
| Subject: | [Full-Disclosure] AOL website redirection scripts allow for abuse |
|---|---|
| Date: | Sun, 26 Dec 2004 18:43:03 +0100 |
tigerteam.se security advisory - TSEAD-200412-1
www.tigerteam.se
Advisory: Hole in AOL's redirection scripts allows for abuse.
Date: Sat Dec 18 02:29:52 EST 2004
Application: AOL's "redir", "redir.adp", "clickThruRedirect.adp", and
"frame.adp" scripts.
Vulnerability: Lack of input filtering allows for redirection abuse.
Reference: TSEAD-200412-1
Author: Xavier de Leon <xavier@tigerteam.se>
SYNOPSIS
http://www.corp.aol.com/whoweare/mission.shtml
VULNERABILITY
The scripts in question accept input from external sources without
validation or filtering of any sort, giving spammers, phishers, and
other potential attackers a greater deceptive advantage.
On another note, it is widely known that AOL applies a content-based rating
system (throttling) to Instant Messages and e-mails, specifically against
spam. However, with the domain prefix aol.com|.* in the mix, that rating does
not seem to be nearly as effective, which lets spammers and phishers spread
their content while bypassing certain throttling rates.
COMMENT
In an environment where AOL users are constantly phished via Instant
Messenger or e-mail, people are being tricked into giving up sensitive
credentials by clicking on arbitrary links. This is where the stated
vulnerability steps in.
Although the redirection target host can be seen in the URL itself, it can
easily be hex-encoded. Example:
http://dynamic.aol.com/cgi/redir?http://%77%77%77%2e%74%69%67%65%72%74%65%61%6d%2e%73%65
(redirects to www.tigerteam.se)
[ or http://dynamic.aol.com/cgi/redir?http://tigerteam.se ]
From the example above, one must note that the "http://" protocol text must be
included, or else the script redirects to "./" (in this case "/cgi/"). Once
redirected, the attacker host will be seen in the address bar.
DISCOVERY
Xavier de Leon <xavier@tigerteam.se>
While looking randomly through the AOL pages, I spotted a call to the 'redir'
script. I entered a bogus url and it redirected without any error messages
whatsoever. I searched several search engines (google/vivisimo/yahoo) for
pages within AOL which made calls to scripts with 'edir' in their name, and
ran into the "clickThruRedirect.adp" and "redir.adp" scripts. It turns out
they both had the same problem. Upon such results, I began further research
into the situation.
EXPLOITATION
http://dynamic.aol.com/cgi/redir?http://www.attacker.com
http://aolsvc.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://content.alerts.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://www.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://sinbad.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://www.shopping.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://ht-brands.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://aolreseau.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://phileas.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://publish.groups.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://shop.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://www.aolatschool.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://webcenter.shop.aol.com/ams/clickThruRedirect.adp?0,0,http://www.attacker.com
http://findajob.aol.com/ams/clickThruRedirect.adp?0,0x0,http://attacker.com
http://expressions.aol.com/redir.adp?_dci_url=http://www.attacker.com
http://www.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://attacker.com
http://entertainment.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
http://redirect.aol.ca/cgi/redir-complex?sid=0&url=http://www.attacker.com
http://news.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
http://travel.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
http://www.defidumarche.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://shop.aolcanada.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://finance.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
http://women.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com
http://www.marketchallenge.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://www.aol.com.ar/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com
http://www.aol.com.ar/frame.adp?url=http://www.attacker.com
Kudos to the AOL Australia team for using their own redirect script,
/cgi-bin/redirector.pl, which did a good job of only accepting keywords that
are internally specified and mapped to aol.com.au-specific urls.
ACKNOWLEDGMENTS
I would like to thank the following people in no particular order:
Michel + all my brothers in p-e and uDc, you know who you are.
ABOUT TIGERTEAM.SE
tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced ethical
hacking training. tigerteam.se consists of Michel Blomgren - company owner
(M. Blomgren IT Security) and Xavier de Leon - freelancing IT security
consultant. Together we have worked for organizations in over 15 countries.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
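The two defensive patterns the advisory contrasts, an allowlist check on the target host and the keyword-to-URL mapping the AOL Australia redirector.pl used, shown as an added example (editor's code, not AOL's or tigerteam.se's). The allowlist, keyword table and the hypothetical function names are constructed for illustration; the hex-encoded tigerteam.se URL from the advisory is used as one of the inputs.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist for this example; not AOL's real configuration.
ALLOWED_HOSTS = {"www.aol.com", "aol.com", "www.aol.com.au"}

# Keyword table in the style the advisory credits to redirector.pl: the
# client supplies a short key, never a URL. Values are constructed.
KEYWORD_TARGETS = {
    "mail": "https://www.aol.com/mail",
    "help": "https://www.aol.com/help",
}


def normalize(raw: str) -> str:
    """Percent-decode until stable so %2577... cannot hide a host name."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.strip()


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return the target only if it stays on an allowlisted host or is a
    plain local path; anything else (other hosts, hex-encoded hosts,
    scheme-relative //host, user@host tricks, odd schemes) gets default."""
    target = normalize(raw)
    try:
        parts = urlsplit(target)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # No host at all: accept a local path, but not // or /\ prefixes,
        # which browsers treat as a host.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return default
    if parts.scheme not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS or parts.username or parts.password:
        return default
    return target


def keyword_redirect(key: str, default: str = "/") -> str:
    """Keyword-only variant: unknown keys, including full URLs, fall back."""
    return KEYWORD_TARGETS.get(key.lower(), default)
```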