Summary
When no browser extension is installed, arbitrary webpages can take control of Kaspersky's command interface and, for example, disable parts of its functionality.
Description
Without a browser extension (e.g. because the extension installation was not confirmed by the user, because the browser is unsupported, as in MS Edge, or because the extension was uninstalled via https://hackerone.com/reports/470519), Kaspersky falls back to injecting its script directly into the webpage. There are provisions to prevent the webpage from discovering the address of these scripts, but they are trivially circumvented by the webpage downloading its own source. There are also provisions to inject the script before any webpage scripts can run, so that unmanipulated references to various JavaScript objects can be stored. These provisions can likewise be circumvented by manipulating the objects and then rerunning Kaspersky's script. As a result, webpages can get full access to Kaspersky's command interface, which allows, for example, disabling Anti-Banner and Private Browsing functionality (either completely or on specific sites), adding URLs to the blocklist and much more. Worse yet: by exposing Kaspersky's internal processing to the web, bugs in this processing code turn into Remote Code Execution vulnerabilities allowing websites to execute code with the privileges of the SYSTEM user (I haven't explored this possibility further).
Environment
Steps to reproduce
I tested this with Chrome 71; it should work with any other browser as well, however.
server.py and disable_features1.html to some directory on your computer and run server.py (Python 3 required). This is a very rudimentary HTTP server running on http://localhost:5000/; you could use some other web server as well.
127.0.0.1 www.google.example.com
Normally, you would just use a subdomain of a domain you own; the host name has to start with "www.google." for Kaspersky's script to be injected there.
Impact
Websites gain full control of Kaspersky's command interface and can disable or manipulate its functionality. They can also attack potential vulnerabilities of the avp.exe process running with elevated privileges.
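The reproduction steps refer to the report's server.py, which is not reproduced on this page. The following is an added example and not the report's own file: a hypothetical Python 3 stand-in that serves a directory on port 5000 and logs the Host header of every request, so you can verify that the browser is actually reaching the server under a www.google.* name after the hosts-file entry is in place. The names HostLoggingHandler, serve_directory, fetch and self_check are my own, and the HTML file used by self_check is constructed inline for the check.

```python
import functools
import os
import tempfile
import threading
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


# Hypothetical stand-in for the report's server.py: serves static files from a
# directory and logs the Host header, so you can confirm that the request
# arrived under the www.google.* host name rather than plain localhost.
class HostLoggingHandler(SimpleHTTPRequestHandler):
    def log_message(self, fmt, *args):
        host = self.headers.get("Host", "-")
        print(f"[Host: {host}] " + (fmt % args))


def serve_directory(directory, port=5000):
    """Start a background HTTP server for `directory` on 127.0.0.1:`port`.
    Pass port=0 to let the OS pick a free port (used by self_check)."""
    handler = functools.partial(HostLoggingHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", port), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server


def fetch(port, path, host=None, timeout=5):
    """GET `path` from the local server, optionally overriding the Host header
    the way a hosts-file entry such as www.google.example.com would."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}")
    if host:
        req.add_header("Host", host)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def self_check():
    """Serve a constructed HTML file from a temp dir and fetch it back with a
    spoofed Host header; returns (status, body) for the caller to inspect."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "index.html"), "w", encoding="utf-8") as f:
            f.write("<!doctype html><title>constructed test page</title>")
        server = serve_directory(tmp, port=0)
        try:
            port = server.server_address[1]
            return fetch(port, "/index.html", host="www.google.example.com")
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    # Real use: run this file in the directory holding the test page, then
    # browse to http://www.google.example.com:5000/ (hosts entry required).
    server = serve_directory(os.getcwd(), port=5000)
    print("serving", os.getcwd(), "on http://127.0.0.1:5000/ (Ctrl+C to stop)")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        server.shutdown()
```

The logged Host header is the thing to watch: Kaspersky's injection decision depends on the host name the browser used, so a request logged under 127.0.0.1 or localhost means the hosts-file entry is not being picked up and the test page will not receive the injected script.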