Godaddy Web Service Covert Redirect Security Bugs Based on Google.com
(1) Domain:
godaddy.com
"GoDaddy is a publicly traded Internet domain registrar and web hosting company. As of 2014, GoDaddy was said to have had more than 59 million domain names under management, making it the world's largest ICANN-accredited registrar. It serves more than 12 million customers and employs more than 4,000 people. The company is known for its celebrity spokespeople, Super Bowl ads and as being an online provider for small businesses. In addition to a postseason college football bowl game, it sponsors NASCAR. It has been involved in several controversies related to security and privacy. In addition to domain registration and hosting, GoDaddy also sells e-business related software and services." (Wikipedia)
(2) Vulnerability Description:
Godaddy web application has a computer security problem. Hacker can exploit it by Covert Redirect cyber attacks.
The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04),Apple Safari 6.1.6 of Mac OS X Lion 10.7.
The vulnerability occurs at "redirect.aspx?" page with "&target" parameter, i.e.
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com
(2.1) When a user is redirected from Godaddy to another site, Godaddy will check whether the redirected URL belongs to domains Godaddy's whitelist, e.g.
google.com
apple.com
If this is true, the redirection will be allowed.
However, if the URLs in a redirected domain have open URL redirection vulnerabilities themselves, a user could be redirected from Godaddy to a vulnerable URL in that domain first and later be redirected from this vulnerable site to a malicious site. This is as if being redirected from Godaddy directly.
One of the vulnerable domain is,
google.com
(2.2) Use one of webpages for the following tests. The webpage address is "http://diebiyi.com/articles/". Can suppose that this webpage is malicious.
Vulnerable URL:
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.godaddy.com
POC:
http://img.godaddy.com/redirect.aspx?ci=1161&target=https%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fservice%3Dwise%26continue%3Dhttp%253A%252F%252Fgoogleads.g.doubleclick.net%252Faclk%253Fsa%253DL%2526ai%253DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%2526num%253D0%2526sig%253DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%2526client%253Dca-pub-0466582109566532%2526adurl%253Dhttp%253A%252F%252Fwww.tetraph.com%252Fcontact.html
POC Video:
https://www.youtube.com/watch?v=gS4n825Yx28
Blog Detail:
http://tetraph.blogspot.com/2014/05/godaddy-covert-redirect-vulnerability.html
(3) What is Covert Redirect?
Covert Redirect is a class of security bugs disclosed in May 2014. It is an application that takes a parameter and redirects a user to the parameter value without sufficient validation. This often makes use of Open Redirect and XSS (Cross-site Scripting) vulnerabilities in third-party applications.
Covert Redirect is also related to single sign-on, such as OAuth and OpenID. Hacker may use it to steal users' sensitive information. Almost all
OAuth 2.0 and OpenID providers worldwide are affected. Covert Redirect
can work together with CSRF (Cross-site Request Forgery) as well.
Discover and Reporter:
Jing
Wang, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University
(NTU), Singapore. (@justqdjing)
Related Articles:
http://tetraph.com/security/covert-redirect/godaddy-covert-redirect-vulnerability-based-on-google/
https://twitter.com/tetraphibious/status/559167679353720834
http://tetraph.blog.163.com/blog/static/234603051201444111919171/
http://whitehatpost.lofter.com/post/1cc773c8_706b6bf
http://japanbroad.blogspot.jp/
http://securitypost.tumblr.com/post/119439859067/itinfotech-id-oauth
https://infoswift.wordpress.
http://germancast.blogspot.de/
http://www.inzeed.com/kaleidoscope/covert-redirect/godaddy-covert-redirect-vulnerability-based-on-google/
https://mathfas.wordpress.com/
No comments:
Post a Comment