Re: Anyone can take over virtually any domain on the net...

[bmueller () CREOTECH COM (Brian Mueller)]

Just some FYI,

The ID number that network solutions uses in it's submission forms is used
ONLY if you

A)  Have a problem and need to contact them via email about a specific
transfer, etc.
b)  You have a problem and need to call them personally.

What I mean is the contact number is used ONLY to lookup instances in their
database (i.e. it's an ID number assiciated with an event) it is not used in
any way for validation purposes, it never was used for validation purposes,
and in its current form it never should be used for validation purposes.

On another note, isn't it about time to kill this thread?  What more can be
said (other than examples?)

Brian

*************************************************
Brian Mueller
President/CEO
CreoTech
"We are the future"
www.creotech.com
bmueller () creotech com
513.722.8645
*************************************************
----- Original Message -----
From: <BUGTRAQ () ROZZ COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, January 14, 2000 10:26 AM
Subject: Re: Anyone can take over virtually any domain on the net...

> I didn't think you could spoof a domain registration change so easily;
> looking at this post: "http://www.sans.org/y2k/123199-1305.htm";, It
> says:
>
> "This is the Domain Name Registration Agreement you recently created. In
> order to complete this modification,
>     YOU MUST E-MAIL THIS FORM TO: hostmaster () networksolutions com
> After you e-mail this form, you should receive an auto-reply with a
> tracking number. You must use that number in the Subject of any future
> messages you send regarding this registration action. Once this
> registration action is completed you will receive a notification via
> e-mail."
>
> This confims what I always thought; that there was a unique number in
> the response that was needed for the ACK. You know- it is similar to
> when you subscribe to an email mailing list and they request an ACK and
> the ACK has to have a unique number in it. Those email messages you get
> from Network Solutions have a funny number in the subject line- I
> thought it was used as follows:
>
> For a domain alteration, I thought it was that
> 1) Hostmaster/Domain owner sends Change Request -->
> 2) NSolutions gets Change Request <--
> 3) NSolutions sends Ack Request w/ unique confimation number -->
> 4) Hostmaster gets Ack Request w/ unique confimation number <--
> 5) Hostmaster must send Ack Reply w/ unique confimation number -->
> 6) NSolutions gets Ack Reply, and checks that the unique identifier to
> confirm it was a true response to the Ack Request. <--
>
> I didn't think that the change would go through unless the Ack Reply had
> that unique number.
>
> Now, that being said, I always had in my mind a way to do the spoof
> anyway, because the numbers in the Internic email messages always looked
> like they were generated with the time/date and some sequential number,
> and there didn't seem to be anything random in them.
>
> So I'll mention how I figured you could go a step further to engineer a
> working spoof.
>
> 1) Start with two or three domains that you have ownership of,
> MyOne.com, MyTwo.COM and MyThree.COM, TakeOver.com (TakeOver.com is the
> domain you want to capture DNS of)
>
> 2) Send an update for the domains in this order:
>  MyOne.COM
>  MyTwo.COM
>  TakeOver.COM <--the one you want to alter.
>  MyThree.COM
>
> 3) I figured that if you send the updates at a low traffic time (5AM?)
> and send them immediately after one another...
>
> 4) You will get ACK requests for the ones that belong to you. The change
> request for TakeOver.COM didn't come to you, but I figured that you
> could look at the # in the header of your three and interpolate the
> needed value for the ACK to change TakeOver.COM
>
> But if the number doesn't really matter, then I guess I was thinking too
> hard...
>
> I thought this up a few years ago, but never had the time to give it a
> try.
>
> -Rozz
>
> > -----Original Message-----
> > From: Jonah Benton [mailto:Jonah () mamamedia com]
> > Sent: Thursday, January 13, 2000 3:50 PM
> > To: Adrian Goins; 'rosner () rozz com'
> > Subject: FW: Anyone can take over virtually any domain on the net...
> >
> >
> >
> > Either of you hear about this? I thought there were tracking
> > numbers in that
> > email dialogue...
> >
> > -----Original Message-----
> > From: Thomas Reinke [mailto:reinke () E-SOFTINC COM]
> > Sent: Wednesday, January 12, 2000 12:27 AM
> > To: BUGTRAQ () SECURITYFOCUS COM
> > Subject: Anyone can take over virtually any domain on the net...
> >
> >
> > Wired recently ran an article on the fact that someone
> > recently hijacked a number of domains in the Network
> > Solutions database using email spoofing.
> >
> > At first I thought this had to be a joke. After thinking
> > about it, I realized that its no joke at all, and in
> > fact quite easy to do.
> >
> > Step 1: Send a spoofed email to Network solutions requesting
> >         a DNS change to your own DNS server.
> >
> > Step 2: Wait for a short while (the amount of time it normally
> >         takes Network Solutions to send out a confirmation
> >         email request)
> >
> > Step 3: Send a second spoofed email confirming the request.
> >
> > Step 4: Have your DNS server serve the new web server address
> >         from a new webserver with your own content.
> >
> > Network Solutions rep quoted in the wired article:
> >
> >      "O'Shaughnessy pointed out that Network
> >       Solutions offers more secure services.
> >       Most accounts will not need the extra
> >       security he said, but in the age of
> >       e-commerce and more vital Web services,
> >       the onus is on the registrant to see that
> >       his domain is secure."
> >
> > Doesn't take too much rocket science to point out that other
> > than the obvious flaws in insecure email, the fact that
> > confirmations to make domain changes do not carry any
> > sort of tracking number make it possible for spoofed email
> > to confirm illegitimate requests.  I think it might be
> > appropriate for Network Solutions to add at least THAT
> > much reliability into their confirmation scheme so that
> > that kind of change couldn't occur in the future...
> >
> > BTW, Network Solution's instructions on changing the
> > scheme to a userid and password based system doesn't
> > work very well. We've attempted on several occasions
> > to do this with no luck...thereby forcing on us the guardian
> > scheme :(
> >
> > Cheers, Thomas
> > --
> > ------------------------------------------------------------
> > Thomas Reinke                            Tel: (905) 331-2260
> > Director of Technology                   Fax: (905) 331-2504
> > E-Soft Inc.                         http://www.e-softinc.com