ush.it - a beautiful place

Port scanner with dnsstuff

January 14, 2006 at 6:47 pm - Filed under Hacks, Insecurity, Language EN - 805 words, reading time ~2 minutes

Dnsstuff is a great service, often integrated into browsers, widgets and extensions. They offer a number of tests (DNS Report, DNS Timing, WHOIS Lookup, Abuse Lookup, Domain Info, Spam database lookup, Reverse DNS lookup, IPWHOIS Lookup, City From IP, IP Routing Lookup, DNS lookup, Traceroute, Ping, ISP cached DNS lookup) and other conversion/math tools (URL deobfuscator, Free E-mail Lookup, CIDR/Netmask, E-mail Test, CSE HTML Validator, Decimal IPs). Where applicable the tools are both IPv4 and IPv6 capable.

Using the HTTP GET variable server it is possible to request a WHOIS lookup against an arbitrary server. The flaw (or the feature) consists in the ability to specify an arbitrary port number; by parsing the output it is then possible to turn this service into a TCP port scanner (which is not the service's purpose, imho).

Examples

Testing port 80 (open), http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=www_ush_it:80 gives:

Looking up scan at www_ush_it:80.

< !DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html></html>

As you can see the service gives you a few bytes of a response, which is probably a 400 Bad Request.

Testing port 81 (closed) http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=www_ush_it:81:

Looking up scan at www_ush_it:81.

Sorry, I could not connect to www_ush_it (10061).

An error is issued, so when you don't see this in the resulting data the port is open and the script connected successfully.

Testing port 443 (closed) http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=www_ush_it:443:

Looking up scan at www_ush_it:443.

Nothing is returned but also no error, so most likely the listening Apache answered with binary data or with nothing at all.

As reported by Nmap (nmap -A), only the HTTP and HTTPS services are running on that public IP:

PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.2.16
Uptime 42.767 days (since Thu Dec  1 18:09:03 2005)

A failed proxy

Indeed this service is a failed proxy; the reason is simple: following the whois protocol, the script sends to the server a query identical to the value of the ip GET variable. Here is an example: http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=82.54.253.196:9010

nc -l -p 9010 -vvv
listening on [any] 9010 ...
connect to [192.168.0.1] from test.DNSstuff.com [66.36.241.109] 59784
scan
^C

Fortunately only the first [0-9a-zA-Z.] part of the string is sent, so a query like whois.ch?ip=GET%20/%20HTTP\1.1&server=82.54.253.196:9010 will produce a mere GET.

Testing XSS Vectors

People at Dnsstuff were smart enough to protect this tool from XSS attacks with proper sanitization (refer to the PHP functions htmlentities and htmlspecialchars) when reporting the whois response, but forgot to filter the server variable for HTML special chars, so this kind of attack is possible.

http://www.dnsstuff.com/tools/whois.ch?ip=XSS&server=%3Ca%20href=%22http://www_ush_it%22%3Eush.it%3C/a%3E

While I was testing this XSS deeper I got this error, so game ended :P

DNSStuff
Sorry, you have triggered our rate limiting system. If you are reading this in a web browser, we apologize -- we want you to use the site as much as you like. What we do not like is when people use automated programs with our free service. We have the addresses uce@ftc.gov and fraud@ftc.gov here in case spammers are harvesting addresses from our site. Please go here for more details. Your IP is 82.54.253.196. Thanks!

The solution

An applicable solution would be a hardcoded/fixed port number; thus the best way is to create a database table with well-known servers to query and let the user choose the server by specifying the id parameter via GET or POST. Regarding the XSS, it could easily be fixed with proper input sanitization.
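The fix described above, written out as an added example in Python (this is not dnsstuff's code, which was PHP): the server is chosen by id from an allow-list table, the port is fixed to the WHOIS standard 43, the query is restricted to the same conservative alphabet the post observed, and every untrusted value is HTML-escaped before rendering. The server hostnames and the transport hook are constructed placeholders.

```python
import html
import re

# Constructed allow-list standing in for the "database table with well-known
# servers" the post proposes. Hostnames are hypothetical placeholders.
WHOIS_SERVERS = {
    1: "whois.example-registry.test",
    2: "whois.example-rir.test",
}
WHOIS_PORT = 43  # fixed: the port never comes from the request

# Conservative query alphabet ([0-9a-zA-Z.] as observed, plus '-' for
# hyphenated domains); anything else is rejected instead of being forwarded.
QUERY_RE = re.compile(r"^[0-9A-Za-z.-]{1,253}$")


def resolve_request(params):
    """Map untrusted request parameters to (host, port, query) or raise.

    A 'server' parameter, if present, is simply ignored: the host can only
    be selected from the allow-list by numeric id.
    """
    try:
        server_id = int(params.get("id", ""))
    except ValueError:
        raise ValueError("id must be an integer") from None
    host = WHOIS_SERVERS.get(server_id)
    if host is None:
        raise ValueError("unknown server id")
    query = params.get("ip", "")
    if not QUERY_RE.match(query):
        raise ValueError("query contains disallowed characters")
    return host, WHOIS_PORT, query


def render(host, query, raw_response):
    """Escape every untrusted value (including the echoed host) before it
    reaches the HTML page, closing the XSS on the server variable."""
    return "Looking up {} at {}.<pre>{}</pre>".format(
        html.escape(query), html.escape(host), html.escape(raw_response)
    )


def lookup(params, transport):
    """Full flow: validate, send the RFC 3912-style query, render safely.

    transport(host, port, payload) -> str is injected so the example runs
    offline; a real deployment would wrap a TCP connect with a timeout.
    """
    host, port, query = resolve_request(params)
    raw = transport(host, port, query + "\r\n")
    return render(host, query, raw)
```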

Dnsstuff has long been abused by automated software, judging by their blacklist. It would be great if Dnsstuff gave a free XML API version of their services in the future.

Dnsstuff response

No full disclosure this time :) mainly because these vulns aren't product/software/package specific. Scott Perry appreciated the notification and fixed the whole thing in about 4 hours (good timing), so the examples in this article no longer work.
