Title:
======
Sony Playstation Network Account Service System - Password Reset (Session) 
Vulnerability


Date:
=====
2013-05-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=740


VL-ID:
=====
740


Common Vulnerability Scoring System:
====================================
9.3


Introduction:
=============
PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming 
and digital media delivery service provided/run 
by Sony Computer Entertainment for use with the PlayStation 3, PlayStation 
Portable, and PlayStation Vita video game consoles. 
The PlayStation Network is the video game portion of the Sony Entertainment 
Network.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a critical remote web 
vulnerability in the official PlayStation Network (PSN) Account Service.


Report-Timeline:
================
2012-11-04:     Researcher Notification & Coordination
2012-11-06:     Vendor Notification 1
2012-12-03:     Vendor Notification 2
2013-01-15:     Vendor Notification 3
2013-05-01:     Vendor Fix/Patch by Check
2013-05-12:     Public Disclosure (full 2013-06-28)


Status:
========
Published


Affected Products:
==================
Sony
Product: Playstation Network - Account Service 2012 Q3


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
A critical password reset (session) vulnerability has been detected in the 
account application of the Sony PSN web authentication system.
The vulnerability allows remote attackers without a privileged application 
account to exchange session values and reset the password of any PSN user 
account.

The vulnerability is located in the recovery (forgot password) function of the 
PSN account service application. The recovery function issues an auth request 
bound to the account session through the permitted forgot-password form 
(method 3), which is sent via JSON and jQuery with the intercepted value. When a 
reset is performed via method 3, only one value (`Forgot Your Password`) is 
sanitized, and the request is processed twice: the flow is loaded a first time 
(https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action) 
and the request is submitted again at the end of the flow, at which point the 
held request can be changed live. On that second pass the value is only checked 
for presence and non-emptiness; its context is not validated again. An attacker 
can therefore bypass the token protection by holding the live session request 
in a tamper tool and exchanging the values for their own, and so reset any PSN 
account. Exploitation requires `processing to request`, for example via the 
JSON form and the jQuery request, and it requires knowledge of the account's 
birthdate, because of the protection mechanism at the end of the flow.

So far the vulnerability can only be exploited manually, with a live session 
tamper tool such as Tamper Data. A remote attacker can, for example, bypass the 
token protection with values like "*/+[New Account Details]" or "[New Account 
Details]+/*" to reset arbitrary PSN application accounts, or infiltrate 
specifically chosen accounts by changing the password using the attacker's own 
e-mail address in place of the other user's. The underlying problem is the 
missing re-check of the `Forgot Your Password` request values.

Exploitation of the vulnerability requires neither an application user account 
nor user interaction. Successful exploitation of the critical remote 
vulnerability results in PSN account compromise, PSN account infiltration, 
account information disclosure or PSN user account manipulation.


Vulnerable Service(s):
                                [+] PSN Network - Auth Service - http://de.playstation.com/sign-in/

Vulnerable Section(s):
                                [+] Account Application Service - https://secure.eu.playstation.com/sign-in/

Vulnerable Module(s):
                                [+] Recovery Function - https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action

Affected Module(s):
                                [+] JSON, jQuery & Session


Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without an application 
user account and without user interaction. 
For demonstration or reproduction ...


Required for Exploitation:
                                [+] Tamper Data or another live request tamper tool
                                [+] Web browser such as Mozilla Firefox, Opera and co.
                                [+] Any PSN website application session which has 
                                    not expired in any way

Exploitation Technique(s):
                                [+] Bypass the PSN recovery page (request tamper) to 
                                    reach the new-password step (use both forgotten-
                                    password forms) and reset
                                [+] Bypass the token protection with non-empty 
                                    value(s), i.e. positive value(s) + \ so that they 
                                    match when the request is processed via JSON
                                [+] Hold the request in the tamper tool and include 
                                    your own values to set up the new password in the 
                                    forgotten-password POST inputs
                                [+] Check the mailbox at the end of the second reset 
                                    to get the link and enter the birthdate of the 
                                    first account
                                [+] Reset the password to your own new values

Next Step(s):
                                [+] Decode the captcha & send automated value(s) 
                                    -> Account Service (Remote Exploit)

Reference(s):
                                [+] Playstation.com/accounts/manage/beginPasswordResetFlow.action

Note:
The first request needs to be stopped and tampered with while the bound recovery 
POST request is being sent.
In the second step, the stopped request with the same values needs to be sent 
together with the other account's first valid request in order to reset it.


URL(s):
https://account.sonyentertainmentnetwork.com/pc/reg/account/forgot-password!input.action?service-entity=psn
https://cdn-a.sonyentertainmentnetwork.com/grc/js/jquery.preload-1.0.8-min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/footerJSONHTML.min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/DE/de/JSONUnifiedFooter.js



Session:         Live 2012-11-01 (DE)- (19:22 - 20:10)


Solution:
=========
2013-05-01:     Vendor Fix/Patch by Check


Risk:
=====
The security risk of the password reset web session vulnerability is estimated 
as critical.


Credits:
========
Vulnerability Laboratory [Research Team]  - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                - www.vulnerability-lab.com/register
Contact:    ad...@vulnerability-lab.com         - supp...@vulnerability-lab.com   - resea...@vulnerability-lab.com
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com     - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab   - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (ad...@vulnerability-lab.com or 
supp...@vulnerability-lab.com) to get a permission.

                                        Copyright © 2013 | Vulnerability Laboratory



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
