Bitdefender Anti-Virus vulnerable to Remote Code Execution in its Safepay Browser
Bitdefender is a Romanian cybersecurity and anti-virus software company. It was founded in 2001 by Florin Talpeș who is currently the CEO. Bitdefender develops and sells anti-virus software, internet security software, endpoint security software, and other cybersecurity products and services. Bitdefender has released a Windows application designed to help users secure sensitive Web-browsing sessions, especially when they shop or bank online. The application is called Safepay and a free version is available to home users.
A researcher from palant.info found a new Bitdefender remote code execution vulnerability, tracked as CVE-2020-8102, in its Safepay browser component. The researcher found a combination of seemingly small weaknesses, each of them already seen in other antivirus products. Used together, their effect was devastating: any website could execute arbitrary code on the user’s system with the privileges of the current user (CVE-2020-8102).
An Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process. This issue affects Bitdefender Total Security 2020 versions prior to 188.8.131.52.
The vulnerability lies in how Bitdefender protects users from invalid certificates. To inspect secure HTTPS connections, Bitdefender acts as a Man-in-the-Middle (MitM) proxy between the browser and the web server.
Most browsers, when presented with an invalid or expired SSL certificate, warn the user and let them either accept the certificate or navigate away. Bitdefender gives its users the same experience through a customized version of such a warning page, shown below.
According to the researcher, the URL in the browser’s address bar stays that of the original site while this warning page is displayed. The warning page, and the security tokens embedded in it, therefore belong to the origin of that (potentially malicious) site, so any other page hosted on the same server and running inside Bitdefender’s Safepay virtual browsing environment can read those tokens.
The URL in the browser’s address bar doesn’t change. So as far as the browser is concerned, this error page originated at the web server and there is no reason why other web pages from the same server shouldn’t be able to access it. Whatever security tokens are contained within it, websites can read them out – an issue we’ve seen in Kaspersky products before.
The researcher demonstrated this behavior with a PoC: a locally running web server presented a valid SSL certificate on the first request and switched to an invalid one right after. Once the certificate was switched, an AJAX request was made to download the SSL error page. Because the error page appears at the site’s own address, the browser’s same-origin policy permits this request.
This allowed loading a malicious page in the browser, then switching to an invalid certificate and using XMLHttpRequest to download the resulting error page. This being a same-origin request, the browser will not stop you. In that page you would have the code behind the ‘I understand the risks’ link.
[Image source: Palant]
In order to communicate with the Bitdefender application, a website sends a request to any address. Bitdefender intercepts and processes that request locally if the correct HTTP headers are set. Although the header names look randomized, they are hardcoded and never change.
“The most interesting headers are BDNDSS_B67EA559F21B487F861FDA8A44F01C50 and BDNDCA_BBACF84D61A04F9AA66019A14B035478. These contain essentially the same value, an identifier of the current Bitdefender session. Would we be able to ignore errors on other websites using these? No, this doesn’t work because the correct BDNDTK_BTS86RE4PDHKKZYVUJE2UCM87SLSUGYF value is required as well. It’s an HMAC-SHA-256 signature of the page address, and the session-specific secret used to generate this signature isn’t exposed,” said the researcher.
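To make the two checks described above concrete, here is an added model (not Bitdefender’s code; the session secret and the URLs are constructed) of the same-origin read that exposes the tokens and of the HMAC-SHA-256 binding of the BDNDTK-style token to the page address, including the cross-site reuse the researcher says fails.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed session secret for this model; the real secret stays inside
# Bitdefender and is never exposed to web content.
SESSION_SECRET = b"constructed-session-secret-not-the-real-one"


def sign_page_address(url: str, secret: bytes = SESSION_SECRET) -> str:
    """Model of the BDNDTK-style token: HMAC-SHA-256 over the page address."""
    return hmac.new(secret, url.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_token(url: str, token: str, secret: bytes = SESSION_SECRET) -> bool:
    """Accept a token only if it was produced for exactly this page address."""
    return hmac.compare_digest(sign_page_address(url, secret), token)


def origin(url: str) -> str:
    """Scheme and host[:port], the unit the same-origin policy compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def script_can_read(error_page_url: str, script_origin: str) -> bool:
    """Same-origin policy as a browser applies it: a script may read a
    document (here, the certificate error page) only if that document's
    URL shares the script's origin. Because the error page is served at
    the site's own URL, the site's own script passes this check."""
    return origin(error_page_url) == script_origin


def token_reachable_and_valid(site_url: str, error_page_url: str, token: str) -> bool:
    """The two conditions the article chains together: a script on site_url
    must be able to read the error page, and the token it finds there must
    validate for the address it is used with."""
    return (script_can_read(error_page_url, origin(site_url))
            and verify_token(error_page_url, token))
```

If the error page were served from an origin distinct from the site’s, `script_can_read` would fail; the model illustrates that general design point, not how Bitdefender’s patch works.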
That means an attacker who can obtain these values, for example because a user visited their malicious site while Bitdefender is running, can compromise all other “isolated” banking websites running in the same Safepay browser session. Even worse, the attacker’s malicious page can use these same security tokens to make an AJAX request that executes arbitrary code on the victim’s computer.
[Image Source: Palant]
The request contains the same tokens being used during a Safepay Safe Banking session and additionally includes the payload as a “data:” URI. Once processed, the payload launches a command prompt on the victim’s machine running the “whoami” command, as just one example:
[Image Source: Palant]
Bitdefender has released a patch for affected users: an update that fixes this vulnerability is available in versions 184.108.40.206 and later.