Bugtraq mailing list archives
Re: Anyone can take over virtually any domain on the net...
From: Ryan.Russell () SYBASE COM (Ryan Russell)
Date: Thu, 13 Jan 2000 11:22:20 -0800
Step 1: Send a spoofed email to Network Solutions requesting a DNS change to your own DNS server.
Step 2: Wait for a short while (the amount of time it normally takes Network Solutions to send out a confirmation email request).
Step 3: Send a second spoofed email confirming the request.

<snip>

Doesn't take too much rocket science to point out that other than the obvious flaws in insecure email, the fact that confirmations to make domain changes do not carry any sort of tracking number make it possible for spoofed email to confirm illegitimate requests. I think it might be appropriate for Network Solutions to add at least THAT much reliability into their confirmation scheme so that that kind of change couldn't occur in the future...

Every time I've requested a change, the confirmation comes back with a bracketed request number in the header, which consists of a date and a number. For example, last time I changed sybase.com, this was the title:

[NIC-990901.4013] Modify Registration SYBASE.COM

I've always assumed that this number was required, and constitutes the "tracking number" you mention. Admittedly, I haven't tried otherwise. I will say that I have noticed that these numbers used to be fairly sequential... I've done several changes in a row before. This is the same problem as TCP sequence prediction, only easier.

So, if you've found some new wrinkle, I'm not seeing it in your e-mail... has something changed at NSI? Also, of course, if your mail can be stolen or sniffed, this is trivial.

On the same topic... many other NICs are not quite as careful... I've taken over various sybase.xx domains that my employees had registered, using dumb e-mail addresses that don't exist anymore. Often, this only took one e-mail, and I think many registrars took my request on faith because it came from a sybase.com address, and because I'm the contact on the main sybase.com domain.

Ryan
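
An added example, not part of the original post and not Network Solutions' actual system: a registrar-side confirmation check in which the bracketed request number may stay sequential because the reply must also carry an unpredictable, single-use token. The names `ConfirmationStore`, `open_request`, `confirm` and `MAX_FAILURES` are hypothetical, and the token is assumed to be mailed only to the contact on file.

```python
import hmac
import re
import secrets

# Bracketed request number in the style quoted in the post: [NIC-990901.4013]
REQUEST_RE = re.compile(r"\[(NIC-\d{6}\.\d+)\]")
MAX_FAILURES = 3  # hypothetical policy: void the request after repeated bad tokens


class ConfirmationStore:
    """Hypothetical registrar-side store of pending change requests."""

    def __init__(self):
        self._pending = {}  # request number -> [domain, token, failures]

    def open_request(self, request_id, domain):
        # The request number may be sequential; the token is what must not be.
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self._pending[request_id] = [domain.upper(), token, 0]
        return token  # mailed only to the contact on file

    def confirm(self, subject, token):
        match = REQUEST_RE.search(subject)
        entry = self._pending.get(match.group(1)) if match else None
        if entry is None:
            return False
        # Constant-time comparison; knowing the request number alone is not enough.
        if not hmac.compare_digest(entry[1].encode(), token.encode()):
            entry[2] += 1
            if entry[2] >= MAX_FAILURES:
                del self._pending[match.group(1)]  # void after too many bad tokens
            return False
        del self._pending[match.group(1)]  # single use: a replayed reply fails
        return True


if __name__ == "__main__":
    store = ConfirmationStore()
    subject = "[NIC-990901.4013] Modify Registration SYBASE.COM"  # title from the post
    token = store.open_request("NIC-990901.4013", "sybase.com")
    print(store.confirm(subject, "not-the-token"))  # request number alone
    print(store.confirm(subject, token))            # genuine reply
    print(store.confirm(subject, token))            # replay of the same reply
```

A token of this kind addresses only the predictable-number case; it gives no protection when the contact's mail can be stolen or sniffed.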