[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BAY10-DAV14C8D4D1AE871B292AB9B4D99A0@phx.gbl>
Date: Mon, 27 Dec 2004 17:35:42 -0800
From: "morning_wood" <se_cur_ity@...mail.com>
To: "Michel Blomgren" <michel.blomgren@...erteam.se>,
<bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: Re: AOL website redirection scripts allow for abuse
i think there is many like this
http://g.msn.com/0AD00014/?http://google.com
http://g.msn.com/0AD00014/?http://example.com
etc etc etc
your examples actually use an on-site URL redir
and i recall some from yahoo as well used extensivly for spam
im quite sure they ( AOL ) knows about this , and is a purpose
built "feature".
my 2 bits,
m.w
----- Original Message -----
From: "Michel Blomgren" <michel.blomgren@...erteam.se>
To: <bugtraq@...urityfocus.com>; <full-disclosure@...ts.netsys.com>
Sent: Sunday, December 26, 2004 9:43 AM
Subject: [Full-Disclosure] AOL website redirection scripts allow for abuse
>
> tigerteam.se security advisory - TSEAD-200412-1
> www.tigerteam.se
>
> Advisory: Hole in AOL's redirection scripts allow for abuse.
> Date: Sat Dec 18 02:29:52 EST 2004
> Application: AOL's "redir", "redir.adp", "clickThruRedirect.adp", and
> "frame.adp" scripts.
> Vulnerability: Lack of input filtering allows for redirection abuse.
> Reference: TSEAD-200412-1
> Author: Xavier de Leon <xavier@...erteam.se>
>
>
> SYNOPSIS
>
> http://www.corp.aol.com/whoweare/mission.shtml
>
>
> VULNERABILITY
>
> The scripts in question allow input from external resources without
> validation or filtering of any sort. Thus allowing spammers, phishers,
and
> other potential attackers a greater deceptive advantage.
>
> On another note, it is widely known that AOL utilizes a rating system
> (throttling) on Instant Messages and e-mails based on content;
specifically
> spam. However, with the domain prefix aol.com|.* in the mix, rating
doesn't
> seem to be quite effective. And that enables spammers and phishers access
to
> spread their content around while bypassing certain throttling rates.
>
>
> COMMENT
>
> In an environment where AOL users are being phished constantly via Instant
> Messenger or e-mail, people are being outwitted into giving up sensitive
> credentials by clicking on arbitrary links. This is where the stated
> vulnerabily steps in.
>
> Although the redirection attacker host can be seen from the url itself, it
can
> be easily hex'd. Example:
>
>
http://dynamic.aol.com/cgi/redir?http://%77%77%77%2e%74%69%67%65%72%74%65%61%6d%2e%73%65
> (redirects to www.tigerteam.se)
>
> [ or http://dynamic.aol.com/cgi/redir?http://tigerteam.se ]
>
> >From the example above, one must note that the "http://" protocol text
must be
> included or else the script redirects to "./" (in this case being "/cgi/")
>
> Once redirected, the attacker host will be seen on the address bar.
>
>
> DISCOVERY
>
> Xavier de Leon <xavier@...erteam.se>
>
> While looking randomly through the AOL pages, I spotted a call to the
'redir'
> script. I entered a bogus url and it redirected without any error
messages
> whatsoever.
>
> I searched several search engines (google/vivisimo/yahoo) for pages within
AOL
> which made calls to scripts with 'edir' in their name, and ran into the
> "clickThruRedirect.adp" and "redir.adp" scripts. It turns out they both
had
> the same problem. Upon such results, I began furthur research into the
> situation.
>
>
> EXPLOITATION
>
> http://dynamic.aol.com/cgi/redir?http://www.attacker.com
>
http://aolsvc.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://content.alerts.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
> http://www.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://sinbad.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://www.shopping.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://ht-brands.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://aolreseau.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://phileas.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://publish.groups.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://shop.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://www.aolatschool.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://webcenter.shop.aol.com/ams/clickThruRedirect.adp?0,0,http://www.attacker.com
>
http://findajob.aol.com/ams/clickThruRedirect.adp?0,0x0,http://attacker.com
> http://expressions.aol.com/redir.adp?_dci_url=http://www.attacker.com
> http://www.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://attacker.com
>
http://entertainment.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
> http://redirect.aol.ca/cgi/redir-complex?sid=0&url=http://www.attacker.com
> http://news.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
> http://travel.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
>
http://www.defidumarche.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://shop.aolcanada.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
> http://finance.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
> http://women.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
>
http://www.marketchallenge.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
>
http://www.aol.com.ar/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
> http://www.aol.com.ar/frame.adp?url=http://www.attacker.com
>
> Kudos to the AOL Australia team for using their own redirect script:
> /cgi-bin/redirector.pl which did a good job only accepting keywords that
are
> internally specified and valued to aol.com.au specific urls.
>
>
> ACKNOWLEDGMENTS
>
> I would like to thank the following people in no particular order:
> Michel + all my brothers in p-e and uDc, you know who you are.
>
>
> ABOUT TIGERTEAM.SE
>
> tigerteam.se offers spearhead competence within the areas of vulnerability
> assessment, penetration testing, security implementation, and advanced
ethical
> hacking training. tigerteam.se consists of Michel Blomgren - company owner
(M.
> Blomgren IT Security) and Xavier de Leon - freelancing IT security
consultant.
> Together we have worked for organizations in over 15 countries.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists