------------------------------
Never click on a URL sent via e-mail to any BigMailBox.com email account.
Instead, cut and paste the URL into your browser to visit the site.

Contact BigMailBox and complain about shoddy and insecure e-mail access.

RANT
---------------------------------------------------------------------------
How many times must the security community point out trivial
vulnerabilities like this? Worse, 'security' and 'privacy' oriented sites
like AntiOnline and Anonymous.to use such insecure third party servers
without testing or auditing them to maintain a reasonable level of
security.

CREDITS
---------------------------------------------------------------------------
ADVISORY:      Authored by Munge and Jericho
VULNERABILITY: Found by Mcintyre

CONTACT INFORMATION
---------------------------------------------------------------------------
Questions regarding this advisory or information regarding new advisories
and potential vulnerabilities should be directed to ALERT using one of the
following methods:

E-Mail: alert@attrition.org
WWW   : http://www.attrition.org/security/attrition.html

The ALERT PGP Public Key (PGP v2.6.2, RSA) is available at:
http://www.attrition.org/security/advisory/attrition/pubkey.txt
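Added example, not part of the original ALERT advisory: a Python scanner for Combined Log Format access logs, the format of the sample entry in BUG REPORT, that flags and redacts entries whose referring URL (what the advisory calls the HREF variable; the HTTP Referer header) carries a webmail session token in a "uid=" parameter, as in step 3 of THE ATTACK. A site operator can run it over their own logs to find token-bearing referrers and strip them before the logs are shared or left world readable. The sample lines, the second hostname's path and the token value are constructed; only the "uid" parameter name comes from the advisory.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that carry a session token. "uid" is the name the
# advisory shows; the set is site-specific (assumption) and can be extended.
TOKEN_PARAMS = {"uid"}

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_token_leak(line):
    """Return (referer_host, param) if the Referer carries a token parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("referer"))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in TOKEN_PARAMS and value:
            return (parts.hostname, key)
    return None


def redact_line(line):
    """Return the log line with every token parameter in the Referer replaced by REDACTED."""
    m = LOG_RE.match(line)
    if not m:
        return line
    parts = urlsplit(m.group("referer"))
    pairs = [(k, "REDACTED" if k in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    clean = urlunsplit(parts._replace(query=urlencode(pairs)))
    return line[:m.start("referer")] + clean + line[m.end("referer"):]


def scan_log(lines):
    """Return (line_number, referer_host, param) for each entry whose Referer leaks a token."""
    findings = []
    for n, line in enumerate(lines, 1):
        leak = find_token_leak(line)
        if leak:
            findings.append((n,) + leak)
    return findings


# Constructed sample log: line 1 is the advisory's benign example, line 2 models a
# hit whose Referer is a webmail URL; EXAMPLETOKEN0123 is a made-up token.
SAMPLE_LOG = [
    'your.machine.com - - [10/Feb/2000:22:34:30 -0700] "GET /index.html HTTP/1.0" 200 48797 "http://remote.site.com/" "Mozilla/4.7 [en] (Win98; I)"',
    'victim.example.net - - [10/Feb/2000:22:35:10 -0700] "GET /visit/me.html HTTP/1.0" 200 512 "http://mail12.bigmailbox.com/users/example/mail.cgi?act=view&fol=Inbox&un=victim&uid=EXAMPLETOKEN0123" "Mozilla/4.7 [en] (Win98; I)"',
]
```

Running scan_log(SAMPLE_LOG) reports only the second line; redact_line leaves benign entries unchanged and rewrites flagged ones so the token never reaches a shared or world-readable copy of the log.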