Sony PSN Account Service - Password Reset Vulnerability

Document Title:
===============
Sony PSN Account Service - Password Reset Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=740


Release Date:
=============
2013-05-11


Vulnerability Laboratory ID (VL-ID):
====================================
740


Common Vulnerability Scoring System:
====================================
9.3


Product & Service Introduction:
===============================
PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run 
by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles. 
The PlayStation Network is the video game portion of the Sony Entertainment Network.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a critical remote web vulnerability in the official PSN Network Account Service (PS).


Vulnerability Disclosure Timeline:
==================================
2012-11-04:	Researcher Notification & Coordination
2012-11-06:	Vendor Notification 1
2012-12-03:	Vendor Notification 2
2013-01-15:	Vendor Notification 3
2012-05-01:	Vendor Fix/Patch by Check
2012-05-12:	Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================
Sony
Product: Playstation Network - Account Service 2012 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A critical password reset (session) vulnerability has been detected in the account application of the Sony PSN web server authentication system.
The vulnerability allows remote attackers without a privileged application account to exchange session values and reset arbitrary PSN user accounts.

The critical application vulnerability is located in the recovery (forgot password) function of the PSN account service application.
In the recovery function, an authentication request is bound to the account session through the allowed forgot-password form (method 3), submitted via JSON and jQuery
with the intercepted value. When resetting via method 3, only one value (Forgot Your Password) of the request is sanitized: the request is processed and loaded
twice (https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action), and the manipulated request can be changed live at the end while the
request is held. The value is only checked for existence and emptiness; its context is not validated again on the second pass.
An attacker can bypass the token protection via live session tampering to reset any PSN account by exchanging the values with his own.
Exploitation requires `processing to request`, for example via the JSON form and jQuery request. The birthdate of the account is also required
because of the protection mechanism at the end.

So far the remote vulnerability can only be exploited manually, using a (remote) session tamper tool such as Tamper Data. A remote
attacker can, for example, bypass the token protection with values like “*/+[New Account Details]“ or “[New Account Details]+/*“ to reset random
PSN application accounts or take over specifically chosen accounts by changing the password using the email of another user. The root cause is
that the `Forgot Your Password` request values are never re-checked.

Exploitation of the vulnerability requires no application user account and no user interaction. Successful exploitation of the critical remote
vulnerability results in PSN account compromise, PSN account infiltration, account information disclosure, or PSN user account manipulation.


Vulnerable Service(s):
				[+] PSN Network - Auth Service - http://de.playstation.com/sign-in/

Vulnerable Section(s):
				[+] Account Application Service - https://secure.eu.playstation.com/sign-in/

Vulnerable Module(s):
				[+] Recovery Function - https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action

Affected Module(s):
				[+] JSon, JQuery & Session
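The weakness the advisory describes is a reset value that is only tested for presence and never re-validated against the account on the second step. The following is an added illustration written for this page, not Sony's code (the service's real implementation is not on the page): a toy reset flow with the weak second step beside a hardened one that binds the token to the account, expires it and consumes it on use.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 900  # a reset token should die quickly


class PasswordResetFlow:
    """Toy reset service: begin() issues a token for an account,
    complete() changes the password only if that token is valid."""

    def __init__(self):
        self._pending = {}   # sha256(token) -> (account, expires_at)
        self.passwords = {}  # account -> password (plaintext for the demo only)

    def begin(self, account, now=None):
        # Step 1 (the beginPasswordResetFlow stage): issue an unguessable,
        # account-bound token; only its hash is stored server-side.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account, now + TOKEN_TTL_SECONDS)
        return token

    def complete_weak(self, account, token, new_password):
        # Failure mode from the advisory: the value is only checked for
        # existence / emptiness, never re-validated on the second pass,
        # so any non-empty tampered value resets any account.
        if not token:
            return False
        self.passwords[account] = new_password
        return True

    def complete(self, account, token, new_password, now=None):
        # Hardened second step: look the token up again, require it to be
        # bound to the same account and unexpired, then consume it.
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False
        bound_account, expires_at = entry
        if not hmac.compare_digest(bound_account.encode(), account.encode()):
            return False
        if now > expires_at:
            return False
        del self._pending[digest]  # single use: a replay of the same token fails
        self.passwords[account] = new_password
        return True
```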


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without an application user account and without user interaction.
For demonstration or to reproduce ...


Required for Exploitation:
				[+] Tamper Data or other live tamper software
				[+] Web browser like Mozilla Firefox, Opera and co.
				[+] A random PSN website application session which is not expired in any way

Exploitation Technique(s):
				[+] Bypass the PSN recovery page (request tamper) to set a new password (use both forgotten) to reset
				[+] Bypass the token protection via non-empty value(s) with positive value(s) + \ to match when processing the request via JSON
				[+] Hold the request via tamper and include own values to set up the new password in the form of the forgotten-password POST inputs
				[+] Check the postbox of the second, ending reset to get the link and include the birthdate of the first account
				[+] Reset the password to your own new values

Next Step(s):
				[+] Decode captcha & send automatic value(s) -> Account Service (Remote Exploit)

Reference(s):
				[+] Playstation.com/accounts/manage/beginPasswordResetFlow.action

Note:
The first request needs to be stopped and tampered with while the bound recovery POST request is being sent.
In the second step the stopped request, with the same values, needs to be sent together with the other account's first valid request in order to reset it.


URL(s):
https://account.sonyentertainmentnetwork.com/pc/reg/account/forgot-password!input.action?service-entity=psn
https://cdn-a.sonyentertainmentnetwork.com/grc/js/jquery.preload-1.0.8-min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/footerJSONHTML.min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/DE/de/JSONUnifiedFooter.js



Session:	 Live 2012-11-01 (DE)- (19:22 - 20:10)


Solution - Fix & Patch:
=======================
2012-05-01:	Vendor Fix/Patch by Check


Security Risk:
==============
The security risk of the password reset web session vulnerability is estimated as critical.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team]  - Benjamin Kunz Mejri ([email protected])


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory


