Security, Programming, Pentesting
by averagesecurityguy
This weekend I received a spam message that wanted to sell me tickets to a comedy show in Louisville, KY. This spam message caught my eye because it made it past Google's spam filters and I'm planning to go to Derbycon in Louisville next week. I decided to explore the link in the email a bit and see what I could find.
The original link sent in the email was this.
http://www.emergingcomics.com/special.php?j=eyJ1IjoiRDk1QUI0RUQzODAzRjVBOTU3NDJDQzE5NEUzQzEzOTIiLCJpIjoiQU1BWk9OJTIwU0VTIiwiciI6ImciLCJ0IjoiYUp0Zml0aEhRUHRzUXV0YXRFeHNvSkZ1eEZEb2h5ZyIsImwiOiJodHRwJTNBJTJGJTJGJTIwZ29vLmdsJTJGQTdYT0pIIiwidiI6IjguNjkuMC4xNjEifQ==&r=0.720967122353613
The first thing I noticed was the base64 encoded data in the "j" parameter. I decoded the data and got the following JSON object.
{"u":"D95AB4ED3803F5A95742CC194E3C1392","i":"AMAZON%20SES","r":"g","t":"aJtfithHQPtsQutatExsoJFuxFDohyg","l":"http%3A%2F%2F%20goo.gl%2FA7XOJH","v":"8.69.0.161"}
Looking at the "l" key in the JSON object, I decided the special.php page was probably a redirect script, so I opened the link using curl -I to get the headers.
HTTP/1.1 302 Moved Temporarily
Date: Mon, 22 Sep 2014 17:37:27 GMT
Server: Apache mod_fcgid/2.3.10-dev
X-Powered-By: PHP/5.4.31
Location: http://atmst.net/utr64.php?j=eyJ1IjoiRDk1QUI0RUQzODAzRjVBOTU3NDJDQzE5NEUzQzEzOTIiLCJpIjoiQU1BWk9OJTIwU0VTIiwiciI6ImciLCJ0IjoiYUp0Zml0aEhRUHRzUXV0YXRFeHNvSkZ1eEZEb2h5ZyIsImwiOiJodHRwJTNBJTJGJTJGJTIwZ29vLmdsJTJGQTdYT0pIIiwidiI6IjguNjkuMC4xNjEifQ%3D%3D
Content-Type: text/html
Sure enough, the special.php page gave me a 302 response and sent me to atmst.net/utr64.php. I also noticed that the base64 data in the "j" parameter was passed on to this new page, but URL encoded.
I again used curl -I to get the page at atmst.net, assuming it was a redirect script as well.
HTTP/1.1 302 Found
Server: nginx/1.0.4
Date: Mon, 22 Sep 2014 17:39:29 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.17
Location: http:// goo.gl/A7XOJH
Cache-Control: max-age=259200
Expires: Thu, 25 Sep 2014 17:39:29 GMT
Once again, I've been redirected, this time to the URL referenced in the "l" key of the base64 encoded JSON object.
After doing a bit of research on atmst.net I found that it is used by AtomPark Software as part of its Atomic Email Tracker software. I'm not sure what all of the keys in the JSON object represent, but based on the information here, hxxp://www.massmailsoftware.com/tracker/integration.htm, the "u" key is most likely the MD5 hash of the email address of the user account.
I decided to play around with the parameters a bit and see if all of the parameters were required for the redirect to be successful.
With the exception of the "l" key, I replaced all of the values in the JSON object with the letter "a". For the "l" key I changed the URL to http%3A%2F%2F%20arbitrary.test, so that my JSON object now looked like this.
{"u":"a","i":"a","r":"g","t":"a","l":"http%3A%2F%2F%20arbitrary.test","v":"a"}
I then base64 encoded the JSON object and once again used curl -I to see what would happen.
curl -I http://atmst.net/utr64.php?j=eyJ1IjoiYSIsImkiOiJhIiwiciI6ImciLCJ0IjoiYSIsImwiOiJodHRwJTNBJTJGJTJGJTIwYXJiaXRyYXJ5LnRlc3QiLCJ2IjoiYSJ9
HTTP/1.1 302 Found
Server: nginx/1.0.4
Date: Mon, 22 Sep 2014 17:45:49 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.17
Location: http:// arbitrary.test
Cache-Control: max-age=259200
Expires: Thu, 25 Sep 2014 17:45:49 GMT
This time I was redirected to the URL I chose, but I did not have to provide a valid user id. This shows the atmst.net server is an open redirect. Further testing showed that only the "r" and "l" keys were required in the JSON object and that it was not necessary to URL encode the target URL.
So if we base64 encode the following JSON object and pass it as the "j" parameter to atmst.net/utr64.php, we will be redirected to google.com.
{"r":"g","l":"http://google.com"}
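As an added example (my own code, not the post's or AtomPark's), a small Python triage helper that decodes the tracker's "j" parameter and reports the embedded destination without following any redirect, next to the host allowlist check that an endpoint like utr64.php would need in order not to be an open redirect. SAMPLE_LINK is the modified link from the post; the function names are my own.

```python
import base64
import json
from typing import Optional, Set
from urllib.parse import parse_qs, quote, unquote, urlparse


def decode_tracker_param(j: str) -> dict:
    """Decode the tracker's 'j' query parameter: base64 around a JSON object.
    Padding is restored in case a mail client or proxy trimmed the '='."""
    j = j.strip()
    j += "=" * (-len(j) % 4)
    return json.loads(base64.b64decode(j).decode("utf-8"))


def encode_tracker_param(payload: dict) -> str:
    """Inverse of decode_tracker_param (used to build links to inspect);
    percent-encodes the result so '+', '/' and '=' survive the query string."""
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def destination_from_link(url: str) -> Optional[str]:
    """Work out where a tracker link will finally send the browser, without
    issuing any request. Returns None if the link carries no 'l' key."""
    j_values = parse_qs(urlparse(url).query).get("j")
    if not j_values:
        return None
    target = decode_tracker_param(j_values[0]).get("l")
    if target is None:
        return None
    # utr64.php URL-decodes the value before putting it in Location:, which
    # is why "%20goo.gl" came back as "http:// goo.gl/..." in the post.
    return unquote(target)


def is_allowed_destination(dest: str, allowed_hosts: Set[str]) -> bool:
    """The check utr64.php lacks: only redirect to http(s) URLs whose host the
    operator has registered; anything else is refused instead of followed."""
    parsed = urlparse(dest)
    if parsed.scheme not in ("http", "https"):
        return False
    return (parsed.hostname or "").lower() in allowed_hosts


# The modified link from the post: every key except "l" replaced with "a".
SAMPLE_LINK = (
    "http://atmst.net/utr64.php?j=eyJ1IjoiYSIsImkiOiJhIiwiciI6ImciLCJ0IjoiYSIs"
    "ImwiOiJodHRwJTNBJTJGJTJGJTIwYXJiaXRyYXJ5LnRlc3QiLCJ2IjoiYSJ9"
)
```

destination_from_link(SAMPLE_LINK) returns the destination the post observed, leading space included, and is_allowed_destination on it with a {"goo.gl"} allowlist returns False, which is the behaviour the redirect script should have had.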
Further research found two other domains run by the same company that are also vulnerable to the open redirect.
atrstat.com
etrstat.com
atmst[1-5].net