AVAST (Business) #17 - Persistent Web Vulnerability

Document Title:
===============
AVAST (Business) #17 - Persistent Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1634


Release Date:
=============
2016-05-24


Vulnerability Laboratory ID (VL-ID):
====================================
1634


Common Vulnerability Scoring System:
====================================
3.7


Product & Service Introduction:
===============================
Avast security software products are developed for Microsoft Windows, Mac OS X, Android and Linux users by AVAST Software s.r.o., a Czech private limited company. 
Avast was founded in 1988, and is headquartered in Prague, Czech Republic. It produces antivirus and security programs for personal and commercial use. In January 
2015, Avast had 21.4% of the worldwide security vendor market share. As of March 2015, Avast had 233 million users of its products and services worldwide. According 
to a company press release, Avast protects more than 30 percent of the consumer PCs in the world outside of China. The software products have a user interface available 
in 45 languages. Avast has 500 employees; 90 percent of whom work in the Czech Republic. Avast has 13 offices in Prague, Brno, Germany, China, South Korea, Taiwan & U.S.

(Copied from: https://en.wikipedia.org/wiki/Avast_%28software_company%29 )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered an application-side input validation web vulnerability in the official Avast Business and Shop online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-10-29: Researcher Notification & Coordination (Karim Rahal)
2015-10-30: Vendor Notification (AVAST Security Team - Bug Bounty Program)
2015-11-09: Vendor Response/Feedback (AVAST Security Team - Bug Bounty Program)
2016-02-26: Vendor Fix/Patch (AVAST Developer Team)
2016-05-24: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
AVAST!
Product: Business - Online Service (Web-Application) 2015 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
Stored (persistent) XSS is an attack in which an attacker is able to place a script payload into a page so that it is persisted in a specific 
area of the website, here the Cancel link of the billing pages and of the "edit billing information" link sent in the process-failed email. The 
XSS is possible because the website does not validate the `x-url-back` parameter, which defines the value of the `href` attribute of the Cancel 
button on the page. A `javascript:` URI supplied in `x-url-back` is therefore stored and rendered as the Cancel button's link on the credit card 
editing page and on the "Process Delayed" page of the billing editing process. When the Cancel button is clicked, the payload executes in the 
context of the victim's authenticated session, which could lead to a full account takeover through the stored (persistent) XSS. Note that the 
session cookies visible in the HTTP logs below are flagged HttpOnly, so the payload cannot simply read them; a takeover would rely on actions 
performed from within the victim's session (such as changing account or billing details) rather than on cookie theft.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by a remote attacker with a low-privileged web-application user account and low user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the vulnerability ...
1.  Go to: https://business.avast.com/#settings/profile/billing
2.  Click the option to enter your billing information.
3.  You are redirected to a URL where the billing information is filled in.
4.  In that URL, replace the value of the "x-url-back=" parameter with an XSS payload, for example: javascript:alert("XSS by Karim")
5.  Reload the URL with the edited "x-url-back=" value.
6.  Fill in all the information, using generated (test) credit card data.
7.  Click Confirm and Save.
8.  You are redirected to a page saying the information is being processed; after about 3 seconds it redirects to a page saying "Process Delayed".
9.  On the "Process Delayed" page, clicking Cancel executes the stored XSS payload.
10. Later you also receive an email saying that the process failed, containing a URL that offers to edit your billing information.
11. Opening that URL (e.g. https://shop.avast.com/1254/cp/81861004-vdC8wg2zGkDUJnA4fScs?) and clicking Cancel again executes the XSS payload.
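The following is an added example, not code from Avast or from this advisory, showing the pattern behind the bug and one way to close it: a "return URL" parameter like `x-url-back` is placed into the `href` of a Cancel button, so a `javascript:` URI becomes a clickable script. The hardened version parses the value with the WHATWG URL parser, allows only `https:` URLs on an allowlisted set of origins, and escapes the attribute. The allowlisted origins, the default fallback target and the rendering functions are assumptions for illustration; only the parameter name and the `alert("XSS by Karim")` payload come from the advisory.

```javascript
// Added example (not Avast's code): handling a "return URL" parameter such as
// the advisory's x-url-back before it becomes the href of a Cancel button.
// ALLOWED_ORIGINS and DEFAULT_BACK are assumptions chosen for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://business.avast.com",
  "https://shop.avast.com",
]);
const DEFAULT_BACK = "https://business.avast.com/#settings/profile/billing";

// Vulnerable pattern: the parameter is interpolated into href unchanged, so
// x-url-back=javascript:alert(1) yields a Cancel button that runs script.
function renderCancelLinkVulnerable(xUrlBack) {
  return `<a class="cancel" href="${xUrlBack}">Cancel</a>`;
}

// Minimal escaping for a double-quoted HTML attribute value.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the normalised absolute URL if it is acceptable as a back link,
// otherwise null. Using the URL parser instead of a regex matters: it
// lower-cases the scheme and strips tabs/newlines, so "JaVaScRiPt:" and
// "java\tscript:" are still recognised as the javascript: scheme.
function safeBackUrl(input, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return null;
  }
  let url;
  try {
    url = new URL(input, DEFAULT_BACK); // the base lets relative paths resolve
  } catch {
    return null; // unparseable input
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript:, http: ...
  if (url.protocol !== "https:") return null;
  // Origin allowlist: rejects //evil.example, user@host tricks, look-alike hosts
  if (!allowedOrigins.has(url.origin)) return null;
  return url.href;
}

// Hardened rendering: validated target, safe fallback, attribute escaping.
function renderCancelLink(xUrlBack) {
  const target = safeBackUrl(xUrlBack) ?? DEFAULT_BACK;
  return `<a class="cancel" href="${escapeAttr(target)}">Cancel</a>`;
}

// Walk-through with the payload from the PoC above.
const payload = 'javascript:alert("XSS by Karim")';
console.log("vulnerable:", renderCancelLinkVulnerable(payload));
console.log("hardened:  ", renderCancelLink(payload));
```

Run with `node`. The design point is that the scheme check and the origin check are both needed: the scheme check alone still leaves an open redirect to any `https:` host, and an origin check without scheme normalisation can be bypassed with case or embedded whitespace. Where the flow allows it, not round-tripping a URL through the client at all (storing the return path server-side keyed by the transaction) removes the problem entirely.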


--- HTTP Logs #1 (For Process Delayed Page) ---
https://shop.avast.com/1254/?scope=confirmation&transaction=q5ga98d7ZI&id=k6QP3FpHuN
GET /1254/?scope=confirmation&transaction=q5ga98d7ZI&id=k6QP3FpHuN HTTP/1.1
Host: shop.avast.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: s_cc=true; s_fid=07E2138ED54D62BA-179800C7C6263F48; osc_omcid=undefined; s_nr2=1445968055006-New; osc_v12=Website; osc_v13=Website%20%7C%20Direct; osc_v14=Website%20%7C%20Direct%20%7C%20; osc_v15=Website%20%7C%20Direct%20%7C%20; osc_v27=Website%20%7C%20Direct; osc_v42=web; osc_ot=wd%3E%3Eun%3Eun; x-otid=wd%3E%3Eun%3Eun; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2B17DA4A05313D1F-6000010F20004890[CE]; _ga=GA1.2.2040103575.1445966997; locale2=en-ww; IDT2=IDTN-191379-j3PF6dUFwi6NiT6IZsxPtbUWSJC9fQbW3GY35444; BC-SID=86d4ab1f-e271-4bdd-8878-c4dd34542e90; BC-localIdSession="IDTN-191379-j3PF6dUFwi6NiT6IZsxPtbUWSJC9fQbW3GY35444:1"; __zlcmid=XPf3hmfhxBooFi; cbsession2=pan6MgzwGHGIAUz; cbsession1=k6QP3FpHuN=t9VCQYpLF3uRz7R; __utma=1.2040103575.1445966997.1445967215.1445967215.1; __utmb=1.13.10.1445967215; __utmc=1; __utmz=1.1445967215.1.1.utmcsr=business.avast.com|utmccn=(referral)|utmcmd=referral|utmcct=/; p0=0=81863836-x9nVcuLIUJrlwPVNAOHK; _dc_gtm_UA-58120669-2=1; __utmt=1; _gat_cb=1
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 27 Oct 2015 17:47:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en
X-Robots-Tag: noindex,noarchive,nofollow
X-Frame-Options: DENY
Set-Cookie: p0=0=81863836-x9nVcuLIUJrlwPVNAOHK; domain=.shop.avast.com; expires=Fri, 27-Oct-2017 17:47:45 GMT; path=/; HttpOnly
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
p3p: policyref="/w3c/p3p.xml", CP="NON DSP COR CURi ADMa DEVa TAIa HISa OUR LEG PHY ONL PUR COM INT LOC"
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8


--- HTTP Logs #2 (For Edit Billing information After Process Declined) ---
https://shop.avast.com/1254/cp/81861004-vdC8wg2zGkDUJnA4fScs?
GET /1254/cp/81861004-vdC8wg2zGkDUJnA4fScs? HTTP/1.1
Host: shop.avast.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: s_cc=true; s_fid=07E2138ED54D62BA-179800C7C6263F48; osc_omcid=undefined; s_nr2=1445968065717-New; osc_v12=Website; osc_v13=Website%20%7C%20Direct; osc_v14=Website%20%7C%20Direct%20%7C%20; osc_v15=Website%20%7C%20Direct%20%7C%20; osc_v27=Website%20%7C%20Direct; osc_v42=web; osc_ot=wd%3E%3Eun%3Eun; x-otid=wd%3E%3Eun%3Eun; s_sq=%5B%5BB%5D%5D; s_vi=[CS]v1|2B17DA4A05313D1F-6000010F20004890[CE]; _ga=GA1.2.2040103575.1445966997; locale2=en-ww; IDT2=IDTN-191379-j3PF6dUFwi6NiT6IZsxPtbUWSJC9fQbW3GY35444; BC-SID=86d4ab1f-e271-4bdd-8878-c4dd34542e90; BC-localIdSession="IDTN-191379-j3PF6dUFwi6NiT6IZsxPtbUWSJC9fQbW3GY35444:1"; __zlcmid=XPf3hmfhxBooFi; cbsession2=pan6MgzwGHGIAUz; cbsession1=k6QP3FpHuN=t9VCQYpLF3uRz7R; __utma=1.2040103575.1445966997.1445967215.1445967215.1; __utmb=1.14.10.1445967215; __utmc=1; __utmz=1.1445967215.1.1.utmcsr=business.avast.com|utmccn=(referral)|utmcmd=referral|utmcct=/; p0=0=81863836-x9nVcuLIUJrlwPVNAOHK; _dc_gtm_UA-58120669-2=1; __utmt=1; _gat_cb=1
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 27 Oct 2015 17:48:55 GMT
Server: Apache
Cache-Control: private
Content-Language: en
X-Robots-Tag: noindex, nofollow, noarchive
X-Frame-Options: DENY
Set-Cookie: cbsession1=QeIqrKQ9KB=gfCRCO2Fgzoeb6l&k6QP3FpHuN=t9VCQYpLF3uRz7R; domain=.shop.avast.com; expires=Tue, 03-Nov-2015 17:48:55 GMT; path=/; HttpOnly
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
p3p: policyref="/w3c/p3p.xml", CP="NON DSP COR CURi ADMa DEVa TAIa HISa OUR LEG PHY ONL PUR COM INT LOC"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8


Reference(s)
https://shop.avast.com/
https://business.avast.com/
https://shop.avast.com/1254/
https://shop.avast.com/1254/cp/
https://business.avast.com/#settings/
https://business.avast.com/#settings/profile/
https://business.avast.com/#settings/profile/billing


Solution - Fix & Patch:
=======================
2016-02-26: Vendor Fix/Patch (AVAST Developer Team)


Security Risk:
==============
The security risk of the persistent web vulnerability in the Avast Business website is estimated as low. (CVSS 3.7)


Credits & Authors:
==================
Karim Rahal [[email protected] / [email protected]] - @KarimMTV [http://www.vulnerability-lab.com/show.php?user=Karim%20Rahal]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                       - www.evolution-sec.com
Contact:    [email protected]                   - [email protected]                                      - [email protected]
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                      - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                          - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php             - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
([email protected] or [email protected]) to get a permission.

				Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™