2025-02-27 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Bitdefender has fixed a vulnerability in the Safepay browser component of Bitdefender Total Security 2020 that allowed an attacker to run commands on the user's machine remotely. Many readers are not familiar with how such a flaw works, so the following explains it in detail.
The vulnerability, a remote code execution bug in the Safepay browser component, is tracked as CVE-2020-8102.
"There is an input validation error vulnerability in the Safepay browser component of Bitdefender Total Security 2020," Bitdefender said in a security bulletin. "Remote attackers can use a specially constructed web page to run commands in the Safepay Utility process. The vulnerability affects versions prior to Bitdefender Total Security 2020 24.0.20.116."
Wladimir Palant, a security blogger and the original developer of the AdBlock Plus extension, disclosed a flaw in the way Bitdefender handles invalid certificates while trying to protect users from them.
As part of its overall security suite, Bitdefender acts as a man-in-the-middle (MitM) proxy so that it can inspect HTTPS connections.
Almost every antivirus vendor does something similar, usually under a name such as Safe Search, Web Protection or Web Access Protection.
When a site presents an invalid or expired SSL certificate, most browsers leave the decision to the user: accept the certificate after a warning, or navigate away. Bitdefender mimics this experience with a custom warning page of its own, shown below.
Figure: Bitdefender's invalid certificate warning page (source: Palant)
On its own, this is not a problem: the user chooses to ignore the certificate warning and proceeds at their own risk.
The interesting detail, as Palant points out, is that the URL in the browser's address bar does not change. The browser therefore treats the warning page as if it came from the site itself, so any page on that origin, including a malicious one, can read whatever security tokens the warning page contains. Those tokens are shared with every other site loaded in Bitdefender's Safepay virtual browsing environment.
"The URL in the browser address bar will not change. As far as browsers are concerned, this error page originated from the web server, and there is no reason to make it inaccessible to other pages from the same server. No matter what security tokens it contains, the site can read them. This is a problem we have seen in Kaspersky products before," Palant said in his report.
Palant demonstrated the behaviour with a proof of concept: a locally running web server presents a valid SSL certificate on the first request, then switches to an invalid one.
Once the certificate has been switched, the page issues an AJAX request to fetch the SSL error page. Because the browser sees the request as same-origin, the same-origin policy allows it.
"This allows you to load a malicious page in the browser, then switch to an invalid certificate and use XMLHttpRequest to download the resulting error page. This is a same-origin request, and the browser will not block you. On this page, you will get the code for the 'I understand the risks' link," Palant explained.
Figure: Bitdefender injecting headers into the bank site (source: Palant)
Like other antivirus products, Bitdefender relies on a set of security tokens to authorise the AJAX requests it issues during a session. These values, however, are hard-coded and never change, even though they should differ from one session to the next.
Nor do the component's Safe Search and Safe Banking functions add any protection of their own. "It turns out that all functions use the same BDNDSS_B67EA559F21B487F861FDA8A44F01C50 and BDNDCA_BBACF84D61A04F9AA66019A14B035478 values, but other than that, Safe Search and Safe Banking do not implement any additional protection," Palant wrote.
In practice, an attacker who learns these values, for example because the user visits a malicious site while Bitdefender is running, can attack every other supposedly isolated banking site open in the same Safepay browser session.
Worse still, a malicious page can use the same security tokens to issue AJAX requests that execute arbitrary code on the victim's computer.
Figure: script issuing the RCE request (source: Palant)
The request carries the same tokens used during the Safepay Safe Banking session, together with the payload encoded as a data: URI. Once processed, the payload opens a command prompt on the victim's machine and runs a command, whoami in this example:
Figure: downloading and executing a remote executable (source: Palant)
Bitdefender has fixed the issue in an automatic update; versions 24.0.20.116 and later are no longer affected.
Vulnerabilities like this one are a reminder that a component built with the best intentions, such as providing a secure browsing environment, can itself introduce risk.
© 2024 shulou.com SLNews company. All rights reserved.