Document Title: =============== Kaspersky PM - Software Filter Vulnerability References (Source): ==================== Release Date: ============= 2012-07-12 Vulnerability Laboratory ID (VL-ID): ==================================== 612 Common Vulnerability Scoring System: ==================================== 3 Product & Service Introduction: =============================== Kaspersky Password Manager is an indispensable tool for the active Internet user. It fully automates the process of entering passwords and other data into websites and saves the user going to the trouble of creating and remembering multiple passwords. When you use Kaspersky Password Manager to log in, you can rest assured that your data is safe. The software creates exceptionally strong passwords and prevents your login information from being stolen. All confidential data is encrypted and kept in a dedicated database on your computer. Kaspersky Password Manager makes your web experience safer, quicker and more convenient. (Copy of the Vendor Homepage: ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a software filter & validation vulnerability in Kasperskys Password Manager v5.0.0.164. Vulnerability Disclosure Timeline: ================================== 2012-07-12: Public or Non-Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Kaspersky Labs Product: Kaspersky Password Manager & older versions Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A software filter & validation vulnerability is detected in Kasperskys Password Manager v5.0.0.164 Software. The bug allows an attacker (local) to implement/inject malicious script code when processing to export a manipulated Kaspersky Password Manager database. The vulnerability is located in the validation of the html/xml export function/module & the bound vulnerable name, domain, url, comment (listing) parameters. URLs of entries are embedded in the exported HTML file without encoding XML special characters, when the URL (domain) field of an entry contains a malicious script code, this will be executed when the exported HTML file is opened in a browser. Exploitation of the vulnerabilitiy requires a manipulated url with malicious script code, a logging server with chmod 777, a listing file (random) & a kaspersky PM v5.0.0.164 user. The bug will be injected on the remote way (Autofill Engine), affects the local validation (html/xml) on exports and change the technic back when remote transfering the password lists. The injection of the malicious url/domain context can be done via automatic imports/plugins (KPM AutoFill Engine v5.0.0.164) as victim or manually (reproduce) by including. Successful exploitation of the vulnerability lead to stable (persistent) context manipulation, persistent phishing, execution of malware or stealing plain password lists. Medium user inter action is required to exploit the vulnerability. Normally Kaspersky Password Manager exports the html & xml backup with a secure clean template like ... Name des Benutzerkontos: test1 Link: test4 Benutzername:
Kennwort: test2
test3 Kommentartest5 The local attacker manipulate the database with malicious strings (script code) in the category item profile name input fields. Kaspersky password manager generates the clean html or xml template but after the persistent script code inject in the database profile name items, the persistent code is getting execute direct out the clean exported xml or html template file. Name des Benutzerkontos: ``>