lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <924f292805021805487f268540@mail.gmail.com>
Date: Fri, 18 Feb 2005 08:48:11 -0500
From: Jason Frisvold <xenophage0@...il.com>
To: bugtraq@...urityfocus.com
Subject: BizMail 2.1 Spam Exploit


Greetings all,

Over the course of the last few months I've been the victim of
repeated abuses of a web-based form commonly used for customer
requests.  This form can be downloaded here :
http://www.bizmailform.com

This form allowed a hacker to directly call the cgi, forge a referer
url, and, with carefully crafted data, send spam emails without
notifying the admin of the site.  Below is the email I sent to the
author of Bizmail.  He was intially skeptical, but worked with me and
has released a new version, 2.2, which fixes this exploit.

This is my first bugtraq posting, so if anyone has any suggestions on
how to improve future reports, please feel free to email me off-list. 
Thanks!

----

After setting up additional logging and notifications, I was finally
able to determine how this exploit works.

Through reading the code and some general experimentation I was able
to determine that the only required argument for the script is the
email argument.  A simple multi-line message, beginning with a
newline, can be used to re-write the email headers and send spam to
any destination, regardless of the hard-coded send_to addresses.

Because none of the other optional variables are set, no response
messages are sent.  The only hint that someone has abused the script
is information entered into the datafile, if the datafile is enabled.

I had enabled the okurls feature as well.  This feature ensures that
the referer url matches a list of allowed referer urls. 
Unfortunately, the referer is not something that can be trusted, as
this is sent by the browser.  So, this is very easily fooled.  In
fact, the individual(s) that were abusing the script on our system
reported a User-Agent of "Microsoft URL Control - 6.00.8169", which
appears to be some sort of COM/OLE control which can be programmed to
send a specific referer address.

Without the need for programming your own COM/OLE control, there is a
simple way to test this out.  Place the following into an HTML file :

<HTML>
<HEAD> <TITLE>Exploit Test Page</TITLE> </HEAD>
<BODY>
<form action="http://www.example.com/cgi-bin/bizmail/bizmail.cgi"
method="POST" name="Subscribe">
<TEXTAREA rows="5" name="email"></TEXTAREA>
<INPUT TYPE="submit" VALUE="Submit" class="submit">
</FORM> </BODY> </HTML>

In the textbox that pops up, enter in the following (begin by hitting
enter to insert a blank line)

From:joeblow@...mple.com
To:yourvalidemail@...rdomain.com
Subject:Exploit Test
 
This is a test


Click submit.  You'll receive an email from the bizmail script, but
you won't receive the normal contact email.  You can check the .dat
file and see a copy of what you sent.

I believe there's a simple fix for this.  The variable,
$formdata{'email'}, should be checked for invalid characters, such as
carriage returns and line feeds.  In addition, neither the smtp nor
sendmail module should be called if the $MAIN_mail_send variable is
not set.  A subject should probably be required as well.

As per the suggested guidelines of the securityfocus bugtraq list, I
would like to hear back from you within one week.  In the interest of
security, I will be posting details of this exploit to the bugtraq
list after one week if I have not heard back from you.

-- 
Jason 'XenoPhage' Frisvold
XenoPhage0@...il.com


Powered by blists - more mailing lists