AOH :: HP Unsorted G :: BT-21315.HTM

Gmail vulnerable to automated password cracking



Gmail vulnerable to automated password cracking
Gmail vulnerable to automated password cracking



============================================INTERNET SECURITY AUDITORS ALERT 2009-NNN
- Original release date: July 7th, 2009
- Last revised:  July 17th, 2009
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.5/10 (CVSS Base Score)
============================================
I. VULNERABILITY
-------------------------
Gmail vulnerable to automated password cracking.

II. BACKGROUND
-------------------------
Gmail is Google's free webmail service. It comes with built-in Google
search technology and over 7,300 megabytes of storage (and growing
every day). You can keep all your important messages, files and
pictures forever, use search to quickly and easily find anything
you're looking for, and make sense of it all with a new way of viewing
messages as part of conversations.

III. DESCRIPTION
-------------------------
An existing abuse of functionality in the "Check for mail using POP3"
capability permits automated attacks to the password data of the
accounts of the Gmail users evading the security measures adopted by
Google.

Gmail implements a great number of security controls and, most of them
are not revealed until an attack is conducted or a malicious use of
the account is done. For example:
- Use of catpcha for avoiding automated processes (e.g., in the users
authentication or in the new users sign up).
- Temporary IP locking in case of detecting unusual application
activities (e.g., multiple new account creation requests)
- Temporary account locking in case of detecting unusual use of the
user account (e.g., when doing multiple consecutive request to the
same resource).
- Detection of concurrent access to the account from different
geolocated IP addresses added to the number of these accesses.
- Etc.

Anyway, is it possible to abuse the "Check for mail using POP3"
capability to do attacks to the passwords of the users in an automated
way, evading all referred security restrictions and controls and doing
a transparent and not noticeable attack to the user that its account
is being password cracked as:
- There's no need for required action from the victim.
- There's no modification in the password of the victim.
- There's no locking in the victim account.
- There's no security notification to the victim.

The vulnerability is aggravated due Gmail allows weak passwords to be
used by the users. So, Gmail accepts password using only one character
(e.g. "aaaaaaaa") or dictionary words (e.g. "pentagon" or "computer").

The abuse of this functionality permits an attacker to do thousands of
authentication requests during a day over one user account, so if the
user is using a weak password is a matter of time to guess to have
access to the mail account.

IV. PROOF OF CONCEPT
-------------------------
As only requirement, the attacker needs a real Gmail account, but
that's not a real limitation as service is for free.

After being authenticated, the attacker access to the option "Accounts
and import". From this tab access to "Add POP3 mail account". To add a
new account the attacker news to fill:
-User name: will be the victim email address, including "@gmail.com" 
(e.g. victim@gmail.com). 
 -Password: will be the password related to the previously informed user.
 -POP3 server and port: could be simply "pop.gmail.com" and the 995 port.

When asking for the new email account to be added some different
scenarios can happen:
 1. The application returns the message "The server has denied the
POP3 access to this username and password". This possibility happens
when the username do not exists or the password is incorrect.

 2. The application returns the message "Now you can recover the
messages of this account". This other possibility happens when the
authentication has succeeded. So, the attacker informed correctly the
password to this user.

 3. The application returns the message "You have reached the maximum
number of accounts allowed". This situation appears after adding more
than 5 email accounts or after doing 100 requests (successfully or
not) for adding a new account. Is important to notice that, after the
100 attempts, the user must wait for 2 hours.

 Using this, an attacker is able to do 100 attempts of authentication
each 2 hours (so 1.200 attempts each day).

 Is very important to retain that those requests do not require any
kind of catpcha and can be done automatically knowing only the key
parameters of the request:

  -ik: alphanumeric id associated to the user and transmitted through
   GET request.
  -GMAIL_AT: is an alphanumeric value associated to the user and
   transmitted in the cookie. It is only known after authentication
   and starts with characters "xn3j3".
  -GX: alphanumeric value associated to the user and transmitted in
   the cookie. It is only known after authentication.
  -ui: numeric value. Can be fixed to value "2" (default value) and is
   transmitted via GET.
  -view: string value. Can be fixed to string "ma" (default value) and
   is transmitted via GET.
  -map: numeric value. Can be fixed to value "2" (default value) and
   is transmitted via POST.
  -ma_email: email address of the account to be added. Would match to
   the victim email address and is transmitted via POST.
  -mapc: boolean value. Can be fixed to value "true" (default value)
   and is transmitted via POST.
  -mapp: numeric value. Can be fixed to value "1" (default value) and
   is transmitted via POST.
  -mabb: this parameter can be nul (default value) and is transmitted
   via POST.
  -at: is the alphanumeric value associated to the user that must
   match with be value of the variable GMAIL_AT previously explained.
   This value is transmitted via POST.
  -ma_user: email address of the account from which the new email
   address wanted be added. Is the attacker email address and is
   transmitted via POST.
  -ma_pwd: password to be used for the victim account. Is transmitted
   via POST.
  -ma_host: IP address of the POP3 server. Can be fixed to value
   "pop.gmail.com" and is transmitted via POST.
  -ma_host_sel: IP address of the POP3 server. Can be fixed to value
   "pop.gmail.com" and is transmitted via POST.
  -ma_port: is the value of the port of the POP3 server. Can be fixed
   to value "995" (defalt value) and is transmitted via POST.
  -ma_ssl: can be fixed to string "on" (default value) and is
   transmitted via POST.
  -ma_lbl: is the name of the label that will be used for labelling
   incoming emails. Can be fixed to the victim email address (default
   value) and is transmitted via POST.

Summarizing, the POST request for the authentication attack would be
like this:

POST http://mail.google.com/mail/?ui=2&ik=&view=ma HTTP/1.1 
Cookie: GX=;  GMAIL_AT=
map=2&ma_email=&mapc=true&mapp=1&mabb=&at=&ma_user=&ma_pwd=&ma_host=pop.gmail.com&ma_host_sel=pop.gmail.com&ma_port=995&ma_ssl=on&ma_lbl=

To bypass the limitation of 1.200 requests per day it is only
necessary to have different Gmail accounts. Each new account means 100
new possible requests. If the attacker wants to do a request each
second, means 7.200 attempts each two hours, the only need is to have
72 accounts. This would mean 86.400 request/day. More requests only
need more accounts.

As the Gmail account creation is a manual process as it needs to pass
the captcha. Another limitation is that Google only permits the
creation of 10 new accounts creation per day from the same IP address,
but using proxies or Tor network would bypass this limitation. Anyway,
although the creation of N accounts, those could be used anytime for
password cracking accounts.

V. BUSINESS IMPACT
-------------------------
Capability of unlimited password cracking Gmail user accounts.
Selective DoS on users of the Gmail service (changing user password).

VI. SYSTEMS AFFECTED
-------------------------
Gmail service.

VII. SOLUTION
-------------------------
Implement better and homogeneous anti password cracking controls.
No solution addopted by vendor.
So, use strong passwords.

VIII. REFERENCES
-------------------------
http://mail.google.com 
http://www.isecauditors.com 

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
July  07, 2009: Initial release.
July  13, 2009: Minor revision.
July  17, 2009: Last update.

XI. DISCLOSURE TIMELINE
-------------------------
July  05, 2009: Discovered by Internet Security Auditors.
July  13, 2009: Gmail security team contacted.
July  15, 2009: Request for confirmation of reception and analysis.
July  17, 2009: Answer from Google telling 100 attemp control limit is
                enough robust, although the advisory poc shows how to
                evade this weak security control.
                Publication of the advisory in the lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.