Monday 10 June 2013

Nokia XSS + Nokia Spoofing = Nokia Lumia

Back in February I heard Nokia were starting a new bounty program. I didn't think it would be that hard finding a few holes and getting me a shiny new Nokia Lumia. Turns out I was right :)

This post is about a rather boring XSS and some email spoofing lolz that I worked on back in February.


The XSS

The Nokia developer site contained a search feature that didn't properly encode user queries before displaying them on the results page.

Here's a screenshot of the XSS:

Inline image 1


And lack of HttpOnly meant it was trivial to steal the session data:

Inline image 1



Bounty time...right?...wrong!

So I reported the issue and waited for a response. Fair play to Nokia they fixed the XSS pretty quickly. However when inquiring about a bounty I received the following response:


Oh great, so no bounty for XSS. Taking a closer look at the Nokia vulnerability disclosure policy:

Reward & Recognition
Nokia will recognize and reward researchers based on the vulnerability criticality and vulnerable service priority. A Nokia internal committee will review and determine what type of recognition is given to the researcher when applicable. Our most common recognition is our Hall of Fame.

Hmmm ok, but the Nokia engineer did mention a bounty was possible if I could find something more interesting...


Any ideas? Oh yeah that blog post I wrote...

I'd recently been looking at the dangers of email spoofing (see post here: http://pwndizzle.blogspot.com/2013/03/targeted-email-spoofing-and-alexa100.html) and seen how many companies weren't aware of the risks. If Nokia were vulnerable this would make a great POC and hopefully get me my Nokia Lumia!

In a nutshell, many SMTP servers on the internet today don't enforce spoofing mitigations. Reverse-DNS checks, SPF, DKIM and filtering of external emails using your company address, can all help mitigate spoofing but in a lot of companies they just aren't strictly enforced. Lucky for me, Nokia was one of those companies :)


Lets Get Spoofing!

Spoofing is trivial to perform. Simply connect to the companies SMTP server, send your "mail from", "rcpt to", your message data (with headers) and you're done. A little something like this:


As can be seen above, to demonstrate the impact I sent a message from the Nokia president Stephen Elop to the Nokia engineer. So from a few simple SMTP commands we get a spoofed email that says:


The security engineer at Nokia was rather surprised to see a message from the president and after discussing the attack/mitigations I finally got my reward, a new Nokia Lumia, wahey! :)

For more details on how to spoof your favourite CEO or how to protect your own CEO, check out my previous blog post here:
http://pwndizzle.blogspot.com/2013/03/targeted-email-spoofing-and-alexa100.html


Final Thoughts

Bug bounties come in all different shapes and sizes. Nokia might pay a little less than the average Google/Facebook/Paypal bounty but then again Nokia aren't doing all that well financially nor are they as such a juicy target as Google/Facebook/Paypal. So to offer a bug bounty at all is impressive enough!

Thanks to Nokia for their swift responses/fixes and for the new phone :)

Pwndizzle out.