Dnsstuff is a great service, often integrated into browsers, widgets and extensions. It offers a number of tests (DNS Report, DNS Timing, WHOIS Lookup, Abuse Lookup, Domain Info, Spam database lookup, Reverse DNS lookup, IPWHOIS Lookup, City From IP, IP Routing Lookup, DNS lookup, Traceroute, Ping, ISP cached DNS lookup) and other conversion/math tools (URL deobfuscator, Free E-mail Lookup, CIDR/Netmask, E-mail Test, CSE HTML Validator, Decimal IPs). Where applicable the tools are both IPv4 and IPv6 capable.
Using the HTTP GET variable server it is possible to request a WHOIS lookup against an arbitrary server. The flaw (or the feature) consists in the ability to specify an arbitrary port number as well: by parsing the output it is possible to turn this service into a TCP port scanner (which is not the scope of the service, imho). Every probe comes from DNSStuff's own address, so the scanned host only ever sees their IP.
Examples
Testing port 80 (open), http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=www_ush_it:80 gives:
Looking up scan at www_ush_it:80. < !DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html></html>
As you can see the service gives you back the first few bytes of a response, most likely Apache's 400 Bad Request page: the string "scan" followed by a line ending is not a valid HTTP request, but the server answered, so the port is open.
Testing port 81 (closed), http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=www_ush_it:81 gives:
Looking up scan at www_ush_it:81. Sorry, I could not connect to www_ush_it (10061).
An error is returned (10061 is the Winsock code for "connection refused"), so when you don't see this in the resulting data the port is open and the script connected fine.
Testing port 443 (open, but speaking TLS), http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=www_ush_it:443 gives:
Looking up scan at www_ush_it:443.
Nothing is returned but no error either: the script connected, but Apache's SSL listener received plain text instead of a TLS handshake and answered with binary data or nothing at all. Three outcomes, three port states: a banner (open), a connect error (closed), or silence (open, unprintable reply).
The same is reported by Nmap (nmap -A): only the HTTP and HTTPS services are running on that public IP:
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.2.16
Uptime 42.767 days (since Thu Dec 1 18:09:03 2005)
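What parsing that output into port states looks like, as an added example that is not part of the original post: the sample pages are constructed from the three responses above, the hostname is the post's obfuscated www_ush_it, the URL format follows the probes shown, and the HTTP fetch is injected as a function so the scan runs offline (a live fetcher would also have to throttle itself, since the service rate-limits).

```python
import re
from typing import Callable, Dict, Iterable

# Constructed sample pages, modelled on the three responses quoted above
# (not live captures; the host is the post's obfuscated www_ush_it).
SAMPLE_PAGES = {
    80: 'Looking up scan at www_ush_it:80. <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html></html>',
    81: 'Looking up scan at www_ush_it:81. Sorry, I could not connect to www_ush_it (10061).',
    443: 'Looking up scan at www_ush_it:443.',
}

WHOIS_TOOL = "http://www.dnsstuff.com/tools/whois.ch"
HEADER_RE = re.compile(r"Looking up \S+ at ([^\s:]+):(\d+)\.")
ERROR_RE = re.compile(r"Sorry, I could not connect to \S+ \((\d+)\)\.")
WSAECONNREFUSED = 10061  # Winsock "connection refused", the code seen on the closed port


def build_url(host: str, port: int, query: str = "scan") -> str:
    """URL of the probe the post describes: query goes in ip=, target in server=host:port."""
    return f"{WHOIS_TOOL}?ip={query}&server={host}:{port}"


def classify(page: str) -> Dict[str, object]:
    """Derive the port state from the whois.ch page text.

    Three shapes are distinguished: a connect error (closed), some bytes echoed
    back (open, and the banner is kept), or the bare header line (open, but the
    service answered with nothing printable, e.g. a TLS listener on 443).
    """
    m = HEADER_RE.match(page)
    if not m:
        raise ValueError("not a whois.ch result page")
    host, port = m.group(1), int(m.group(2))
    body = page[m.end():].strip()
    err = ERROR_RE.search(body)
    if err:
        return {"host": host, "port": port, "state": "closed",
                "error": int(err.group(1)), "banner": ""}
    if body:
        return {"host": host, "port": port, "state": "open",
                "error": None, "banner": body}
    return {"host": host, "port": port, "state": "open-silent",
            "error": None, "banner": ""}


def scan(host: str, ports: Iterable[int],
         fetch: Callable[[str], str]) -> Dict[int, str]:
    """Probe each port through the tool; fetch(url) must return the page text."""
    results = {}
    for port in ports:
        results[port] = classify(fetch(build_url(host, port)))["state"]
    return results


def sample_fetch(url: str) -> str:
    """Offline stand-in for an HTTP GET: answers from the constructed sample pages."""
    port = int(url.rsplit(":", 1)[1])
    return SAMPLE_PAGES[port]


if __name__ == "__main__":
    for port, state in scan("www_ush_it", [80, 81, 443], sample_fetch).items():
        print(f"{port}/tcp {state}")
```

The classifier keys on the fixed strings the tool emits around the whois reply; anything else between the header and the end of the page is treated as a banner, which is also how the 80/tcp case keeps Apache's 400 page for later fingerprinting.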
A failed proxy
Indeed this service is a failed proxy. The reason is simple: following the whois protocol, the script sends the server a query identical to the value of the ip GET variable, followed by a line ending. Here is an example: http://www.dnsstuff.com/tools/whois.ch?ip=scan&server=82.54.253.196:9010
nc -l -p 9010 -vvv
listening on [any] 9010 ...
connect to [192.168.0.1] from test.DNSstuff.com [66.36.241.109] 59784
scan
^C
Fortunately only the leading [0-9a-zA-Z.] part of the string is sent, so a query like whois.ch?ip=GET%20/%20HTTP\1.1&server=82.54.253.196:9010 will produce a mere GET.
Testing XSS Vectors
People at Dnsstuff were smart enough to protect this tool from XSS attacks with proper sanitization (think of the PHP functions htmlentities and htmlspecialchars) when reporting the whois response, but forgot to filter the server variable for HTML special chars, so this kind of attack is possible:
http://www.dnsstuff.com/tools/whois.ch?ip=XSS&server=%3Ca%20href=%22http://www_ush_it%22%3Eush.it%3C/a%3E
While I was testing this XSS further I got this error, so the game ended :P
DNSStuff
Sorry, you have triggered our rate limiting system. If you are reading this in a web browser, we apologize -- we want you to use the site as much as you like. What we do not like is when people use automated programs with our free service. We have the addresses uce@ftc.gov and fraud@ftc.gov here in case spammers are harvesting addresses from our site. Please go here for more details. Your IP is 82.54.253.196. Thanks!
The solution
An applicable solution would be a hardcoded/fixed port number; better still, create a database table of well-known whois servers to query and let the user choose the server by specifying an id parameter via GET or POST, so neither host nor port is ever taken from the client. The XSS could easily be fixed with proper output escaping of the server variable.
Dnsstuff has long been abused by automated software, judging by their blacklist. It would be great if Dnsstuff gave a free XML API version of their services in the future.
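The fix sketched above, as an added example in Python rather than anything DNSStuff actually deployed (the whois server table, the query character set and the handler names are assumptions): a handler modelled on the flawed behaviour beside the hardened one, with the whois call injectable so the example runs offline.

```python
import html
import re
import socket
from typing import Callable, Mapping

# Assumed whois server table standing in for the database table proposed above;
# the id is the only thing a client may choose, host and port are fixed here.
WHOIS_SERVERS = {
    "iana": ("whois.iana.org", 43),
    "ripe": ("whois.ripe.net", 43),
    "arin": ("whois.arin.net", 43),
}

# Whois queries are names, addresses, prefixes or handles; keeping the character
# set tight stops the tool from relaying arbitrary bytes (no spaces, no HTML).
QUERY_RE = re.compile(r"^[0-9A-Za-z.\-:/]{1,255}$")

WhoisFn = Callable[[str, int, str], str]


def whois_query(host: str, port: int, query: str, timeout: float = 10.0) -> str:
    """Plain whois (RFC 3912): send the query plus CRLF, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def lookup_unsafe(params: Mapping[str, str], do_whois: WhoisFn = whois_query) -> str:
    """Modelled on the behaviour described in the post: server=host:port is honoured
    verbatim (any port, so a scanner) and echoed into the page unescaped; only the
    query and the whois reply are escaped."""
    host, _, port = params["server"].partition(":")
    port_num = int(port) if port.isdigit() else 43
    reply = do_whois(host, port_num, params["ip"])
    return (f"<p>Looking up {html.escape(params['ip'])} at {params['server']}.</p>"
            f"<pre>{html.escape(reply)}</pre>")


def lookup_safe(params: Mapping[str, str], do_whois: WhoisFn = whois_query) -> str:
    """Hardened form: server chosen by id from the table (fixed host and port),
    query restricted to whois-safe characters, every reflected value escaped."""
    server_id = params.get("id", "")
    if server_id not in WHOIS_SERVERS:
        return "<p>Unknown whois server.</p>"
    query = params.get("ip", "")
    if not QUERY_RE.match(query):
        return "<p>Invalid query.</p>"
    host, port = WHOIS_SERVERS[server_id]
    reply = do_whois(host, port, query)
    return (f"<p>Looking up {html.escape(query)} at {html.escape(host)}:{port}.</p>"
            f"<pre>{html.escape(reply)}</pre>")


if __name__ == "__main__":
    # Fake whois backend so the demo never touches the network.
    fake = lambda host, port, query: f"(fake reply from {host}:{port} for {query})"
    print(lookup_unsafe({"ip": "XSS", "server": '<a href="http://www_ush_it">ush.it</a>'}, fake))
    print(lookup_safe({"ip": "ush.it", "id": "iana"}, fake))
```

Escaping the reflected values closes the XSS, but it is the server table that closes the scanner and the proxy: once the client cannot name a host or a port, there is nothing left to point at third parties.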
Dnsstuff response
No full disclosure this time :) mainly because these vulns aren't product/software/package specific. Scott Perry appreciated the notification and fixed the whole thing in about 4 hours (good timing), so the examples in this article no longer work.