Type
Domain Hijacking
Release Date
January 23, 2002
Summary
eNom, Inc. is committed to providing excellent Internet domain name services at competitive prices. We are an ICANN accredited registrar. We have been in business for more than three years, specializing in domain name registration and related services.
When you become a member of eNom, you get a user name and a password. With this user name and password you can register domains, transfer domains and change contact information from the panel. You have two choices when transferring domains with eNom. The first is authorization by fax: the owner of the domain faxes the required information about the new domain owner, and the transfer begins. The second is electronic authorization: the transfer begins with an e-mail sent to the domain owner's e-mail address taken from the contact information. This mail contains a web address for approving or refusing the transfer. When you open this site you can start the transfer by pressing either the "approve" or the "reject" button.
In the mail below, <hostmaster@acme.xxx> is the eNom member's mail address, the address given by the owner of the panel when becoming a member of eNom. The mail sent to the contact person whose domain is to be transferred is sent from this address, and the person's or company's name is written as the sender. In the mail below the address is <hostmaster@acme.xxx>, the panel owner's name is <Acme Inc.>, and the domain owner's mail address is <domaincontact@example.xxx>. The mail below is the one sent after the transfer order is placed.
===============SNIP===============
From: Acme Inc. <hostmaster@acme.xxx>
To: <domaincontact@example.xxx>
Subject: Domain Transfer Request for EXAMPLE.XXX
Dear Customer,
You are receiving this notice because your are listed as one of the contacts
for the
domain name EXAMPLE.XXX.
We have received a request to transfer this domain name to a new registrar,
Acme Inc.
Please click on the following URL link and let us know if you approve
OR disapprove this domain transfer:
PLEASE NOTE: if the link below is broken you will need to copy and paste everything between < > into your browser
<http://www.transfer-approval.com/universal.asp?id=A000000-7D0A-0F60-9000-14005050B010>
The deadline for responding to this request is: Jan 06, 2002.
Thank you for your time and attention regarding this matter.
If you have any questions please reply to this e-mail.
Sincerely,
Acme Inc.
===============SNIP===============
Exploitation
When the domain's owner receives the above mail and approves it, the domain is transferred to the new owner without any further "approval", as with almost every domain reseller. Now consider the case where the domain's contact mail address is closed. If the domain contact mail is closed, the mail is returned by the mail server, and this is where the problem begins. The mail that eNom sends to the domain's contact address on behalf of the person who wants to transfer the domain is sent from <hostmaster@acme.xxx>; because eNom sends it with that sender address, if the contact mailbox is closed the mail bounces back to <hostmaster@acme.xxx>, and in that bounce you can find the URL sent for refusal or approval. That person can follow the URL and approve the transfer, and the requested domain will be transferred to eNom. Below you can find an example returned mail.
===============SNIP===============
From: <MAILER-DAEMON@mail.acme.xxx>
To: <hostmaster@acme.xxx>
Hi. This is the qmail-send program at mail.acme.xxx.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<domaincontact@example.xxx>:
209.228.xx.xx does not like recipient.
Remote host said: 550 User unknown
Giving up on 209.228.xx.xx.
--- Below this line is a copy of the message.
Return-Path: <hostmaster@acme.xxx>
Received: (qmail 24061 invoked from network); 20 Jan 2002 11:16:56 -0000
Received: from unknown (HELO acme) (hostmaster@acme.xxx@[217.131.xx.xx])
(envelope-sender <hostmaster@acme.xxx>)
by 195.244.xx.xx (qmail-ldap-1.03) with SMTP
for <domaincontact@example.xxx>; 20 Jan 2002 11:16:56 -0000
Message-ID: <001701c1a1a4$1c209390$0b8883d9@acme>
Reply-To: "Acme Inc." <hostmaster@acme.xxx>
From: "Acme Inc." <hostmaster@acme.xxx>
To: <domaincontact@example.xxx>
Subject: Domain Transfer Request for EXAMPLE.XXX
Date: Sun, 20 Jan 2002 13:17:55 +0200
Organization: http://www.acme.xxx
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Dear Customer,
You are receiving this notice because you are listed as one of the contacts
for the
domain name EXAMPLE.XXX.
We have received a request to transfer this domain name to a new registrar,
Acme Inc.
Please click on the following URL link and let us know if you approve
OR disapprove this domain transfer:
PLEASE NOTE: if the link below is broken you will need to copy and paste everything between < > into your browser
<http://www.transfer-approval.com/universal.asp?id=A000000-7D0A-0F60-9000-14005050B010>
The deadline for responding to this request is: Jan 06, 2002.
Thank you for your time and attention regarding this matter.
If you have any questions please reply to this e-mail.
Sincerely,
Acme Inc.
===============SNIP===============
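The bounce path described above and one way to close it, as an added toy model that is neither eNom's code nor the advisory author's: a mail system that returns undeliverable mail, with a copy of the body, to the envelope sender, and a registrar whose vulnerable flow uses the requesting member's address as envelope sender versus a hardened flow that routes bounces to a registrar-owned address and revokes any approval token a bounce echoes back. The bounce address, the token-revocation step and the mailbox names are assumptions.

```python
import re
APPROVAL_RE = re.compile(r"universal\.asp\?id=([A-Z0-9-]+)")  # URL shape from the advisory's mail
BOUNCE_ADDR = "bounces@registrar.example"  # assumed registrar-owned envelope sender (hardened flow)

class MailSystem:
    """Toy MTA: mail to an unknown user bounces, with a copy of the body, to the envelope sender."""
    def __init__(self, existing_users):
        self.inbox = {u: [] for u in existing_users}

    def send(self, envelope_from, rcpt, body):
        if rcpt in self.inbox:
            self.inbox[rcpt].append(body)
        elif envelope_from in self.inbox:  # "550 User unknown": the DSN goes to the envelope sender
            self.inbox[envelope_from].append(
                f"<{rcpt}>: 550 User unknown\n--- Below this line is a copy of the message.\n{body}")

class Registrar:
    """Toy registrar (assumption, not eNom's code) issuing one-click transfer approval links."""
    def __init__(self, mail, hardened):
        self.mail, self.hardened, self.pending = mail, hardened, {}

    def request_transfer(self, requester, contact, domain, token):
        self.pending[token] = contact
        body = (f"Domain Transfer Request for {domain}\n"
                f"<http://www.transfer-approval.com/universal.asp?id={token}>")
        # Vulnerable flow: the requester is the envelope sender, so a bounce hands it the link.
        # Hardened flow: bounces go to a registrar-owned address and any token they echo is revoked.
        self.mail.send(BOUNCE_ADDR if self.hardened else requester, contact, body)
        if self.hardened:
            for dsn in self.mail.inbox[BOUNCE_ADDR]:
                for tok in APPROVAL_RE.findall(dsn):
                    self.pending.pop(tok, None)
            self.mail.inbox[BOUNCE_ADDR].clear()

    def approve(self, token):
        """True if the token was still pending, i.e. the transfer goes through."""
        return self.pending.pop(token, None) is not None

def simulate(hardened, contact_mailbox_exists):
    """Returns (tokens that reached the requester, whether any is still approvable,
    whether the real contact received the link)."""
    requester, contact = "hostmaster@acme.xxx", "domaincontact@example.xxx"
    users = [requester, BOUNCE_ADDR] + ([contact] if contact_mailbox_exists else [])
    mail = MailSystem(users)
    reg = Registrar(mail, hardened)
    reg.request_transfer(requester, contact, "EXAMPLE.XXX", "A000000-7D0A-0F60-9000-14005050B010")
    echoed = [t for m in mail.inbox[requester] for t in APPROVAL_RE.findall(m)]
    contact_got_link = any(APPROVAL_RE.search(m) for m in mail.inbox.get(contact, []))
    return echoed, any(t in reg.pending for t in echoed), contact_got_link
```

With a closed contact mailbox the vulnerable flow returns the live token to the requester, while the hardened flow returns nothing and the token is no longer approvable; a legitimate contact still receives and can use the link in both flows.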
Conclusion
As I have explained above, any domain whose contact mail address is closed can be transferred through eNom from almost any reseller in this way. Also, you can constantly send mails with 3 MB files to the domain contact so that the quota fills up, causing mails to be returned, and then request the transfer to eNom; when eNom sends its mail to the contact address, it will bounce. In this way any domain can be stolen from its owner.
Policy
This vulnerability was reported to eNom at the <info@enom.com> mail address via e-mail on January 21, 2002. It will not be published before I receive a mail about the vulnerability being corrected. But if I don't get a reply within 4 days, this security notification will be announced without further information to eNom.
Solution
eNom fixed this issue January 21, 2002.
Disclaimer
http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.
Author
Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net