Improper 21CN configuration lets an outsider obtain a certificate for 21cn.com, enabling man-in-the-middle attacks
Improper 21CN configuration exposes its users to man-in-the-middle attacks. http://www.21cn.com
Simply put, the 21CN personal mailbox service (http://hermes.mail.21cn.com/webmail/) lets users register a mailbox under any user name and does not block the high-risk names, so anyone can apply to a CA for a DV (domain-validated) SSL certificate for 21cn.com. This is the same thing that was done a few days ago to Microsoft's live.fi domain [1].
The sensitive mailboxes are admin@, administrator@, postmaster@, hostmaster@ and webmaster@. I successfully registered [email protected].
Next, I went to Comodo and applied for a free 90-day SSL certificate, using the mailbox above as the contact address, and successfully received the CA's verification email.
At this point, one only has to click the confirmation link in the email to receive the formal SSL certificate. Since the problem was already proven, I stopped at this step and asked that the certificate not be issued.
Statement:
1. The private key generated together with the CSR has been deleted.
2. Although the order was placed successfully, Comodo did not issue any certificate for 21cn.com.
3. I applied for the certificate only to prove that the vulnerability exists and is harmful, with no malicious intent.
[1] http://www.myhack58.com/Article/html/1/4/2015/60064.htm
[2] https://technet.microsoft.com/en-us/library/security/3046310.aspx
Solution:
1. Disable [email protected].
2. Check whether the other four mailboxes have been registered by non-administrative users; if so, disable them.
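The two fix steps above amount to one check applied at two points: reject the reserved administrative names at self-service signup, and scan the existing account list for reserved names held by ordinary users. The following Python is an added example of that check, written for this write-up; it is not code from 21CN or from the report. The reserved list is the five names given above (the same role addresses a CA accepts for domain validation). The normalization steps are assumptions about how a mail system might treat names, not facts from the report: it case-folds, applies Unicode NFKC so full-width look-alikes collapse to ASCII, and drops a "+tag" sub-address suffix in case the mail system delivers admin+anything@ to admin@. The account records are constructed sample data.

```python
import unicodedata

# Role addresses that CAs treat as proof of control of a domain; this is the
# list from the report above (RFC 2142 role names).
RESERVED_LOCAL_PARTS = frozenset({
    "admin", "administrator", "postmaster", "hostmaster", "webmaster",
})


def normalize_local_part(local_part):
    """Canonicalize a requested mailbox name before comparing it.

    Assumptions (not from the report): NFKC folds full-width and other
    compatibility characters to ASCII, casefold() makes the comparison
    case-insensitive, and a "+tag" suffix is removed because sub-addressing
    would deliver admin+x@ to admin@ on many mail systems.
    """
    name = unicodedata.normalize("NFKC", local_part).strip().casefold()
    return name.split("+", 1)[0]


def is_reserved_mailbox(local_part):
    """True if the name would let its holder pass DV certificate validation."""
    return normalize_local_part(local_part) in RESERVED_LOCAL_PARTS


def validate_registration(requested):
    """Fix step 1, applied at signup: refuse to create a reserved mailbox.

    Returns (allowed, reason).
    """
    if is_reserved_mailbox(requested):
        return False, "'%s' is a reserved administrative mailbox" % requested
    return True, "ok"


def audit_existing_accounts(accounts, administrators):
    """Fix step 2: find reserved mailboxes already held by ordinary users.

    accounts: iterable of (local_part, owner_id) pairs
    administrators: set of owner_ids permitted to hold reserved mailboxes
    Returns the local parts that should be disabled.
    """
    flagged = []
    for local_part, owner in accounts:
        if is_reserved_mailbox(local_part) and owner not in administrators:
            flagged.append(local_part)
    return flagged


# Constructed sample account list: (mailbox name, owner). "ops-team" is the
# only owner allowed to hold role mailboxes; the others are ordinary signups.
SAMPLE_ACCOUNTS = [
    ("postmaster", "ops-team"),
    ("Admin", "user-1234"),
    ("hostmaster+ssl", "user-5678"),
    ("\uff41\uff44\uff4d\uff49\uff4e", "user-2468"),  # full-width "admin"
    ("alice", "user-9999"),
]
SAMPLE_ADMINISTRATORS = {"ops-team"}


if __name__ == "__main__":
    for name in ("alice", "Admin", "webmaster+promo"):
        print(name, "->", validate_registration(name))
    print("to disable:", audit_existing_accounts(SAMPLE_ACCOUNTS,
                                                 SAMPLE_ADMINISTRATORS))
```

Run as a script it prints the signup decision for three names and then the list of existing mailboxes that fix step 2 would disable: the capitalized, sub-addressed and full-width variants are all caught, while the ordinary user and the ops-team's own postmaster@ are left alone. The reserved list should grow with whatever additional names a CA will accept for the domains in question.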