List: full-disclosure
Subject: [Full-disclosure] Sony Playstation Network Account Service System - Password Reset (Session) Vulnera
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2013-06-27 23:37:01
Message-ID: 51CCCC9D.4090602 () vulnerability-lab ! com
Title:
======
Sony Playstation Network Account Service System - Password Reset (Session) Vulnerability
Date:
=====
2013-05-12
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=740
VL-ID:
=====
740
Common Vulnerability Scoring System:
====================================
9.3
Introduction:
=============
PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided and run by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles. The PlayStation Network is the video game portion of the Sony Entertainment Network.
(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a critical remote web vulnerability in the official PSN Network Accounting Service (PS).
Report-Timeline:
================
2012-11-04: Researcher Notification & Coordination
2012-11-06: Vendor Notification 1
2012-12-03: Vendor Notification 2
2013-01-15: Vendor Notification 3
2012-05-01: Vendor Fix/Patch by Check
2012-05-12: Public Disclosure (full 2013-06-28)
Status:
========
Published
Affected Products:
==================
Sony
Product: Playstation Network - Account Service 2012 Q3
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A critical password reset (session) vulnerability was detected in the Sony PSN web server auth system account application. The vulnerability allows remote attackers without a privileged application account to exchange session values and reset any PSN user account.
The vulnerability is located in the recovery (forgot password) function of the PSN account service application. In the recovery function, an auth request is bound to the account session through the "Forgot Your Password" (method 3) form, submitted via JSON and jQuery with the intercepted value. The request is not sanitized when resetting via method 3 with only one value (Forgot Your Password): the request (https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action) is processed and loaded twice, and the manipulated request can be changed live while it is held at the end of the flow. The value is only checked for existence and emptiness; its context is not validated again on the second pass. An attacker can therefore bypass the token protection through live session tampering and reset any PSN account by exchanging the values for his own. Exploitation requires processing the request, for example via the JSON form and jQuery request. It also requires knowing the birthdate of the account, because of the protection mechanism at the end of the flow.
So far the remote vulnerability can only be exploited manually, using a session tamper tool such as Tamper Data. A remote attacker can, for example, bypass the token protection with values like "*/+[New Account Details]" or "[New Account Details]+/*" to reset random PSN application accounts, or infiltrate specifically chosen accounts by changing the password through his own e-mail for another user's account. The root cause is the missing re-check of the `Forgot Your Password` request values.
Exploitation of the vulnerability requires no application user account and no user interaction. Successful exploitation of the critical remote vulnerability results in PSN account compromise, PSN account infiltration, account information disclosure, or PSN user account manipulation.
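Added example, not part of the advisory and not Sony's code: a Python model of the reset flow described above, from the defender's side. `ResetStore`, `finish_weak`, `finish_hardened` and `RESET_TTL` are hypothetical names; the weak handler reproduces the check the advisory describes (token merely present and non-empty, then the birthdate check), while the hardened handler re-validates the token on the second step against the account and session that began the flow, single-use and with expiry.

```python
import hmac
import secrets
import time

RESET_TTL = 900  # assumed lifetime of a reset token, in seconds


class ResetStore:
    """Hypothetical server-side store for resets begun via the recovery form."""

    def __init__(self):
        self.tokens = {}  # token -> {account, session, expires, used}

    def begin(self, account, session, now=None):
        """Step 1 (beginPasswordResetFlow): issue a single-use token bound to
        the requesting account and its web session."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"account": account, "session": session,
                              "expires": now + RESET_TTL, "used": False}
        return token

    def finish_weak(self, token, account, session, birthdate, stored_bd):
        """Flawed step 2, as the advisory describes it: the token is only
        tested for presence and non-emptiness, so a held request whose
        account value was swapped still passes once the birthdate matches."""
        if not token:
            return False
        return birthdate == stored_bd  # account and session never re-checked

    def finish_hardened(self, token, account, session, birthdate,
                        stored_bd, now=None):
        """Step 2 re-validating context: the token must be known, unexpired,
        unused and bound to the same account and session; then birthdate."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        if not (hmac.compare_digest(rec["account"], account)
                and hmac.compare_digest(rec["session"], session)):
            return False
        if not hmac.compare_digest(birthdate, stored_bd):
            return False
        rec["used"] = True  # single use: a replayed or held copy now fails
        return True
```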
Vulnerable Service(s):
[+] PSN Network - Auth Service - http://de.playstation.com/sign-in/
Vulnerable Section(s):
[+] Account Application Service - https://secure.eu.playstation.com/sign-in/
Vulnerable Module(s):
[+] Recovery Function - https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action
Affected Module(s):
[+] JSon, JQuery & Session
Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without an application user account and without user interaction. For demonstration or reproduction ...
Required for Exploitation:
[+] Tamper Data or other live tamper software
[+] Web Browser like mozilla firefox, opera and co.
[+] A random PSN website application session that has not expired in any way
Exploitation Technique(s):
[+] Bypass the PSN recovery page (request tamper) to a new password (use both forgotten) to reset
[+] Bypass token protection via non-empty value(s) with positive value(s) + \ to match when processing the request via JSON
[+] Hold the request via tamper and include own values to set up the new password in the form of the forgotten password POST inputs
[+] Check the postbox of the second ending reset to get the link and include the birthdate of the first account
[+] Reset the password to your own new values
Next Step(s):
[+] Decode captcha & send automatic value(s) -> Account Service (Remote Exploit)
Reference(s):
[+] Playstation.com/accounts/manage/beginPasswordResetFlow.action
Note:
The first request needs to be stopped and tampered while the bound recovery POST request is being sent. In the second step, the stopped request with the same values needs to be sent together to reset the other account's first valid request.
URL(s):
https://account.sonyentertainmentnetwork.com/pc/reg/account/forgot-password!input.action?service-entity=psn
https://cdn-a.sonyentertainmentnetwork.com/grc/js/jquery.preload-1.0.8-min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/footerJSONHTML.min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/DE/de/JSONUnifiedFooter.js
Session: Live 2012-11-01 (DE)- (19:22 - 20:10)
Solution:
=========
2012-05-01: Vendor Fix/Patch by Check
Risk:
=====
The security risk of the password reset web session vulnerability is estimated as critical.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to get permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/