Filter bypass vulnerability found in Kaspersky Password Manager
Posted on 2012-8-7 08:12
Source: MACD forum (bbs.macd.cn) Author: 淡淡体味 Views: 3535 Replies: 0

Security researchers part of the Vulnerability Lab have identified a medium severity software filter and validation vulnerability that affects Kaspersky’s Password Manager 5.0.0.164 and older variants.

According to the experts, the flaw allows a local attacker to inject malicious code during the exportation process of a database.

“The vulnerability is located in the validation of the html/xml export function/module & the bound vulnerable name, domain, url, comment (listing) parameters,” reads the advisory published by Vulnerability Lab.

“URLs of entries are embedded in the exported HTML file without encoding XML special characters, when the URL (domain) field of an entry contains a malicious script code, this will be executed when the exported HTML file is opened in a browser.”

If exploited successfully, the vulnerability can be leveraged to persistently manipulate the application, phishing, the execution of malware, and even for stealing the victim’s passwords in clear text. All these operations require only medium interaction on the user’s side.

The researchers also provide an example of an exploitation scenario in which the attacker sends the victim a cleverly crafted login page with a specific code in the URL’s parameters.

This code calls an HTML or a JavaScript which responds to a URL with a chmod 777 command to exchange the file when processing local requests.

The unsuspecting Kaspersky Password Manager customer saves the malicious login page to the application via the AutoFill plugin.

Later, when the victim attempts to export the file in HTML format using the standard template, the malicious script is executed and the content of the file is sent back to the server owned by the attacker.

For the time being, the issue remains unaddressed. As a solution that should be implemented by the vendor, the researchers recommend the use of XML special characters in item names in the exportation of content as an HTML file.

Here is the proof-of-concept video published by the experts to demonstrate their findings.
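As an added illustration, not code from the advisory, Vulnerability Lab or Kaspersky, the following Python sketch shows the export pattern the advisory describes next to the fix it recommends: entry fields pasted into an HTML template verbatim, beside a version that encodes the XML/HTML special characters of every field before it reaches the file. The entry records, field names, function names and the self-check regex are all constructed for this example.

```python
import html
import re

# Constructed sample entries for this example; not data from the advisory.
# The third entry's URL field carries an HTML tag so the two exporters can be compared.
SAMPLE_ENTRIES = [
    {"name": "Mail", "domain": "mail.example.com",
     "url": "https://mail.example.com/login", "comment": "personal"},
    {"name": "Bank & Co", "domain": "bank.example.com",
     "url": "https://bank.example.com/?a=1&b=2", "comment": 'say "hi"'},
    {"name": "Evil", "domain": "evil.example.com",
     "url": "https://evil.example.com/<script>alert(1)</script>", "comment": ""},
]

# The four parameters the advisory names as bound to the export.
FIELDS = ("name", "domain", "url", "comment")


def export_html_unescaped(entries):
    """Vulnerable pattern (as the advisory describes it): field values are pasted
    into the HTML template verbatim, so any markup in a field becomes live markup."""
    rows = []
    for e in entries:
        name, domain, url, comment = (e[f] for f in FIELDS)
        cells = (f"<td>{name}</td><td>{domain}</td>"
                 f'<td><a href="{url}">{url}</a></td>'
                 f"<td>{comment}</td>")
        rows.append(f"<tr>{cells}</tr>")
    return "<html><body><table>\n" + "\n".join(rows) + "\n</table></body></html>"


def safe_href(url):
    """Escaping makes a value safe as text or attribute content, but it does not
    decide whether a URL should be clickable at all; only http(s) URLs get an href."""
    return re.match(r"https?://", url, re.IGNORECASE) is not None


def export_html_escaped(entries):
    """Hardened pattern: every field goes through html.escape(), which turns
    & < > " ' into character references before they reach the template."""
    rows = []
    for e in entries:
        name, domain, url, comment = (html.escape(str(e[f]), quote=True) for f in FIELDS)
        link = f'<a href="{url}">{url}</a>' if safe_href(e["url"]) else url
        cells = f"<td>{name}</td><td>{domain}</td><td>{link}</td><td>{comment}</td>"
        rows.append(f"<tr>{cells}</tr>")
    return "<html><body><table>\n" + "\n".join(rows) + "\n</table></body></html>"


# Tags the fixed template is allowed to contain; any other tag in the output means
# user-controlled content reached the file unencoded.
TEMPLATE_TAG_RE = re.compile(r"<(?!/?(?:html|body|table|tr|td|a)\b)[^>]*>", re.IGNORECASE)


def contains_unexpected_tags(document):
    """Self-check an export routine can run over its own output before writing it."""
    return TEMPLATE_TAG_RE.search(document) is not None


if __name__ == "__main__":
    vulnerable = export_html_unescaped(SAMPLE_ENTRIES)
    hardened = export_html_escaped(SAMPLE_ENTRIES)
    print("unescaped export contains stray tags:", contains_unexpected_tags(vulnerable))
    print("escaped export contains stray tags:  ", contains_unexpected_tags(hardened))
    print(hardened)
```

The `contains_unexpected_tags` check is a cheap regression guard for an export feature: run it over the generated document and refuse to write the file if any tag outside the fixed template appears. The `safe_href` gate is the caveat that goes with the advisory's recommendation: character encoding stops a field from breaking out of the template, but a URL that is placed into an `href` still needs a scheme allowlist, because encoding does not change what a browser does with a non-http(s) scheme.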