Bugtraq mailing list archives

Re: Anyone can take over virtually any domain on the net...


From: Ryan.Russell () SYBASE COM (Ryan Russell)
Date: Thu, 13 Jan 2000 11:22:20 -0800


Step 1: Send a spoofed email to Network Solutions requesting
       a DNS change to your own DNS server.

Step 2: Wait for a short while (the amount of time it normally
       takes Network Solutions to send out a confirmation
       email request)

Step 3: Send a second spoofed email confirming the request.

<snip>

Doesn't take too much rocket science to point out that other
than the obvious flaws in insecure email, the fact that
confirmations to make domain changes do not carry any
sort of tracking number make it possible for spoofed email
to confirm illegitimate requests.  I think it might be
appropriate for Network Solutions to add at least THAT
much reliability into their confirmation scheme so that
that kind of change couldn't occur in the future...

Every time I've requested a change, the confirmation comes
back with a bracketed request number in the header, which
consists of a date and a number.  For example, last time I changed
sybase.com, this was the title:

[NIC-990901.4013] Modify Registration SYBASE.COM

I've always assumed that this number was required, and
constitutes the "tracking number" you mention.  Admittedly,
I haven't tried otherwise.

I will say that I have noticed that these numbers used to be
fairly sequential... I've done several changes in a row before.
This is the same problem as TCP sequence prediction, only
easier.

So, if you've found some new wrinkle, I'm not seeing it in
your e-mail... has something changed at NSI?

Also, of course, if your mail can be stolen or sniffed, this
is trivial.

On the same topic... many other NICs are not quite as careful...
I've taken over various sybase.xx domains that my employees
had registered, using dumb e-mail addresses that don't exist
anymore.  Often, this only took one e-mail, and I think many
registrars took my request on faith because it came from
a sybase.com address, and because I'm the contact on the
main sybase.com domain.

                         Ryan
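
The date-plus-counter request numbers described above, next to an unguessable confirmation token, as an added example that is not part of the original message and not NSI's actual system. The class names, `example.com`, and the token design (random, single-use, expiring, bound to domain and action) are assumptions.

```python
import hmac
import secrets
import time

class SequentialTracker:
    """Weak scheme as the post describes it: a date plus a running counter."""
    def __init__(self, date="990901", start=4013):
        self.date, self.counter = date, start

    def issue(self):
        tag = f"NIC-{self.date}.{self.counter}"
        self.counter += 1
        return tag

def next_is_predictable(tracker):
    """True if the id after an observed one is simply the observed counter + 1."""
    prefix, n = tracker.issue().rsplit(".", 1)
    return tracker.issue() == f"{prefix}.{int(n) + 1}"

class TokenConfirmations:
    """Hardened scheme (assumed design): the confirmation must echo a random token."""
    def __init__(self, ttl=3600):
        self.ttl, self.pending = ttl, {}

    def issue(self, domain, action, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
        self.pending[(domain.lower(), action)] = (token, now + self.ttl)
        return token

    def confirm(self, domain, action, token, now=None):
        now = time.time() if now is None else now
        key = (domain.lower(), action)
        entry = self.pending.get(key)
        if entry is None:
            return False            # no such request outstanding
        expected, expires = entry
        if now > expires:
            del self.pending[key]   # stale request, drop it
            return False
        # Constant-time compare; encode() so non-ASCII input cannot raise.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        del self.pending[key]       # single use: a replayed confirmation fails
        return True
```

A token like this only removes the guessing problem; it does nothing if the confirmation mail itself can be read in transit, which is the separate point the message makes about stolen or sniffed mail.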

