True, if the domain is using MAIL-TO verification. But if the domain is
password protected, then even changing the reply-to won't work because you
still need to provide the password.
The hole is that you submit the request from a *different* email address,
then NSI just prompts the registrant to confirm the request, *without*
the password protection. It's a backdoor.
-k
On Fri, Jun 02, 2000 at 10:45:17AM -0700, Jason Tarrant wrote:
> It's actually even easier than that. All you have to do is change the reply-to
> address in your e-mail program to pretend you are the admin contact for
> the registration. As long as the e-mail address is still valid, or has a
> valid nameserver record that can be verified by your outbound mail server,
> and as long as you have the template and tracking numbers correct it can be
> done.
>
> I have had certain other domain hosts who shall remain nameless, here in
> the Pacific Northwest do that to transfers away from us, and without the
> customer knowing, and voila, I get the nasty phone call Monday morning
> wondering why their domain/e-mail is down due to dns changes we had no idea
> were taking place.
>
> NSI makes the INS and the IRS look like efficient, friendly, customer
> service driven agencies.
>
> Long Live Open SRS, and slow, painful, bankrupt death to NSI :)
>
> Jason Tarrant
> Domain Administrator
> InternetCDS
> 1-800-943-4638 xtn. 2330
> 541-773-9600 xtn 2330
> www.internetcds.com
>
>
> At 11:25 AM 6/2/00 -0600, you wrote:
> >Even using the password facility at NSI is no guarantee.
> >
> >We recently ran into a situation where a domain had been registered by
> >a previous employee. He used the password option instead of MAIL-TO,
> >which was good. But he left the company, and nobody had the password.
> >(yes, bad on our part) Contacting the individual was out, because he had
> >left on somewhat less than ideal terms.
> >
> >Trying to resolve it through the infernal machine that is NSI was futile.
> >So I stumbled onto what I consider a major security hole in the NSI
> >system, although I was glad for it at the time. I sent a modify template
> >to NSI from my email account. Because it wasn't coming from the admin's
> >email account (our previous employee), I got a message back from NSI
> >saying that because I wasn't the admin contact, they were going to email
> >the admin contact for approval. Sure enough, the old employee's account
> >received an email template from NSI, and all I had to do was submit that
> >template from his account with a 'Y' in the proper field.
> >
> >No password necessary.
> >
> >Now granted, you need access to the admin contact's email account to
> >do this, and my use of this hole was completely legitimate, but there
> >are any number of ways to gain access to the admin contact's account.
> >A lot of people are using free email accounts as their contact. Simply
> >wait for the next Hotmail exploit to come out (which may take as long
> >as a week), then hijack away.
> >
> >BTW, I've reported this hole to NSI, and received nothing back. They
> >may know about it, they may not. This was several months ago, so I
> >don't feel bad about publicizing the exploit.
> >
> >-k
> >
> >On Fri, Jun 02, 2000 at 10:52:01AM +0300, Doytchin Spiridonov wrote:
> > > Huh the problem is not so much with NSI but with the owners.
> > >
> > > Personally I think the owner is responsible if he set up MAIL-FROM
> > > authentication because he is too lazy to read one or two pages with
> > > explanations.
> > >
> > > And the problem is even bigger - personally I found an absolutely
> > > different vulnerability, and after I sent an e-mail
> > > to the owner of a domain name that his name could be hijacked
> > > very easily - I didn't get any response - so the owners also don't care.
> > >
> > > Well I hope others will not find the hole I am talking about,
> > > just because the vulnerable service provider couldn't fix it.
> > >
> > > That's why I am laughing every time such a thing happens and
> > > how people then give interviews, etc. about how things
> > > are not secure - but the owners should care more for the
> > > stuff they "own".
> > >
> > > (BTW I had ICQ UIN 53000000 and it was hijacked, too,
> > > and it was my fault - and the fault is that I am not familiar
> > > with the Windows OS. When a domain name is hijacked
> > > in most cases it is the owner's fault, too. And UIN 5300000
> > > is for sale now and I can't do anything because ICQ's
> > > responsiveness is worse than that of NSI :)
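The confirmation fallback the thread describes, modelled as an added example that is not code from the thread, from NSI, or from any registrar: a small authorizer for modify templates under the two contact-authentication schemes named above (MAIL-FROM, and the password scheme, which I call "CRYPT-PW" here as an assumed name). The vulnerable version sends a non-contact submitter down a "mail the admin contact for a Y/N confirmation" path that never checks the password; the fixed version gates every path on the password for password-protected domains. The domain, contact and request objects are constructed sample data.

```python
"""Model of a registrar change-request authorizer (added example, not registrar code).

Shows why an "ask the admin contact to confirm" fallback that skips the password
check defeats password protection: anyone who can read the admin contact's mailbox
can approve the change, which is exactly the failure mode described in the thread.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Domain:
    name: str
    admin_email: str
    auth_scheme: str                   # "MAIL-FROM" or "CRYPT-PW" (assumed scheme names)
    password: Optional[str] = None     # only meaningful for CRYPT-PW


@dataclass
class ModifyRequest:
    domain: str
    from_email: str                    # sender address as seen by the registrar
    password: Optional[str] = None     # password supplied in the template, if any


def authorize_vulnerable(domain: Domain, req: ModifyRequest, admin_confirmed: bool) -> bool:
    """Vulnerable logic: the password is checked only when the sender *is* the
    admin contact. A request from any other address triggers a confirmation
    template to the admin contact, and a 'Y' reply is accepted as-is."""
    if req.from_email == domain.admin_email:
        if domain.auth_scheme == "CRYPT-PW":
            return req.password == domain.password
        return True                    # MAIL-FROM: sender address alone decides
    # Sender is not the admin contact: fall back to confirmation, password skipped.
    return admin_confirmed


def authorize_fixed(domain: Domain, req: ModifyRequest, admin_confirmed: bool) -> bool:
    """Fixed logic: for CRYPT-PW domains the password gates every path, including
    the confirmation fallback, so mailbox access alone is not enough."""
    if domain.auth_scheme == "CRYPT-PW" and req.password != domain.password:
        return False
    if req.from_email == domain.admin_email:
        return True
    return admin_confirmed


# --- constructed sample data (not real domains, addresses or passwords) ---
PW_DOMAIN = Domain("example.test", "admin@example.test", "CRYPT-PW", password="s3cret")
MAILFROM_DOMAIN = Domain("other.test", "admin@other.test", "MAIL-FROM")

# Outsider submits a template with no password; the admin mailbox then replies 'Y'.
OUTSIDER_REQ = ModifyRequest("example.test", "someone@elsewhere.test")
# Legitimate holder submits from the admin address with the right password.
HOLDER_REQ = ModifyRequest("example.test", "admin@example.test", password="s3cret")
# Forged sender address against a MAIL-FROM domain (the scheme checks nothing else).
FORGED_REQ = ModifyRequest("other.test", "admin@other.test")


def scenario() -> dict:
    """Outcomes for the thread's cases under both versions of the logic."""
    return {
        "outsider_plus_mailbox_confirm_vulnerable": authorize_vulnerable(PW_DOMAIN, OUTSIDER_REQ, True),
        "outsider_plus_mailbox_confirm_fixed": authorize_fixed(PW_DOMAIN, OUTSIDER_REQ, True),
        "holder_with_password_fixed": authorize_fixed(PW_DOMAIN, HOLDER_REQ, False),
        "forged_sender_mailfrom_fixed": authorize_fixed(MAILFROM_DOMAIN, FORGED_REQ, False),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'ALLOWED' if allowed else 'denied'}")
```

The last case shows that the fix only helps domains that chose the password scheme: under MAIL-FROM the sender address is the whole check, so a forged reply-to address passes regardless, which is the point Jason makes above. The design lesson is that a fallback path must enforce at least the same factor as the primary path; otherwise the weakest path sets the real security level.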
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:37 EDT