Friday, November 21, 2008

Update: Yahoo! Zimbra Desktop vulnerable to Man in the Middle

Once again, Yahoo! has made a slight mis-step with protecting their users' information. In my attempt to enable interoperability between pcfspam & Yahoo! Mail, I uncovered another problem with the most recent Yahoo! Zimbra Desktop. The new Zimbra Desktop (build 1344) uses the same login methodology as the web login, which is already known to be replayable. Unfortunately, unlike the web login, it doesn't notify the user in the event of an SSL certificate mismatch. This makes Yahoo! Zimbra vulnerable to a man-in-the-middle attack, exposing both usernames and passwords.

To reproduce this bug, simply download Zimbra Desktop & set your hosts file (/etc/hosts) so that login.yahoo.com points to your local machine (127.0.0.1) by adding:

127.0.0.1 login.yahoo.com

Alternatively, you can configure bind and add the Yahoo! zone:

;
; BIND data file for the fake yahoo zone
;
$TTL    604800
yahoo.com.      IN      SOA     localhost. root.localhost. (
;@              IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
yahoo.com.              IN      NS      ns1.yahoo.yahoo.com.
login.yahoo.com.        IN      A       127.0.0.1
login.yahoo.yahoo.com.  IN      A       127.0.0.1
ns1.yahoo.yahoo.com.    IN      A       127.0.0.1

Then start an SSL web server (I used Apache) on port 443 and take a look at the access log to see the request:

127.0.0.1 - - [21/Nov/2008:00:27:39 -0500] "GET /WSLogin/V1/get_auth_token?appid=0YbgbonAkY2iNypMZQOONB8mNDSJkrfBlr3wgxc-&login=albertsanchezo&passwd=kingof HTTP/1.1" 404 401 "-" "Jakarta Commons-HttpClient/3.0"
You can clearly see that the variables login & passwd contain the username and password. It should be noted that no warning message was shown to the user, and this was done with a self-signed cert for localhost.localdomain. A malicious attacker would have to exploit only one of the many DNS poisoning vulnerabilities and pass the authentication information through to be able to capture the usernames & passwords of a large number of Yahoo! users. While you can see that I didn't bother passing the information through, you could also get a similar effect with squid (or another proxy) and still allow authentication to complete.
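As an added defensive example (not code from this post), the script below parses Apache combined-format access log lines like the one above, flags any request that carries login/passwd-style parameters in its query string, and redacts those values so a retained or shared log does not keep the secrets. The sample lines are constructed with placeholder credentials and a placeholder appid; the parameter names login and passwd come from the request shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA combined log format: host ident authuser [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameter names that should never travel in a URL: the two seen in the request above plus common variants.
SENSITIVE_PARAMS = {"login", "passwd", "password", "pass", "pwd"}

def parse_log_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def find_credential_leaks(lines):
    """Return (client, path, leaked_param_names, user_agent) for every request carrying credentials in its query."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue  # skip lines that are not access-log records
        leaked = sorted(p for p in rec["query"] if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            hits.append((rec["host"], rec["path"], leaked, rec["agent"]))
    return hits

_REDACT_RE = re.compile(r'\b(' + '|'.join(sorted(SENSITIVE_PARAMS)) + r')=[^&\s"]*', re.IGNORECASE)

def redact_line(line):
    """Replace sensitive query values with [REDACTED]; non-matching lines are returned unchanged."""
    return _REDACT_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)

# Constructed sample lines modelled on the request shape in the post; credentials and appid are placeholders.
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Nov/2008:00:27:39 -0500] "GET /WSLogin/V1/get_auth_token?appid=APPID_PLACEHOLDER&login=someuser&passwd=hunter2 HTTP/1.1" 404 401 "-" "Jakarta Commons-HttpClient/3.0"',
    '127.0.0.1 - - [21/Nov/2008:00:27:40 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for client, path, params, agent in find_credential_leaks(SAMPLE_LOG):
        print(f"credential-bearing request from {client}: {path} params={params} agent={agent!r}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```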

The impact of this is much lower than the previous vulnerability with Yahoo! Zimbra desktop, but is still serious as it exposes usernames & passwords with only a trivial amount of effort.

At the time of writing, Yahoo! security has been notified.
p.s.
For anyone from Yahoo! reading this, I'm still waiting for the shirt I was promised from the first time I reported a vulnerability, but it's all good :)

3 comments:

Anonymous said...

Looks like this is a known issue in the current beta product, planned to be fixed before GA.

http://bugzilla.zimbra.com/show_bug.cgi?id=31997

John Holder said...

Hi Holden!
This is John Holder from Zimbra. Thanks for posting on this issue. This was a known issue, and is slated to be fixed in the GA version of Zimbra Desktop.

Security is very important to us, and no one is impervious to flaws and errors. That's why we have a system set up for reporting issues. Feel free to file anything you find on bugzilla.zimbra.com.

This helps protect our users, and get a patch out quickly. Of course, you have my IM, so you can always shoot me a note letting me know.

I'll also check on that shirt for ya.

-john

Holden Karau said...

@john:
Sorry about doing it this way, I was under the impression that security@yahoo-inc.com was the alias to contact (which I did).

Thanks for checking on the shirt :)
