Thursday, March 31, 2016

[FD] Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability

Document Title:
===============
Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability

References (Source):
====================
http://ift.tt/1SoRZwJ

Trend Micro ID: 1-1-1035080936

Release Date:
=============
2016-03-31

Vulnerability Laboratory ID (VL-ID):
====================================
1694

Common Vulnerability Scoring System:
====================================
6.5

Product & Service Introduction:
===============================
Trend Micro Inc. is a global security software company founded in Los Angeles, California with global headquarters in Tokyo, Japan, and regional headquarters in Asia, Europe and the Americas. The company develops security software for servers, cloud computing environments, and small business. Its cloud and virtualization security products provide cloud security for customers of VMware, Amazon AWS, Microsoft Azure and vCloud Air. Eva Chen serves as Trend Micro's chief executive officer, a position she has held since 2005 when she succeeded founding CEO Steve Chang. Chang serves as chairman of Trend Micro.

(Copy of the Homepage: http://ift.tt/1RrWcmK )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a redirect and session web vulnerability in the official Trend Micro SSO online service web-application.

Vulnerability Disclosure Timeline:
==================================
2016-01-28: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-01-29: Vendor Notification (Trend Micro Security Team)
2016-02-02: Vendor Response/Feedback (Trend Micro Security Team)
2016-03-16: Vendor Fix/Patch (Trend Micro Developer Team)
2016-03-20: Security Bulletin (Trend Micro Security Team) [Acknowledgements]
2016-03-31: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Trend Micro
Product: Account System - (Web-Application) 2016 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A redirect issue with information leaking has been discovered in the official Trend Micro online-service web-application. The vulnerability allows an attacker to send a crafted link to the victim. The execution (which requires a login) discloses leaking information to the attacker's web server. In this case the AuthState value is being leaked.

The vulnerability is located in SSOService.php. A remote attacker is able to craft a link by modifying the RelayState parameter to point at his web server. After the link is clicked by the victim, the website requests him to log in. After the login the victim is quietly redirected to the attacker's web server. The previous request includes the new AuthState in the GET request, which carries the user's session. The AuthState is then exposed in the Referer. The attacker can use the AuthState value to take over the account session.

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Send the victim the link http://ift.tt/1RMhzxZ
2. The victim is redirected to yahoo
3. The AuthState code is cached in the Referer sent to the attacker's website ... like on yahoo
4. Successful reproduction of the vulnerability!
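The root cause described above is an SSO endpoint that follows the RelayState parameter verbatim while the session-bearing AuthState value sits in the query string, so the next request leaks it through the Referer header. The following Python is an added example, not Trend Micro's code and not the patched SSOService.php: it places the trusting "before" logic beside a hardened target validator (allowlisted hosts, same-origin relative paths only, protocol-relative and backslash forms rejected), a check that flags URLs carrying session parameters, and the response headers that keep such a value out of a downstream Referer. The hosts and parameter names are assumptions chosen for the example.

```python
from urllib.parse import parse_qs, urljoin, urlsplit, urlunsplit

# Constructed values for this example: the SSO origin and the hosts a
# RelayState is allowed to send a user to after login.
SSO_ORIGIN = "https://sso.example.com"
ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}
DEFAULT_LANDING = "/"

# Query parameters that carry session state and must never ride along
# in a URL that a browser may later expose in a Referer header.
SESSION_PARAMS = {"authstate", "sessionid"}


def vulnerable_redirect_target(relay_state: str) -> str:
    """Before: RelayState is trusted as-is, so any absolute URL is followed."""
    return relay_state


def safe_redirect_target(relay_state: str, default: str = DEFAULT_LANDING) -> str:
    """After: only same-origin paths or https URLs to allowlisted hosts survive."""
    if not relay_state:
        return default
    # Control characters and whitespace are handled inconsistently by
    # browsers and proxies; treat them as an invalid RelayState.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in relay_state):
        return default
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    normalized = relay_state.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: require https and an allowlisted
        # host. urlsplit strips userinfo, so "app.example.com@evil.example"
        # yields hostname "evil.example" and is rejected.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    # Relative target: exactly one leading slash, never "//".
    if not normalized.startswith("/") or normalized.startswith("//"):
        return default
    return urljoin(SSO_ORIGIN, normalized)


def query_carries_session(url: str) -> bool:
    """True if the URL's query string names a session-bearing parameter."""
    keys = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    return bool(keys & SESSION_PARAMS)


def sso_response_headers(location: str) -> dict:
    """Headers for the post-login redirect: no Referer on the next hop, no caching."""
    return {
        "Location": location,
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.example/", "https://app.example.com/home",
                      "https://app.example.com@evil.example/", "/\\evil.example",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
    print(query_carries_session("https://sso.example.com/SSOService.php?AuthState=abc"))
```

Rejecting unknown hosts up front removes the redirect; the Referrer-Policy header and the query-parameter check are the second layer, so that even an allowlisted destination never receives a session value in its Referer.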

Source: Gmail -> IFTTT-> Blogger