Vulnerability Development mailing list archives

eNom Domain Registration Services Domain Hijacking Vulnerability


From: "Tamer Sahin" <ts () securityoffice net>
Date: Mon, 28 Jan 2002 18:14:36 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

eNom Domain Registration Services Domain Hijacking Vulnerability

Type:

Domain Hijacking

Release Date:

January 23, 2002

Summary:

eNom, Inc. is committed to providing excellent Internet domain name
services at competitive prices. We are an ICANN accredited registrar.
We have been in business for more than three years, specializing in
domain name registration and related services.

When you become a member of eNom, you get a user name and a password.
With this user name and password you can register domains, transfer
domains, and change contact information from the panel. You have two
choices when transferring domains with eNom. The first is
authorization by fax: the owner of the domain faxes the required
information about the new domain owner, and the transfer begins. The
second is electronic authorization: the transfer begins with an e-mail
sent to the domain owner's e-mail address taken from the contact
information. This mail contains a web address for approval or
refusal. When you open this site you may start the transfer by
pressing either the "approve" or the "reject" button. In the mail
below, <hostmaster () acme xxx> is the eNom member's mail address,
the address given by the owner of the panel when becoming a member of
eNom. The mail sent to the contact person of the domain to be
transferred is sent through this mail address, and the person's or
firm's title is written on it. In the mail below the address is
<hostmaster () acme xxx>, the title of the owner of the panel is
<Acme Inc.>, and the mail address of the domain's owner is
<domaincontact () example xxx>. The mail below is the one sent after
the transfer is ordered.

==========================SNIP==========================
From: Acme Inc. <hostmaster () acme xxx>
To: <domaincontact () example xxx>
Subject: Domain Transfer Request for EXAMPLE.XXX

Dear Customer,

You are receiving this notice because you are listed as one of the
contacts for the
domain name EXAMPLE.XXX.

We have received a request to transfer this domain name to a new
registrar, Acme Inc.
Please click on the following URL link and let us know if you approve
OR disapprove this domain transfer:

PLEASE NOTE: if the link below is broken you will need to copy and
paste everything between < > into your browser

<http://www.transfer-approval.com/universal.asp?id=A000000-7D0A-0F60-9
000-14005050B010>

The deadline for responding to this request is: Jan 06, 2002.

Thank you for your time and attention regarding this matter.
If you have any questions please reply to this e-mail.

Sincerely,
Acme Inc.
==========================SNIP==========================

Exploitation:

When the domain owner receives the above mail and approves it, the
domain is transferred to the new owner "almost like with every domain
reseller", without any further "approval". Now consider the case where
the domain contact's mail address is closed. If the contact mailbox is
closed, the mail is returned by the mail server, and that is where the
problem begins. The mail that eNom sends to the domain's contact
address on behalf of the person who wants to transfer the domain goes
out through <hostmaster () acme xxx>; because eNom sends it with that
address as sender, if the contact mailbox is closed it is returned to
<hostmaster () acme xxx>, and in that returned mail you can find the
URL sent for refusal or approval. That person can follow the URL,
approve the transfer, and the requested domain will be transferred to
eNom. Below you can find an example of a returned mail.

==========================SNIP==========================
From: <MAILER-DAEMON () mail acme xxx>
To: <hostmaster () acme xxx>

Hi. This is the qmail-send program at mail.acme.xxx.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<domaincontact () example xxx>:
209.228.xx.xx does not like recipient.
Remote host said: 550 User unknown
Giving up on 209.228.xx.xx.

--- Below this line is a copy of the message.

Return-Path: <hostmaster () acme xxx>
Received: (qmail 24061 invoked from network); 20 Jan 2002 11:16:56 -0000
Received: from unknown (HELO acme)
(hostmaster () acme xxx@[217.131.xx.xx]) (envelope-sender
<hostmaster () acme xxx>)
          by 195.244.xx.xx (qmail-ldap-1.03) with SMTP
          for <domaincontact () example xxx>; 20 Jan 2002 11:16:56 -0000
Message-ID: <001701c1a1a4$1c209390$0b8883d9@acme>
Reply-To: "Acme Inc." <hostmaster () acme xxx>
From: "Acme Inc." <hostmaster () acme xxx>
To: <domaincontact () example xxx>
Subject: Domain Transfer Request for EXAMPLE.XXX
Date: Sun, 20 Jan 2002 13:17:55 +0200
Organization: http://www.acme.xxx
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

Dear Customer,

You are receiving this notice because you are listed as one of the
contacts for the
domain name EXAMPLE.XXX.

We have received a request to transfer this domain name to a new
registrar, Acme Inc.
Please click on the following URL link and let us know if you approve
OR disapprove this domain transfer:

PLEASE NOTE: if the link below is broken you will need to copy and
paste everything between < > into your browser

<http://www.transfer-approval.com/universal.asp?id=A000000-7D0A-0F60-9
000-14005050B010>

The deadline for responding to this request is: Jan 06, 2002.

Thank you for your time and attention regarding this matter.
If you have any questions please reply to this e-mail.

Sincerely,
Acme Inc.
==========================SNIP==========================

Conclusion:

As I have explained above, any domain whose contact mail address is
closed can be transferred through eNom from almost any reseller in
this way. Also, mails with 3 MB files can be sent to the domain's
contact address constantly so that the quota fills up, which causes
the mails to be returned; then a transfer to eNom can be requested,
and when eNom sends a mail to the contact address it will be returned.
In this way any domain can be stolen from its owner.
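The weakness described in the Exploitation and Conclusion sections is that the approval link travels in a mail whose envelope sender is the requester's own address, so any non-delivery report hands the link back to the requester, and the link is approvable by whoever holds it. The Python model below is an added example written for this page, not eNom's or any registrar's code; the addresses, approval URL, token and bounce text are constructed placeholders modelled on the mails quoted above. It contrasts the weak layout (the bounce returns to the reseller) with a hardened one in which the registrar owns the envelope sender, receives its own bounces and freezes the token, so the transfer must be authorized out of band (for instance by fax, the other method the advisory mentions).

```python
import re
from email.message import EmailMessage
from typing import Dict, Optional, Tuple

# All names below are constructed for this example; none are eNom's real
# addresses, URLs or tokens.
APPROVAL_URL = "https://transfer.example/approve"   # assumed registrar approval page
REGISTRAR_BOUNCE = "bounces@registrar.example"      # assumed registrar-owned bounce address
TOKEN_RE = re.compile(r"approve\?id=([A-Za-z0-9-]+)")


class TransferService:
    """Toy registrar: issues approval links and processes its own bounces.

    bind_envelope_to_registrar=False reproduces the advisory: the requesting
    reseller's address is the envelope sender (Return-Path), so the
    non-delivery report, link included, goes back to the reseller.
    """

    def __init__(self, bind_envelope_to_registrar: bool):
        self.safe = bind_envelope_to_registrar
        self.pending: Dict[str, dict] = {}   # token -> transfer record

    def request_transfer(self, requester: str, contact: str, domain: str,
                         token: str) -> Tuple[str, EmailMessage]:
        """Return (envelope_sender, message) for the approval notice."""
        self.pending[token] = {"domain": domain, "contact": contact,
                               "state": "awaiting_contact"}
        msg = EmailMessage()
        msg["From"] = requester   # the visible From header may still name the reseller
        msg["To"] = contact
        msg["Subject"] = f"Domain Transfer Request for {domain}"
        msg.set_content(
            "Please let us know if you approve or reject this transfer:\n"
            f"<{APPROVAL_URL}?id={token}>\n")
        envelope_sender = REGISTRAR_BOUNCE if self.safe else requester
        return envelope_sender, msg

    def handle_bounce(self, bounce_text: str) -> Optional[str]:
        """Registrar-side bounce handler: a notice that never reached the
        contact must not leave the link approvable by whoever holds it."""
        m = TOKEN_RE.search(bounce_text)
        if not m or m.group(1) not in self.pending:
            return None
        self.pending[m.group(1)]["state"] = "needs_out_of_band_authorization"
        return m.group(1)

    def approve(self, token: str) -> bool:
        """Anyone presenting a live token can approve; that is the weak point."""
        rec = self.pending.get(token)
        if rec is None or rec["state"] != "awaiting_contact":
            return False
        rec["state"] = "approved"
        return True


def deliver(envelope_sender: str, msg: EmailMessage,
            mailbox_exists: bool) -> Optional[Tuple[str, str]]:
    """Model of the receiving MTA: an unknown mailbox yields a qmail-style
    non-delivery report, with a copy of the original, to the envelope sender."""
    if mailbox_exists:
        return None
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@mail.example"   # constructed
    bounce["To"] = envelope_sender
    bounce.set_content(
        "Remote host said: 550 User unknown\n\n"
        "--- Below this line is a copy of the message.\n\n" + msg.as_string())
    return envelope_sender, bounce.as_string()


def run_scenario(safe: bool) -> dict:
    """Contact mailbox is closed. Report where the bounce went, whether it
    carried the approval link, and whether that link still approves."""
    svc = TransferService(bind_envelope_to_registrar=safe)
    token = "A000000-0000-0000-0000-000000000000"   # constructed placeholder
    env_sender, msg = svc.request_transfer(
        requester="hostmaster@acme.example",
        contact="domaincontact@example.example",
        domain="EXAMPLE.EXAMPLE", token=token)
    bounce_to, bounce_text = deliver(env_sender, msg, mailbox_exists=False)
    if bounce_to == REGISTRAR_BOUNCE:
        svc.handle_bounce(bounce_text)   # the registrar sees its own bounce
    link = TOKEN_RE.search(bounce_text)
    return {
        "bounce_to": bounce_to,
        "link_in_bounce": link is not None and link.group(1) == token,
        "link_still_approves": svc.approve(token),
    }


if __name__ == "__main__":
    print("weak :", run_scenario(safe=False))
    print("fixed:", run_scenario(safe=True))
```

In both runs the bounce carries the link, because a non-delivery report by design quotes the original message; the difference is who receives it and whether the registrar gets a chance to react. Owning the envelope sender is what makes the bounce handler possible, and freezing the token on bounce removes the incentive to make the contact mailbox bounce in the first place.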

Policy:

This vulnerability was reported to eNom at the <info () enom com> mail
address via e-mail on January 21, 2002. It won't be published to the
public before I receive a mail about correcting this vulnerability.
But if I don't get a reply within 4 days, this security notification
will be announced without any information to eNom.

Solution:

eNom fixed this issue on January 21, 2002.

Disclaimer:

http://www.securityoffice.net is not responsible for the misuse or
illegal use of any of the information and/or the software listed on
this security advisory.

Author:

Tamer Sahin
ts () securityoffice net
http://www.securityoffice.net

Tamer Sahin
http://www.securityoffice.net
PGP Key ID: 0x2B5EDCB0 Fingerprint:
B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPFV467uLpFMrXtywEQL/zgCfW8jnECf4ZHUwv82ci/BjvFLEbkUAoKeZ
IFTlQ3h7pT698Gb1JAouMBJP
=kzSY
-----END PGP SIGNATURE-----