Full Disclosure
mailing list archives
Sony Playstation Network Account Service System - Password Reset (Session) Vulnerability
From: Vulnerability Lab <research () vulnerability-lab com>
Date: Fri, 28 Jun 2013 00:37:01 +0100
Title:
======
Sony Playstation Network Account Service System - Password Reset (Session) Vulnerability
Date:
=====
2013-05-12
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=740
VL-ID:
=====
740
Common Vulnerability Scoring System:
====================================
9.3
Introduction:
=============
PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming and digital media delivery service provided/run by Sony Computer Entertainment for use with the PlayStation 3, PlayStation Portable, and PlayStation Vita video game consoles. The PlayStation Network is the video game portion of the Sony Entertainment Network.
(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a critical remote web vulnerability in the official PSN Network Accounting Service (PS).
Report-Timeline:
================
2012-11-04: Researcher Notification & Coordination
2012-11-06: Vendor Notification 1
2012-12-03: Vendor Notification 2
2013-01-15: Vendor Notification 3
2012-05-01: Vendor Fix/Patch by Check
2012-05-12: Public Disclosure (full 2013-06-28)
Status:
========
Published
Affected Products:
==================
Sony
Product: Playstation Network - Account Service 2012 Q3
Exploitation-Technique:
=======================
Remote
Severity:
=========
Critical
Details:
========
A critical password reset (session) vulnerability has been detected in the account application of the Sony PSN web server authentication system. The vulnerability allows remote attackers without a privileged application account to exchange session values and reset any PSN user account.
The vulnerability is located in the recovery (forgot password) function of the PSN account service application. In the recovery function, an auth request is bound to the account session via the allowed "forgot password" form (method 3), sent as JSON via jQuery, with the value of the intercept. When resetting via method 3, the request itself is not sanitized: only one value (Forgot Your Password) is processed, by loading it two times (https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action), and the manipulated request is changed live at the end while the request is being held. The value is only checked for existence and emptiness; its context is not validated again on the second pass. An attacker can bypass the token protection by tampering with the live session and exchanging the values for his own, and thereby reset any PSN account. Exploitation requires holding the request during processing, for example via the JSON form and jQuery request. The birthdate of the account must also be known, because of the protection mechanism at the end of the flow.
So far the remote vulnerability can only be exploited manually, using a session tamper tool such as Tamper Data. A remote attacker can, for example, bypass the token protection with values like "*/+[New Account Details]" or "[New Account Details]+/*" to reset random PSN application accounts, or take over specific chosen accounts by changing the password using the e-mail address of another user. The root cause is that the `Forgot Your Password` request values are not rechecked.
Exploitation of the vulnerability requires no application user account and no user interaction. Successful exploitation of the critical remote vulnerability results in PSN account compromise, PSN account infiltration, account information disclosure, or manipulation of PSN user accounts.
Vulnerable Service(s):
[+] PSN Network - Auth Service - http://de.playstation.com/sign-in/
Vulnerable Section(s):
[+] Account Application Service - https://secure.eu.playstation.com/sign-in/
Vulnerable Module(s):
[+] Recovery Function - https://store.playstation.com/accounts/manage/beginPasswordResetFlow.action
Affected Module(s):
[+] JSon, JQuery & Session
Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without an application user account and without user interaction.
For demonstration or reproduction ...
Required for Exploitation:
[+] Tamper Data or other live tamper software
[+] A web browser such as Mozilla Firefox, Opera and the like
[+] A random PSN web application session that has not expired in any way
Exploitation Technique(s):
[+] Bypass the PSN recovery page (request tamper) to a new password (use both forgotten) to reset
[+] Bypass the token protection via non-empty value(s) with positive value(s) + \ to match when processing the request via JSON
[+] Hold the request via the tamper tool and include own values to set up the new password in the form of the forgotten password POST inputs
[+] Check the mailbox of the second ending reset to get the link and include the birthdate of the first account
[+] Reset the password to your own new values
Next Step(s):
[+] Decode captcha & send automated value(s) -> Account Service (Remote Exploit)
Reference(s):
[+] Playstation.com/accounts/manage/beginPasswordResetFlow.action
Note:
The first request needs to be stopped and tampered with while the bound recovery POST request is being sent.
In the second step the stopped request with the same values needs to be sent together to reset the other account's first valid request.
URL(s):
https://account.sonyentertainmentnetwork.com/pc/reg/account/forgot-password!input.action?service-entity=psn
https://cdn-a.sonyentertainmentnetwork.com/grc/js/jquery.preload-1.0.8-min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/footerJSONHTML.min.js
https://cdn-a.sonyentertainmentnetwork.com/grc/unifiedFooter/DE/de/JSONUnifiedFooter.js
Session: Live 2012-11-01 (DE) - (19:22 - 20:10)
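The weakness described in the Details section and walked through in the exploitation steps above comes down to a second-step reset request whose account values are trusted from the client and whose token is only tested for presence, so swapping in another account's values is enough once that account's birthdate is known. The following Python is an added example, not Sony's code and not Vulnerability Lab's proof of concept: it simulates a two-step "forgot password" flow with a handler that has exactly that weakness beside a hardened one, and shows the hardened handler rejecting a request whose account fields have been exchanged. Everything in it (the account store, the e-mail addresses and birthdates, the token lifetime, the class and function names) is constructed for the illustration.

```python
# Added example (not Sony's or Vulnerability Lab's code): a two-step
# "forgot password" flow showing the flaw class the advisory describes,
# beside a hardened version. All account data below is constructed.
import copy
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 900  # assumed lifetime of a reset link

# Constructed sample account store (hypothetical addresses, not real users).
SAMPLE_ACCOUNTS = {
    "alice@example.invalid": {"password": "alice-old", "birthdate": "1990-01-01"},
    "mallory@example.invalid": {"password": "mallory-old", "birthdate": "1985-05-05"},
}


class ResetService:
    """Simulated account service; `now` is injectable so expiry can be tested."""

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts
        self.now = now
        # sha256(token) -> {"email", "expires", "used"}; only the hash is stored
        self._tokens = {}

    def begin_reset(self, email):
        """Step 1: issue a random, single-use token bound server-side to the account."""
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = {
            "email": email,
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def finish_reset_weak(self, form):
        """Step 2 as the advisory describes it: the token field is only tested for
        presence/emptiness, and the account to reset is taken from the client."""
        if not form.get("token") or not form.get("email"):
            return False
        email = form["email"]  # client-controlled, never tied to the token
        if email not in self.accounts:
            return False
        if form.get("birthdate") != self.accounts[email]["birthdate"]:
            return False  # the birthdate is the only real check left
        self.accounts[email]["password"] = form["new_password"]
        return True

    def finish_reset_hardened(self, form):
        """Step 2 hardened: the account is derived from the server-side token
        record, the token is checked for expiry and reuse, and it is consumed
        on every completion attempt (a wrong birthdate also burns it)."""
        token = form.get("token", "")
        if not token:
            return False
        rec = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["used"] or self.now() > rec["expires"]:
            return False
        rec["used"] = True  # single use, regardless of outcome
        email = rec["email"]  # any client-supplied "email" field is ignored
        expected = self.accounts[email]["birthdate"].encode()
        if not hmac.compare_digest(form.get("birthdate", "").encode(), expected):
            return False
        self.accounts[email]["password"] = form["new_password"]
        return True


def make_service(now=time.time):
    """Fresh service over a private copy of the constructed account store."""
    return ResetService(copy.deepcopy(SAMPLE_ACCOUNTS), now=now)


def demo_value_swap():
    """The advisory's 'exchange the values for your own' pattern in the toy:
    a token issued for mallory's account is submitted with alice's address and
    birthdate. Returns (weak_outcome, hardened_outcome)."""
    svc = make_service()
    tampered = {
        "token": svc.begin_reset("mallory@example.invalid"),
        "email": "alice@example.invalid",  # swapped in by the client
        "birthdate": "1990-01-01",         # alice's birthdate, assumed known
        "new_password": "attacker-chosen",
    }
    weak = svc.finish_reset_weak(tampered)
    fresh = make_service()  # second copy so the hardened run starts from the same state
    tampered["token"] = fresh.begin_reset("mallory@example.invalid")
    hardened = fresh.finish_reset_hardened(tampered)
    return weak, hardened


if __name__ == "__main__":
    print(demo_value_swap())  # (True, False)
```

The difference between the two handlers is where the account identity comes from: the weak one reads it from the form on the second pass, which is the "not validated again" behaviour the advisory describes, while the hardened one looks it up from the record created in step 1 and treats every form field except the token and the birthdate as untrusted. Consuming the token on a failed birthdate check is a deliberate choice so that one issued link cannot be used to guess the birthdate repeatedly; a real service would add rate limiting on step 1 as well.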
Solution:
=========
2012-05-01: Vendor Fix/Patch by Check
Risk:
=====
The security risk of the password reset web session vulnerability is estimated as critical.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin () vulnerability-lab com - support () vulnerability-lab com - research () vulnerability-lab com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin () vulnerability-lab com or support () vulnerability-lab com) to get permission.
Copyright © 2013 | Vulnerability Laboratory
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/