[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] [ADVISORY] Scripting Vulnerabilities in Indian Email Providers Put Millions At Risk

To: full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] [ADVISORY] Scripting Vulnerabilities in Indian Email Providers Put Millions At Risk
From: S G Masood <sgmasood@xxxxxxxxx>
Date: Wed, 22 Dec 2004 21:58:20 -0800 (PST)

See Attached text.




        
                
__________________________________ 
Do you Yahoo!? 
Yahoo! Mail - You care about security. So do we. 
http://promotions.yahoo.com/new_mail


[ADVISORY] Scripting Vulnerabilities in Indian Email Providers Put Millions At 
Risk
-----------------------------------------------------------------------------------




I. ABSTRACT:

The email services of several big Indian portals are susceptible to scripting 
attacks i.e., malicious code can be embedded by attackers into email messages, 
that, when received by unsuspecting users, can cause harmful effects. The 
services are Rediffmail.com, Indiatimes.com, Sify.com. The combined user base 
of these services runs into millions and all of these users are vulnerable. 
I've known about most of these vulnerabilities for years now and I am now 
releasing them because many are being massively exploited in the wild. All 
attempts to contact the vendors were unfruitful.


II. DESCRIPTION AND IMPACT:

It is possible to embed malicious scripts in an ordinary email to users of 
these services because of certain flaws in their anti-scripting filters. Since, 
these filters are not as robust as the filters used by service providers like 
Yahoo and Hotmail, many more flaws, similar to those detailed here, are 
undoubtedly present in these services. Some of the attacks possible through 
exploitation of these flaws -


1. User names and passwords can be stolen. Spoofed login pages are one of the 
many methods to do so.

2. Webpages belonging to the portals can be spoofed, including the shopping 
cart system.

3. Any action that the legitimate user can take can also be taken by the 
malicious code. Cookies can be stolen.

4. Malicious programs can be executed when combined with browser 
vulnerabilities.

5. Force-feeding websites to users. Spammers, phishers and scammers can 
redirect users to their own pages.

6. A malicious worm can be created which can traverse through the entire user 
base and cause destruction.

7. Users can be locked out of their inboxes. 



III. TECHNICAL DETAILS AND PROOFS OF CONCEPT:


i.Rediffmail(http://rediffmail.com):
-------------------------------------


Rediffmail has the most robust security system among all three. However, it is 
still susceptible to several attacks -

First vuln: Using a &#13 character as demonstrated below -

<input 
style=background-image:url(jav&#13;ascript:alert(document.cookie))>Hello!</input>

Second vuln: This service is also susceptible to a script insertion method 
previously found by 
Greymagic(http://www.greymagic.com/security/advisories/gm005-mc/). This method 
uses the HTML+TIME feature of IE. Here is an example(adapted from the Greymagic 
PoC) - 

<?xml:namespace prefix=t ns=urn:schemas-microsoft-com:time />
<?import namespace=t implementation=#default#time2>
<span><t:set attributeName=innerHTML to="Nuttin &lt;script 
defer&gt;alert(&quot;Alert!&quot;)&lt;/script&gt;" /></span>



ii. Indiatimes Mail(http://email.indiatimes.com):
--------------------------------------------------

Indiatimes email does not have a scripting filter in place. This means all HTML 
tags including scripts can be embedded into the email without any security 
obstacles. Example:

<script>
location.replace("http://google.com";)
</script>


iii. Sify Mail(http://mail.sify.com):
--------------------------------------



First Vuln: Server side filtering code removes everything between and including 
the <script> tags in the message body.

A newline character or a space character before the ">" in <script> and 
</script> evades filtering.


<script >
location.href="http://google.com";
</script >


Second Vuln: There is no filtering in the subject line. Html tags can also be 
inserted into the subject line of the mail which are then interpreted by the 
browser. Even <script> can be inserted.


Interesting - Sending "<!--" in a subject line to a user can lock them out of 
their inboxes.



IV. VENDOR STATUS:

Several unsuccessful attempts have been made to contact the vendors. Emails 
alerts did not receive responses.


V. CREDIT:

The vulnerabilities and PoCs have been discovered by 
S.G.Masood(sgmasood@xxxxxxxxx and sgmasood@xxxxxxxxx) from Hyderabad, India.


VI. DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the 
general public about a security issue. Use this information at your own 
discretion.

In brief, the author is not responsible for any use, misuse, abuse of this 
information. Also, this information is provided "as is" without any warranty of 
any kind. 




*PHEW*

EOF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard
Next by Date: [Full-Disclosure] Insecurity in Finnish parlament (computers)
Previous by thread: [Full-Disclosure] STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard
Next by thread: [Full-Disclosure] WPkontakt message parsing error
Index(es):
- Date
- Thread