Message-Id: <201502041423.t14ENvxM001495@sf01web2.securityfocus.com>
Date: Wed, 4 Feb 2015 14:23:57 GMT
From: jerold@...d00sec.com
To: bugtraq@...urityfocus.com
Subject: Bitdefender Internet Security -

There seem to be some security issues with the way the Bitdefender Internet Security 2015 software (Build 18.20.0.1429) interacts with its myBitdefender online portal.

Issues:

1) Possible partial disclosure of users' myBitdefender account credentials (a privacy issue) when using the SAFEGO functionality for Facebook.
2) Bruteforce of passwords for myBitdefender accounts is possible using the method below.
 
ISSUE 1

To illustrate issue 1, I have created a spare account on myBitdefender at https://my.bitdefender.com with the following credentials:

Login ID: jerold.usa@...il.com
Password: password1

Upon clicking on the SAFEGO "Reports for Facebook" link from Bitdefender's user interface under the "Tools" tab, the following web URL is opened:

https://my.bitdefender.com/en_US/my/#page=safego.facebook_index&?login=jerold.usa@gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&lang=en_us

Note the HTTP parameter passmd5, which contains the value "7c6a180b36896a0a8c02787eeafb0e4c". It is a trivial hash of the plaintext password "password1" using the MD5 algorithm, which is "broken" in some sense.

A malicious attacker that has gotten hold of the hash can do a simple reverse lookup using the many available MD5 hash databases online.

In my simple test I used http://www.md5online.org/ with the hash "7c6a180b36896a0a8c02787eeafb0e4c" and was given the plaintext password "password1".

ISSUE 2:

Another point of concern is the HTTP response that was received when the HTTP GET request with valid credentials below was sent:

GET /lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&type=userpass HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expire%22%3Anull%7D; _ga=GA1.3.1523623201.1421739258; _gat=1

The HTTP response was a JSON response from the server:

{
  "token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM", 
  "passmd5": "7c6a180b36896a0a8c02787eeafb0e4c", 
  "country_id": "192", 
  "login": "jerold.usa@...il.com", 
  "preferences": "{\"lang\": \"en_us\"}"
}

Notice that the passmd5 parameter is passed back in the clear. Also, it is noted that even after multiple logouts, the token value returned is still the same.

Sending the HTTP GET request below with invalid credentials produces the following behavior:

GET /lv2/account?login=jerold.usa%40gmail.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4d&type=userpass HTTP/1.1
Host: my.bitdefender.com
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
Referer: https://my.bitdefender.com/login
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: com.bitdefender.mybd.lang=%7B%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expire%22%3Anull%7D; _gat=1; _ga=GA1.3.1523623201.1421739258; com.bitdefender.mybd=%7B%22user%22%3A%22jerold.usa@...il.com%22%2C%22token%22%3A%22Wa6QqAuiUlrKRYcvnZZIEGI00TM%22%2C%22country_id%22%3A%22192%22%2C%22lang%22%3A%7B%22name%22%3A%22en_us%22%7D%2C%22expiry%22%3A1421742342979%2C%22remember%22%3Afalse%7D

The HTTP response was a JSON response from the server:

{
  "captcha": "false", 
  "error": "wrong_login"
}

Notice that the server responded with wrong_login, indicating that the login failed. There is no form of captcha or lockout that tracks the number of failed logins and locks the account for a set period of time, which is ideal for a bruteforce attack.

Bruteforce attack scenario:

1. Obtain a dictionary wordlist of MD5 hashes, which is easily available online. A quick Google search shows that some wordlists have more than 376,484,923,572 hashes.
2. Obtain the target's email address.
3. Code a script to send the GET request as below, substituting the login and passmd5 HTTP parameters with the target's email address and hashes from the wordlist. Alternatively, BurpSuite's intruder would be perfect for this case. Load the wordlist and use sniper mode to start the bruteforce.
4. Observe the HTTP response. If a response similar to the one below is found, the account has been compromised, allowing the attacker access to all Bitdefender online functionalities.

{
  "token": "Wa6QqAuiUlrKRYcvnZZIEGI00TM", 
  "passmd5": "7c6a180b36896a0a8c02787eeafb0e4c", 
  "country_id": "192", 
  "login": "jerold.usa@...il.com", 
  "preferences": "{\"lang\": \"en_us\"}"
}
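As an added defender-side example (not part of this advisory or of Bitdefender's code), the following Python script confirms that passmd5 is bare, unsalted MD5 of the password, and then shows the kind of per-account failed-login throttling that the portal lacks for the scenario above: it runs a sliding-window check over constructed log lines modelled on the /lv2/account request, flags a burst of wrong_login responses for one login, and flags a token response that follows such a burst. The log line format is an assumption.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

def passmd5_is_unsalted_md5(password, passmd5):
    """True when passmd5 is bare MD5(password): no salt, no iteration,
    which is why a public lookup table could reverse it."""
    return hashlib.md5(password.encode()).hexdigest() == passmd5.lower()

# Constructed sample log lines (not real traffic), modelled on the
# GET /lv2/account?login=...&passmd5=...&type=userpass request above.
# Assumed format: timestamp, client IP, request path, response outcome.
SAMPLE_LOG = """\
2015-02-04T14:20:00Z 203.0.113.5 /lv2/account?login=victim%40example.com&passmd5=00000000000000000000000000000001&type=userpass wrong_login
2015-02-04T14:20:01Z 203.0.113.5 /lv2/account?login=victim%40example.com&passmd5=00000000000000000000000000000002&type=userpass wrong_login
2015-02-04T14:20:02Z 203.0.113.5 /lv2/account?login=victim%40example.com&passmd5=00000000000000000000000000000003&type=userpass wrong_login
2015-02-04T14:20:04Z 203.0.113.5 /lv2/account?login=victim%40example.com&passmd5=7c6a180b36896a0a8c02787eeafb0e4c&type=userpass token
2015-02-04T14:40:00Z 198.51.100.7 /lv2/account?login=other%40example.com&passmd5=00000000000000000000000000000005&type=userpass wrong_login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) /lv2/account\?login=(?P<login>[^&]+)"
    r"&passmd5=(?P<passmd5>[0-9a-f]{32})&type=userpass (?P<result>\S+)$"
)

def detect_bruteforce(log_text, window=timedelta(minutes=5), threshold=3):
    """Flag a login that reaches `threshold` wrong_login responses within
    `window` (where a lockout or CAPTCHA should kick in), and flag a token
    response that follows such a burst as a likely compromise."""
    failures = defaultdict(deque)  # login -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that are not /lv2/account logins
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        login = unquote(m["login"])
        recent = failures[login]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures outside the sliding window
        if m["result"] == "wrong_login":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("burst", login, m["ip"], len(recent)))
        elif m["result"] == "token" and len(recent) >= threshold:
            alerts.append(("success_after_burst", login, m["ip"], len(recent)))
    return alerts
```

The same counter that raises the "burst" alert is what a server-side lockout or CAPTCHA trigger would key on; the "success_after_burst" alert is the signal an incident responder would want to see for the compromise described in step 4.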

Seeing how Bitdefender popularity has grown in recent years, I would expect a "more secure" approach to handling such data...

Regards,
Jerold
