Cached Page Email Exploit: A case study
David Teisseire, CISSP
In Australia: Copyright (c) David Teisseire 2005-2008
In the United Kingdom: The right of David Teisseire, CISSP to be identified as the Author of the Work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.
18th March 2005
Version 1.0.4
Page 1 of 8
Background

It seemed simple enough. The brief was to organise an email account on the mail server of a community organisation. The organisation in question had provided, up until late 2002, free email services to people using the organisation's services. By early 2003, all external email offerings had been removed and only the key players in the organisation still had valid email accounts on their email server. I considered that the brief would fail and the matter would be closed within the hour.

The Approach

The initial approach consisted of sniffing through the website and another site associated with the parent organisation, colocated on the same server. Having verified that new email account facilities were not available for either site, I viewed the HTML source of a number of pages from both sites. Apart from the usual identification of the code cutter or site administrator, there was one page that had a contact name, address and phone number commented out. Was this a case of sloppy coding, or was the code cutter unaware of the implication? If the code cutter had commented out sections of the HTML rather than deleting them, was it possible that there might also be references to the email registration page on one of the visible pages? The idea here was to deep link to the registration page from the commented-out section of the code. I could not readily see, in the pages that I reviewed, any reference to the email registration page; it seems the cutter wasn't so sloppy after all.

My next move was to "google" the site with the 'link:' option to display sites that had links to either the parent organisation or the site under review. In this instance both sites' links were evaluated. A manageable number of links was identified for both sites. A methodical search of these links to the targets was conducted, in an attempt to locate either a link to, or information about, the email registration process. No such link or information was found.
At this point I was prepared to close the brief and write up the findings. It appeared that a casual Internet user could not set up an email account with the organisation without performing some sort of overt attack against the mail server, and that scenario was outside the brief for the project. I took time out to have a coffee before writing the report.

During this break I redefined what I was trying to achieve in this investigation. There were two distinct investigative issues.

Firstly, there was the question as to whether it was possible to create an email account on a mail server that was supposedly closed to new members. Certainly there would be provision for the sysadmin to create, modify and delete accounts, but that was probably behind an administrator password. The fact that the email server was not owned and operated by either the target organisation or the parent body suggested a possible avenue of creating an email account on the physical email server under another domain name and working from there. This option defeated the object of the brief and was abandoned.

The second issue revolved around the actual web pages for the site and their availability for deep linking. I could try guessing the name of the HTML page that contained the registration form, but the thought of looking at page after page of "page not found" 404 errors seemed less and less appealing the longer I thought about it. Was there some way to identify the name of the page? Logically the page existed at some time in 2002. Almost certainly every web spider would have visited the pages since that time, and thus even the local cache of the page would be of a more current version. The problem then became far more focussed: was there a cached copy of the pages somewhere? Visiting the wayback machine at www.archive.org, I was able to input the web address of the site under review, as shown in figure 1.
figure 1 (image not reproduced: the web address of the site under review entered into the wayback machine)

The search of the wayback machine displayed a number of web page images from the period under review, as shown in figure 2 below.

figure 2 (image not reproduced: the archived copies of the site returned by the wayback machine)
I was then able to view any page from those returned by the wayback machine. Of interest were those pages that had an * appended after the spidered date. These indicated when the site was updated. The exercise then became one of viewing the copies of the web page and finding one that still had the email creation facility available.

Initially I considered that I would have to extract the email registration address from the HTML code of the imaged page, but on further consideration I realised that the wayback machine would not have changed the address of the cached pages. This contrasts with locally run applications such as httrack, which are capable of imaging a web site locally. Httrack and its like change the absolute address of the pages to a relative local one. Investigating a number of other imaged pages on the wayback machine further, it became apparent that a fundamental loophole may exist where a site used absolute references in its HREF statements. In the case of the site under consideration, although there was a BASE HREF, which was localised for the wayback machine, page references for some of the links were absolute and were not converted.
Further impacting this situation was the fact that the web site under consideration was both active and, more significantly, still had absolute web pages remaining from 2002. The implication here is clear: all unused pages should be removed from the structure regardless. The ability to deep link to an unused web page should be checked whenever the site is updated. I was able to load the imaged page from the wayback machine site and then, following the email registration link contained on that imaged page, proceed to secure a valid email account specifically associated with the briefing organisation. In this way the brief was proved, somewhat surprisingly, in the affirmative.

Potential exploits

The establishment of a valid email account as detailed above poses a number of possible risks to both the organisation under consideration and the Internet community at large. Firstly, there is potential to impersonate a pre-existing account holder. This may be accomplished either by choosing a similar name or by the use of control and/or alt characters in the name string. It is noted, however, that many email service providers either restrict or do not recognise these non-printing codes.

Increasingly, content providers, both free and fee based, are requiring a valid email address. Often they specify that free email accounts of the hotmail, gmail and yahoo type are not acceptable. Persons wishing to subscribe to content will often be reluctant to provide details of their primary email account; those with less than ethical motives even more so. This form of exploit would allow them not only to set up the email account but also to access it through the same imaged page. This accessibility aspect would allow the exploiter to respond to any verification email or to obtain an access password from the site. An exploiter could continue to access the organisation's email system via the wayback machine (as in this case) or from a locally saved copy of the access web page.
In this regard, even the recommendation of having the imaged copies removed from the wayback machine may not in itself remove the threat of email account exploitation.

Possible legal considerations

From a legal and ethical perspective, this case poses a number of difficult questions. Take the mere existence of a web page that is accessible via a deep link or through a cached archive: although it is unethical, I doubt whether a legal proceeding could be substantiated. There must surely be a question of due diligence on the part of the administrator to take all reasonable precautions to prevent inadvertent access to specific pages of the site. A case could be made that the imaged pages on the wayback machine were confirming the offering of free email services, at least at some point in time. At issue here is whether the organisation ever actually rescinded the offer of free email services. The removal of the signup link may not, in some jurisdictions, constitute valid notification of the removal of the specific service.

A review of the home and subsequent pages of the mail service provider for the organisation revealed that one of their services is to provide hosting for organisations to allow individuals to sign up for email under the organisation's domain name. In this light it would seem, at present at least, that the email service provider has not advised any change in policy that would impact the organisation's right or ability to continue to offer the free email services. Is there then a case to answer in regard to an attempt to steal from or defraud either the organisation concerned or the email service provider? Since the organisation is paying for the provision of free (as in free to the end user) email, one could justify the position that one cannot steal or misappropriate something that is freely given away to all who register for the free service. The absence of a specific time frame for which the offer applied also reinforces this stance. Could or should an individual be expected to know that the offer of free email services has been rescinded for a specific site hosted by the email service provider?
The matter then hinges on the issue of the pathway by which the email services were obtained, that is, via a currently unpublicised link in the target web site. A further issue arises in that a defendant (should the matter come to trial) could claim that the link was an old bookmark that had not been updated or deleted, so once again the burden must substantially go back to the target's administrator. A defendant in this matter could claim that there was no indication anywhere on the site that free email services were no longer available. The defendant could further claim that they were not advised and acted on the assumption that those services were freely available to anybody. Looking at the target web site, there is certainly no indication that those services are no longer permitted. The mere absence of a visible link to sign up for or use free email could be interpreted in a number of ways, not all of which suggest a subversive motive.

Conclusion and recommendations

This brief started out quite simply: to prove or disprove whether it was possible to obtain free email services previously offered on a site but no longer actively promoted. In the end it has raised a number of issues and potential vulnerabilities that go far beyond the brief's seemingly simple answer. Insofar as this matter is concerned, I have, in addition to answering the brief, provided a number of recommendations to the site owners as stipulated below:

1. The current home page should specify that free email services are no longer provided to the general Internet-using public.
2. All active pages should provide an active link to a page where the withdrawal of the service and its date of implementation are specified. Something in the order of a link titled 'important email notice' or similar.
3. The responsible officer within either the parent organisation or its subsidiary should, as a matter of urgency, delete all non-active pages from the third party server/s.
4. The responsible officer specified above should familiarise him/herself with the material imaged at http://archive.org as it relates to those sites under their care.
5. The responsible officer should periodically check sites directly linking to the domains under their care.
6. The responsible officer should periodically check, via major or industry/country/special interest search engines, the number and details of returned hits using the domain name or organisation name or any of its subsidiaries.
7. In extreme cases the responsible officer should contact the maintainers of the wayback machine and arrange to have the site removed from the archive as detailed at http://www.archive.org/about/faqs.php, which states amongst other matters:

How can I remove my site's pages from the Wayback Machine?
The Internet Archive is not interested in preserving or offering access to Web sites or other Internet documents of persons who do not want their materials in the collection. By placing a simple robots.txt file on your Web server, you can exclude your site from being crawled as well as exclude any historical pages from the Wayback Machine. Internet Archive uses the exclusion policy intended for use by both academic and non-academic digital repositories and archivists. See our exclusion policy. You can find exclusion directions at exclude.php. If you cannot place the robots.txt file, opt not to, or have further questions, email us.
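As an added example (not part of the original case study), here are offline versions of two checks the findings above call for: the loophole described under The Approach, where links in an archived copy still point at the live host because they were absolute HREFs, and recommendation 3, finding pages that are still deployed but that no chain of links from the live home page reaches. The hostname, archived HTML and site map are constructed sample data; a real run would feed in the archive's HTML and the server's actual page list.

```python
import re
from urllib.parse import urljoin, urlparse

# Sufficient for the sample markup below; a real run would use a proper HTML parser.
HREF = re.compile(r'<a\s[^>]*?href\s*=\s*"([^"]*)"', re.IGNORECASE)

def hrefs_in(html):
    return HREF.findall(html)

def unrewritten_live_links(archived_html, live_host):
    """Links in an archived copy that still point at the live host: a viewer who
    follows one reaches the live server, not the archived page."""
    return [h for h in hrefs_in(archived_html)
            if urlparse(h).netloc.lower() == live_host.lower()]

def local_path(href, current, live_host):
    """Site-relative path for an href found on page `current`, or None if off-site."""
    u = urlparse(href)
    if u.netloc and u.netloc.lower() != live_host.lower():
        return None
    return (u.path if u.netloc else urljoin(current, u.path)).lstrip("/")

def orphan_pages(site, live_host, home="index.html"):
    """site maps each deployed path to its HTML. Returns deployed pages that no
    chain of links from the home page reaches: candidates for deletion."""
    seen, todo = set(), [home]
    while todo:
        page = todo.pop()
        if page in seen or page not in site:
            continue
        seen.add(page)
        for h in hrefs_in(site[page]):
            target = local_path(h, page, live_host)
            if target is not None:
                todo.append(target)
    return sorted(set(site) - seen)

# Constructed sample data, not the real site: the archive rewrote the <base> but the
# signup link stayed absolute; on the live site the signup page is deployed but unlinked.
LIVE_HOST = "www.example-org.test"
ARCHIVED = """<html><head><base href="http://web.archive.org/web/2002/http://www.example-org.test/">
</head><body><a href="about.html">About</a>
<a href="http://www.example-org.test/mail/signup.html">Free email</a>
<a href="http://web.archive.org/web/2002/http://www.example-org.test/news.html">News</a></body></html>"""
SITE = {
    "index.html": '<a href="about.html">About</a> <a href="news/latest.html">News</a>',
    "about.html": '<a href="/index.html">Home</a> <a href="http://www.example-org.test/contact.html">Contact</a>',
    "news/latest.html": '<a href="../about.html">About</a>',
    "contact.html": "",
    "mail/signup.html": '<a href="../index.html">Home</a>',
}
```

Running the two checks on the sample data flags the absolute signup link in the archived copy and reports mail/signup.html as the one deployed page nothing on the live site links to.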