what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

eng-1199.txt

eng-1199.txt
Posted Nov 29, 1999
Authored by set

English Version - Several members of SET have discovered key flaws in the security of ciudad.com.ar, the incorrect configuration of EdgeMail system, used to offer mail services trough web, appears to be the cause. Ciudad.com.ar is an Argentinian portal offering free webmail accounts as well as chat and ICQ-style messaging, over 150.000 accounts could have been compromised. SET homepage here.

tags | web, magazine
SHA-256 | cfa0c4e9da0da0896be536a05c0db4d707d2497f221da6cd6335b602748cfa9a

eng-1199.txt

Change Mirror Download


SET <set-fw@bigfoot.com>
November 1999 http://www.imedia.es/set/us/eng-1199.txt


---[ CONTENTS ]---

- 01 - Introduction
- 02 - Problems found
- 03 - Q&A
- 04 - Conclusions




- 01 ---------------------- Introduction ------------------------

Several members of SET have discovered key flaws in the security of
ciudad.com.ar, the incorrect configuration of EdgeMail system, used to
offer mail services trough web, appears to be the cause.
Ciudad.com.ar is an Argentinian portal offering free webmail accounts as
well as chat and ICQ-style messaging, over 150.000 accounts could have been
compromised.




- 02 ---------------------- Problems found ----------------------

After finding the host responsible for running the service and storing the
data we learn that anyone could:

#1 Read any mail
#2 Hijack accounts
#3 Access the password file
#4 Get POP accounts settings
#5 Determine active users



[#1] Read any mail

By going to a concrete URL it's possible to read any mail stored in the
server without performing any kind of authentication. We'll learn by example:

http://vulnerablesitein.ciudad.com.ar/edgemail/folders/

Will list directory entries for characters [0-9,a-z], every user's mail is
placed in the directory which matches their first username's character
So imagine we'd like to see the mail from user "nosuchuser", we'll go to:

http://vulnerablesitein.ciudad.com.ar/edgemail/folders/n/

And scroll down until we find entries like:

./n/nosuchuser.InBox 4k
./n/nosuchuser.Sent 3k

Clicking on the link will bring us the usual unix-style plain text file with
all the mail for that folder.



[#2] Hijack accounts

While the first problem 'only' let the attacker to read the mail we found that
it's possible to "take over" any existing account, ciudad.com.ar has a 3-step
process to create a new account, the first step checks for the username desired
and returns an error if already exists, the bug lies in the fact that the
actual Perl script called to create the account DOES NOT check if that username
exist, remember step 1 should have take care of it, so if we go to an URL like:


http://vulnerablesitein.ciudad.com.ar/cgi-bin/creawebmail.pl?user=testuser&
pass=anypassword&srvid=1
[Line wrapped for clarity]

We'll have created a new account bypassing the checks (and the personal info
screens :-) )

We can hijack the webmail of nosuchuser@ciudad.com.ar by giving her username
in the user field, note that all folders are _deleted_ when you proceed this
way.



[#3] Access the password file

Over 150.000 passwords were left open for anyone to see, the problem is bigger
if you consider that:

- Most of these passwords are also used in services like ciudad.com.ar's chat
or instant messaging.
- Prima, the owner or ciudad.com.ar, is a national ISP in Argentina, many users
will no doubt have the same password for dial-up, POP and web-mail accounts,
FTP access and so on...

Once determined that the EdgeMail installation was exploitable it is s simple
as:

http://vulnerablesitein.ciudad.com.ar/edgemail/auth/users

This could have permited potential intruders obtaining free, unlimited access
to unsuspecting users accounts, deleting individual pieces of e-mail, forging
messages..etc.



[#4] Get POP accounts settings

It's nice to check the POP account from the browser, and it's nice to integrate
mail from different accounts into one centralized place, but it isn't nice if
you are exposed to have all you accounts compromised at once. As many systems
do EdgeMail allows to check remote accounts and offers the chance of saving
the settings for future sessions, these settings include POP server, POP
username and POP password. EdgeMail saves this info in a database file under
the /data subdirectory, let's go to:

http://vulnerablesitein.ciudad.com.ar/edgemail/data/pops

It's a safe bet to assume that many of these passwords are the same passwords
used for dial-up access and FTP access opening up new accounts in many
differents ISPs.



[#5] Determine active users

Ever wonder if nosuchuser@ciudad.com.ar is online now?. What IP is her using?.
But you know she didn't wanna tell you so...what can we do?. I think you'd
like the EdgeMail active users feature :-). Just type in your browser:

http://vulnerablesitein.ciudad.com.ar/edgemail/active/

It will show up a listing of all the users currently logged with their IP.
An _example_:


adxxx@200.41.229.xxx:+ 15-Jan-99 22:32 0K
adrxx@200.43.37.xxx:00+ 15-Jan-99 22:14 0K
adrixx_xxxxx@200.16.1+ 15-Jan-99 21:45 0K
adrixxxxxx@200.42.16.+ 15-Jan-99 22:31 0K
adrixxxxxxx@24.232.9.+ 15-Jan-99 22:11 0K
adriaxxxxxxx@168.96.1+ 15-Jan-99 22:55 0K
...................... ............... ..
...................... ............... ..




- 03 ----------------- Q&A: Questions and Answers. ----------------


0x01? I'm a user from ciudad.com.ar, what should I do?

Change your password INMEDIATELY, change all the passwords that could have
been compromised, don't forget to check you're not using the same password to
access other services.
Don't worry about your mail, I know it sounds strange, but the admin of ciudad
has already been informed and he would have corrected all the issues by the
time you read this.

0x02? I'm using EdgeMail in my site, am I at risk?

Sorry we can't tell you, our best bet is that this a specific problem of
ciudad.com.ar configuration and not related to EdgeMail. Try the examples
URLs given above, if they work in your site then you are at risk too!

0x03? I'm using (you name it) web mail account, is it secure?.

No system is secure, bugs come and go, you SHOULDN'T use webmail systems to
store or send sensitive information such as financial records, VISA numbers,
passwords..etc. Sadly most people don't know, don't care and one day they
might find out they have learned the hard way.
We repeat, DON'T USE webmail systems (HotMail, YahooMail..etc) to store
anything you don't like anyone to see.
You also should start considering *encrypting* your messages.




- 04 -------------------- Conclusions ---------------------------


Keep calm, if you have an account in ciudad.com.ar you should know that
it's probably safer than ever :->. Pay attention to the advices given
above, use encryption (don't store the keys in the server!!), try to keep
up to date with security news and relax...la vita e bella.


Links:

http://www.ciudad.com.ar -- Ciudad main site
http://www.set-ezine.org -- SET
http://www.edgemail.com -- Edgemail
http://packetstorm.securify.com/mag/set -- Copies of SET Ezine (spanish only!)

Spanish (espanol) version http://www.imedia.es/set/web/set-1199.txt


Feel free to copy and distribute.

SET (c) 1999 .
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close