lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 26 Dec 2004 18:43:03 +0100 From: Michel Blomgren <michel.blomgren@...erteam.se> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: AOL website redirection scripts allow for abuse tigerteam.se security advisory - TSEAD-200412-1 www.tigerteam.se Advisory: Hole in AOL's redirection scripts allow for abuse. Date: Sat Dec 18 02:29:52 EST 2004 Application: AOL's "redir", "redir.adp", "clickThruRedirect.adp", and "frame.adp" scripts. Vulnerability: Lack of input filtering allows for redirection abuse. Reference: TSEAD-200412-1 Author: Xavier de Leon <xavier@...erteam.se> SYNOPSIS http://www.corp.aol.com/whoweare/mission.shtml VULNERABILITY The scripts in question allow input from external resources without validation or filtering of any sort. Thus allowing spammers, phishers, and other potential attackers a greater deceptive advantage. On another note, it is widely known that AOL utilizes a rating system (throttling) on Instant Messages and e-mails based on content; specifically spam. However, with the domain prefix aol.com|.* in the mix, rating doesn't seem to be quite effective. And that enables spammers and phishers access to spread their content around while bypassing certain throttling rates. COMMENT In an environment where AOL users are being phished constantly via Instant Messenger or e-mail, people are being outwitted into giving up sensitive credentials by clicking on arbitrary links. This is where the stated vulnerabily steps in. Although the redirection attacker host can be seen from the url itself, it can be easily hex'd. Example: http://dynamic.aol.com/cgi/redir?http://%77%77%77%2e%74%69%67%65%72%74%65%61%6d%2e%73%65 (redirects to www.tigerteam.se) [ or http://dynamic.aol.com/cgi/redir?http://tigerteam.se ] >From the example above, one must note that the "http://" protocol text must be included or else the script redirects to "./" (in this case being "/cgi/") Once redirected, the attacker host will be seen on the address bar. DISCOVERY Xavier de Leon <xavier@...erteam.se> While looking randomly through the AOL pages, I spotted a call to the 'redir' script. I entered a bogus url and it redirected without any error messages whatsoever. I searched several search engines (google/vivisimo/yahoo) for pages within AOL which made calls to scripts with 'edir' in their name, and ran into the "clickThruRedirect.adp" and "redir.adp" scripts. It turns out they both had the same problem. Upon such results, I began furthur research into the situation. EXPLOITATION http://dynamic.aol.com/cgi/redir?http://www.attacker.com http://aolsvc.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://content.alerts.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://www.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://sinbad.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://www.shopping.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://ht-brands.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://aolreseau.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://phileas.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://publish.groups.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://shop.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://www.aolatschool.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://webcenter.shop.aol.com/ams/clickThruRedirect.adp?0,0,http://www.attacker.com http://findajob.aol.com/ams/clickThruRedirect.adp?0,0x0,http://attacker.com http://expressions.aol.com/redir.adp?_dci_url=http://www.attacker.com http://www.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://attacker.com http://entertainment.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com http://redirect.aol.ca/cgi/redir-complex?sid=0&url=http://www.attacker.com http://news.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com http://travel.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com http://www.defidumarche.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://shop.aolcanada.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://finance.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com http://women.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com http://www.marketchallenge.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://www.aol.com.ar/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com http://www.aol.com.ar/frame.adp?url=http://www.attacker.com Kudos to the AOL Australia team for using their own redirect script: /cgi-bin/redirector.pl which did a good job only accepting keywords that are internally specified and valued to aol.com.au specific urls. ACKNOWLEDGMENTS I would like to thank the following people in no particular order: Michel + all my brothers in p-e and uDc, you know who you are. ABOUT TIGERTEAM.SE tigerteam.se offers spearhead competence within the areas of vulnerability assessment, penetration testing, security implementation, and advanced ethical hacking training. tigerteam.se consists of Michel Blomgren - company owner (M. Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant. Together we have worked for organizations in over 15 countries. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists