eNom Domain Registration Services Domain Hijacking Vulnerability

Type: Domain Hijacking

Release Date: January 23, 2002

Summary:

eNom, Inc. is committed to providing excellent Internet domain name services at competitive prices. We are an ICANN accredited registrar. We have been in business for more than three years, specializing in domain name registration and related services.

When you become a member of eNom, you get a user name and a password. With this user name and password you can register domains, transfer domains and change contact information from the panel.

You have two choices when transferring domains with eNom. The first is authorization by fax: the owner of the domain faxes the required information about the new domain owner, and the transfer begins. The second is electronic authorization. The transfer begins with an e-mail sent to the domain owner's e-mail address as listed in the contact information. This mail contains a web address for approval or refusal. When you visit this address you can start the transfer by pressing the "approve" button, or stop it by pressing the "reject" button.

In the mail below, <hostmasterat_private> is the eNom member's mail address, i.e. the address given by the owner of the panel when becoming a member of eNom. The mail sent to the contact person whose domain will be transferred is sent through this mail address, with the person's or firm's name written as the sender. In the mail below the mail address is <hostmasterat_private>, the owner of the panel is <Acme Inc.>, and the domain owner's mail address is <domaincontactat_private>. The mail below is the mail sent after the transfer order.

==========================SNIP==========================
From: Acme Inc. <hostmasterat_private>
To: <domaincontactat_private>
Subject: Domain Transfer Request for EXAMPLE.XXX

Dear Customer,

You are receiving this notice because you are listed as one of the contacts for the domain name EXAMPLE.XXX. We have received a request to transfer this domain name to a new registrar, Acme Inc. Please click on the following URL link and let us know if you approve OR disapprove this domain transfer:

PLEASE NOTE: if the link below is broken you will need to copy and paste everything between < > into your browser

<http://www.transfer-approval.com/universal.asp?id=A000000-7D0A-0F60-9000-14005050B010>

The deadline for responding to this request is: Jan 06, 2002.

Thank you for your time and attention regarding this matter. If you have any questions please reply to this e-mail.

Sincerely,
Acme Inc.
==========================SNIP==========================

Exploitation:

When the domain's owner receives the above mail and approves it, the domain is transferred to the new owner without any further "approval" ("almost like every domain reseller"). Now consider the case where the domain contact's mail address is closed. If the domain contact mail address is closed, the mail is returned by the mail server, and the problem begins here. The mail to the domain's contact address is sent by eNom on behalf of the person who wants to transfer the domain, using <hostmasterat_private> as the sender address. Because eNom sends it with that sender address, if the contact mailbox is closed the mail bounces back to <hostmasterat_private>, and in this bounce you can find the URL sent for refusal or approval. That person can follow the URL, approve the transfer, and the requested domain will be transferred to eNom. Below you can find an example returned mail.

==========================SNIP==========================
From: <MAILER-DAEMONat_private>
To: <hostmasterat_private>

Hi. This is the qmail-send program at mail.acme.xxx.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<domaincontactat_private>:
209.228.xx.xx does not like recipient.
Remote host said: 550 User unknown
Giving up on 209.228.xx.xx.

--- Below this line is a copy of the message.

Return-Path: <hostmasterat_private>
Received: (qmail 24061 invoked from network); 20 Jan 2002 11:16:56 -0000
Received: from unknown (HELO acme) (hostmasterat_private@[217.131.xx.xx]) (envelope-sender <hostmasterat_private>) by 195.244.xx.xx (qmail-ldap-1.03) with SMTP for <domaincontactat_private>; 20 Jan 2002 11:16:56 -0000
Message-ID: <001701c1a1a4$1c209390$0b8883d9@acme>
Reply-To: "Acme Inc." <hostmasterat_private>
From: "Acme Inc." <hostmasterat_private>
To: <domaincontactat_private>
Subject: Domain Transfer Request for EXAMPLE.XXX
Date: Sun, 20 Jan 2002 13:17:55 +0200
Organization: http://www.acme.xxx
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Dear Customer,

You are receiving this notice because you are listed as one of the contacts for the domain name EXAMPLE.XXX. We have received a request to transfer this domain name to a new registrar, Acme Inc. Please click on the following URL link and let us know if you approve OR disapprove this domain transfer:

PLEASE NOTE: if the link below is broken you will need to copy and paste everything between < > into your browser

<http://www.transfer-approval.com/universal.asp?id=A000000-7D0A-0F60-9000-14005050B010>

The deadline for responding to this request is: Jan 06, 2002.

Thank you for your time and attention regarding this matter. If you have any questions please reply to this e-mail.

Sincerely,
Acme Inc.
==========================SNIP==========================

Conclusion:

As I have explained above, any domain whose contact mail address is closed can be transferred through eNom from almost any reseller in this way. You can also send mails with 3 MB attachments to the contact address constantly so that its quota fills up; the mails will then be returned, and you can then ask for a transfer to eNom. When eNom sends a mail to the contact address, it will be returned. In this way any domain can be stolen from its owner.

Policy:

This vulnerability was explained to eNom at the <infoat_private> mail address via e-mail on January 21, 2002. It will not be published before I receive a mail about the correction of this vulnerability. But if I do not get a reply within 4 days, this security notification will be announced without further notice to eNom.

Solution:

eNom fixed this issue on January 21, 2002.

Disclaimer:

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed in this security advisory.

Author:

Tamer Sahin
tsat_private
http://www.securityoffice.net

PGP Key ID: 0x2B5EDCB0
Fingerprint: B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
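The registrar-side fix the advisory calls for, as an added example that is not eNom's code: the approval notice is sent with a registrar-controlled envelope sender so a bounce never lands in the requester's mailbox, and any approval token quoted in a bounce is revoked. The addresses, URL, token format and in-memory store are all hypothetical.

```python
import re
import secrets
from email.message import EmailMessage

# Constructed in-memory store of pending approvals: token -> domain name.
PENDING = {}
# Hypothetical registrar addresses; bounces go here, never to the requester.
BOUNCE_ADDR = "transfer-bounces@registrar.example"
APPROVAL_URL = "https://registrar.example/approve?id="
TOKEN_RE = re.compile(re.escape(APPROVAL_URL) + r"([A-Za-z0-9_-]+)")

def build_transfer_notice(domain, contact_addr, requester_name, requester_addr):
    """Return (envelope_sender, message, token) for an approval notice.

    The weak pattern in the advisory uses the requester's mailbox as the
    envelope sender, so a non-delivery report quoting the approval link goes
    straight to the requester. Here the envelope sender (Return-Path) is a
    registrar mailbox; the requester appears only as Reply-To and in the body.
    """
    token = secrets.token_urlsafe(24)
    PENDING[token] = domain
    msg = EmailMessage()
    msg["From"] = "Registrar Transfers <transfers@registrar.example>"
    msg["Reply-To"] = f"{requester_name} <{requester_addr}>"
    msg["To"] = contact_addr
    msg["Subject"] = f"Domain Transfer Request for {domain}"
    msg.set_content(
        f"A request was received to transfer {domain} to {requester_name}.\n"
        f"Approve or reject the transfer here:\n<{APPROVAL_URL}{token}>\n",
        cte="7bit")  # one short plain line, so a bounce quotes the link verbatim
    return BOUNCE_ADDR, msg, token

def handle_bounce(raw_bounce):
    """Process a non-delivery report delivered to BOUNCE_ADDR.

    Every approval token quoted in the bounced copy is revoked: if the listed
    contact cannot receive the notice, nobody may act on its link, whoever
    ends up holding the bounce. Returns the domains whose transfer was cancelled.
    """
    cancelled = []
    for token in set(TOKEN_RE.findall(raw_bounce)):
        domain = PENDING.pop(token, None)
        if domain is not None:
            cancelled.append(domain)
    return cancelled

def approve(token):
    """Consume a token once; returns the domain if still valid, else None."""
    return PENDING.pop(token, None)
```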