Document Title: =============== Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability References (Source): ==================== http://ift.tt/1dZCVcy Video: http://ift.tt/1QkIyTD Vulnerability Magazine: http://ift.tt/1dsz1Ij Release Date: ============= 2015-06-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1323 Common Vulnerability Scoring System: ==================================== 6.1 Product & Service Introduction: =============================== Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project. Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps. Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity. Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of building and deploying web apps. Our service lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins. (Copy of the Vendor Homepage: http://ift.tt/1knQSw2 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research team discovered a application-side session validation vulnerability in the official Heroku API and web-application. Vulnerability Disclosure Timeline: ================================== 2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2014-09-20: Vendor Notification (Heroku Security Team - Bug Bounty Program) 2015-03-11: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program) 2015-06-08: Vendor Fix/Patch Notification (Heroku Developer Team) 2015-06-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Heroku Product: Heroku Dashboard - Web Application (API) 2014 Q3 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ An application-side re-auth session bypass vulnerability has been discovered in the official heroku API & web-application service. The vulnerability allows an attacker to request unauthorized information without the second forced re authentication module. The heroku web-service provides to all web services an expire session function that disallows to visit the page without re authentication. The dataclips page session of the editor and the postgres service allows to add for example new context. If the session expires in the main heroku web-service the user will be forced to login again. During the tests we releaved that the session of the dataclip service and editor is available even if the re-authentication service is still running. If the local attacker changes the path manually to request directly the stored context in the profile (like shown in video) he is able to bypass the security mechanism to add or request the database name. The session validation mechnism needs to provoke a refresh of the progres datasheet page or the dataclips add through editor to prevent unauthorized access after a session has been expired during the usage of the heroku service. The security risk of the re-auth session bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the vulnerability requires a local low privilege heroku application user account without user interaction. Successful exploitation of the vulnerability results in the evade and bypass of the re-authentication mechanism. Proof of Concept (PoC): ======================= The local re auth bypass vulnerability can be exploited by local attackers with low privilege web-application user account or by remote attackers without privlege web-application account and high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the re-auth bypass vulnerability ... 1. Register a webpage account at the official heroku website 2. Provoke the re-auth function that pops up after several profile interaction during the time after the session expired 3. When the session is expired to do not press the re-auth function button that popup stable to all service 4. Switch back to the postgres.heroku service and add dataclips or own databases even if the session is expired to all other modules and sites Note: Even if all session are expired the user is able to request the database and the dataclips in the service without authorization 5. Successful reproduce of the session vulnerability! Video Demonstration The video demonstrates the vulnerability in the re-auth function of the heroku service which affects only the heroku service with the dataclips and databases. The session expired values also needs to be recognized in the database service and the site validation request to prevent access without re-auth to heroku itself. Exception Message: -Your session has expired --Your current session has expired or become inactive and has been terminated.
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment