IDN Homograph Attack - Reborn of the Rare Case
Summary
IDN stands for Internationalized Domain Name which is a system that allows domain names to be written and displayed in different scripts and character sets. It enables the use of non-ASCII characters, such as letters with diacritical marks (é, á, č, ŭ, í, ó) in domain names. This makes it possible for users to register using the look-a-like name and navigate to websites or create an account with the existing user.
If SMTP server is vulnerable to IDN homograph attack then it will treat a and á as same characters which can lead to security risks like account take over while registration, account takeover via password reset etc.
Description
I found an IDN homograph vulnerability on a private program on one of the platform where I was digging for request headers and found X-Forwarded-Host header so I thought of giving it a try on password reset page. I went on the password reset page and entered victim’s email to reset the password and then I captured the request and added X-Forwarded-Host header in the request with the value evil.com and checked the response but it gave a 403 Forbidden error. For further analysis I entered the target domain name in the X-Forwarded-Host header and got 200 OK response, so I thought of replacing the character a of the domain name with IDN character á (for e.g. auth.target.com is now auth.tárget.com) and it worked, the password reset link was sent with the domain auth.tárget.com.
IDN Homograph Testing Scenario:
In this scenario, an attacker sends a password reset link to the victim’s inbox with the IDN domain that is controlled by an attacker. As soon as the victim clicks on the link the password reset token will be logged into attacker’s server and he/she will be able to reset the password on behalf of the victim leading to complete account takeover.
NOTE: In real world scenario, you need to buy an IDN domain for e.g. auth.tárget.com. You can replace any character with IDN character to buy IDN homographed domain.
Basic difference between Web Server and SMTP Server
Web Server
A web server is responsible for hosting and serving web pages over the internet. It handles HTTP/HTTPS requests and responses, serving web content to clients that access the website.
SMTP Server
SMTP server is responsible for sending and receiving email messages. It handles the delivery of emails between mail servers and is used by email clients (such as Outlook or Gmail) to send outgoing messages.
Anatomy of IDN Homograph Attack with SMTP Server
SMTP servers typically treats a and á as the same characters because they often rely on ASCII (American Standard Code for Information Interchange) character encoding, which does not differentiate between them. This can make SMTP servers vulnerable to IDN homograph attacks.
ASCII Character Encoding:
- SMTP servers historically used ASCII, which represents characters using a 7-bit encoding scheme.
- ASCII includes characters commonly used in the English language and lacks support for many non-English characters or diacritics, including accented (IDN) characters like á.
- Due to the limited character set in ASCII, SMTP servers traditionally handled and processed only ASCII characters.
Punycode and Internationalized Domain Names (IDNs):
- To enable the use of non-ASCII characters in domain names, the Internationalized Domain Name (IDN) system was introduced.
- IDNs use a process called Punycode encoding to represent non-ASCII characters using a combination of ASCII characters so á will be treated as U+00E1 in ASCII table which will differentiate a and á in SMTP server.
SMTP Server Vulnerability:
- SMTP servers that do not incorporate proper handling and verification mechanisms for IDN homographs can be vulnerable.
- When processing host names, the SMTP server cannot differentiate between the ASCII a and the non-ASCII á due to their visual similarity.
How I found this vulnerability ?
- I went to forgot password page of the target, entered victim’s email and clicked on send link and intercepted the request using burpsuite
2. I added the header X-Forwarded-Host: evil.com and right clicked on the request > Do intercept > Response to this request, for checking the response and got 403 Forbidden error
3. Again I went to forgot password page of the target, entered victim’s email and clicked on send link
4. Then I intercepted the request using burpsuite and added the X-Forwarded-Host: auth.target.com, right clicked on the request > Do intercept > Response to this request, for checking the response and this time it was 200 OK response
5. Again I went to forgot password page of the target, entered victim’s email and clicked on send link and intercepted the request using burpsuite
6. Then I added the X-Forwarded-Host: auth.tárget.com, right clicked on the request > Do intercept > Response to this request, for checking the response and this time it was 200 OK response
7. I checked my inbox and received the link with the IDN homographed target host (e.g. https://auth.tárget.com/forgot-password/verify/?reset-token=Zwdft567ugr)
8. I clicked the link and intercepted the request to check the host
Why this happened ?
In my opinion,
It happened because the SMTP server did not have proper handling and verification mechanisms for IDN homographs characters. When processing host name, the SMTP server was not able to differentiate between the ASCII a and the non-ASCII á due to their visual similarity which made this attack possible.
Impact
This kind of vulnerability makes it possible for an attacker to take over anyone’s account on the target website and can steal all the PII data of that user.
CVSS Calculation
Score - 5.9 Medium
Vector String - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:H
Mitigation
To mitigate the vulnerability of IDN homograph attacks, SMTP servers should implement measures to handle IDN domains properly, such as:
- Incorporating Punycode decoding to accurately interpret and process IDN email addresses.
- Enforcing strict email address validation to detect suspicious or potentially spoofed domains.
- Regularly updating server configurations and security policies to stay updated with the latest best practices for handling IDN domains
