Reflected XSS worth $5,000 discovered in Avast antivirus software
This article describes a reflected XSS vulnerability (CVE-2019-18653 and CVE-2019-18654) that the author discovered in the Avast desktop antivirus software. The cause of the vulnerability is that when a machine running Avast joins a new wireless network, Avast's network access notification (Avast Network Notification) reads the wireless network name (SSID) and displays it unfiltered, so the SSID is reflected into the notification and forms an XSS vulnerability. An attacker who controls the SSID of the wireless network the user joins can build a malicious XSS payload from it and present a fake web page that steals the user's password credentials. Avast finally classified the vulnerability as high-risk and awarded a $5,000 reward. The same vulnerability also exists in the AVG antivirus software from the same product family as Avast.
1. Avast desktop antivirus software is installed in the Windows system;
2. Construct a wireless network whose SSID is an XSS payload of no more than 32 characters. Refer to the short XSS payload construction methods given by BruteLogic and s0md3v;
3. Open the Avast antivirus software, connect to the newly constructed wireless network whose SSID carries the XSS payload, and wait for Avast's network access notification (Avast Network Notification); it will trigger the XSS payload contained in the wireless network SSID.
A few years ago, I saw that security researcher Deral Heiland, while testing the products of some large companies, constructed a wireless network whose SSID contained an XSS payload in order to test whether the software would trigger XSS execution when connecting to that wireless network; he eventually found that many software products have such vulnerabilities. He shared this technique at BLACK HAT in 2013 under the title "Practical Exploitation Using A Malicious Service Set Identifier (SSID)". Based on his findings, I also constructed a wireless network with an SSID containing an XSS payload on my OS X system for some tests.
A few months later, I bought another laptop (with Windows built in), so, for convenience, I connected this newly purchased laptop to the wireless network shared from my OS X system, whose SSID contained the XSS payload, and used it to download and install some necessary application software, finally installing the Avast antivirus software. Then one day, when I was using this newly bought laptop for online training, there was a problem with the network connection. The computer automatically connected to the shared wireless network I had used when installing the software, and a pop-up window with the link https://local.avast.com appeared on the desktop (like the one shown in the vulnerability reproduction).
I was a little confused at first, but later I figured it out. I had installed the Avast antivirus software while connected to the wireless network from my OS X system whose SSID contained the XSS payload. Now the Avast antivirus software had suddenly connected to this wireless network again, and the Avast Network Notification built into its firewall displayed the SSID containing the XSS payload. That is what produced the pop-up window above and formed an XSS vulnerability.
According to Avast's official introduction, Avast is a leading antivirus vendor with next-generation protection against network attacks: it can block abnormal traffic and hacker attacks in real time, with a focus on protecting user privacy and information security, and it has advanced end-to-end protection technology. The built-in "firewall" function is a typical application of this; it captures abnormal traffic entering and leaving the user's system in real time. In the default configuration, when a machine running Avast connects to a network, the firewall automatically shows a network access prompt (Avast Network Notification), as shown in the figure below, telling the user that Avast and the system are currently connected to the wireless network with SSID "My Hotspot".
After the pop-up window appears, the user can choose the type of the network currently connected to; there are two options, "Private" and "Public". The problem is that Avast Network Notification does not filter the SSID field of the wireless network. If an attacker constructs an SSID name that deliberately contains an XSS payload, as I did, the user is exposed to an XSS attack.
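As an added example (not Avast's code and not from the original post), the rendering mistake described above is shown beside its fix in JavaScript: the unsafe template interpolates the SSID straight into HTML, the safe one escapes it first, and two helper checks flag SSIDs that carry markup-sensitive characters or exceed the 32-octet SSID field. The notification template, the class name, the function names and the sample SSIDs are assumptions constructed for illustration.

```javascript
// Added example, not Avast's code. The notification UI is assumed to be
// HTML-based (the post shows it served from local.avast.com); the template,
// class name and helper names below are illustrative assumptions.

const MAX_SSID_BYTES = 32; // IEEE 802.11 SSID field limit (the 32 the post refers to)

// Escape the five characters that let text break out of an HTML text or
// attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the SSID is concatenated straight into the markup, so
// any tag inside the network name becomes part of the notification's DOM.
function renderNotificationUnsafe(ssid) {
  return `<div class="net-notify">Connected to <b>${ssid}</b>. Private or Public?</div>`;
}

// Fixed pattern: escape before interpolation; the SSID can only ever be text.
function renderNotificationSafe(ssid) {
  return `<div class="net-notify">Connected to <b>${escapeHtml(ssid)}</b>. Private or Public?</div>`;
}

// Defensive check for logging or alerting: a network name that carries
// markup-sensitive characters or a script URL scheme is worth flagging.
function ssidLooksLikeMarkup(ssid) {
  return /[<>"'&]/.test(ssid) || /javascript:/i.test(ssid);
}

// The SSID field holds at most 32 octets, so measure the UTF-8 encoding
// rather than the number of code points.
function ssidWithinLimit(ssid) {
  return new TextEncoder().encode(ssid).length <= MAX_SSID_BYTES;
}

// Constructed sample inputs: a benign name and one carrying harmless markup.
const sampleSsids = ['My Hotspot', 'My <i>Hotspot</i>'];
for (const ssid of sampleSsids) {
  const tag = ssidLooksLikeMarkup(ssid) ? 'FLAG' : 'ok  ';
  console.log(tag, ssidWithinLimit(ssid) ? '' : '(too long)', renderNotificationSafe(ssid));
}
```

Escaping at the point where the SSID is placed into the template is the fix; the two checks are only there so that a defender can log or alert on unusual network names, not as a substitute for output encoding.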
Attackers can use ">
Short XSS Payload
At first I successfully triggered the pop-up window, but I did not know how to take it further. Later, thanks to some research by Brute Logic and s0md3v, I put together a short XSS payload that effectively achieved the expected effect.
Affected versions
After testing on Windows 10, the vulnerability affects the following products:
Avast Internet Security version 19.3.2369 (build 19.3.4241.440), as well as Avast Free Antivirus and Avast Premier products
AVG Internet Security version 19.3.3084 (build 19.3.4241.440)
An attacker uses Avast's network access notification (Avast Network Notification) pop-up to embed a malicious URL link in the SSID of the wireless network being joined. Analysis shows that the malicious URL link leads to a forged login window for some important service that induces Avast users to enter their password credentials, so that user information is stolen in the background.
This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com: http://www.internetweblist.com/Web_defense/21870.html