SIK-2016-013


Title:

XSS in Secure Browsing Module McAfee App

Report ID

SIK-2016-013

Summary:

The application, in particular the Secure Browsing module, contains a cross-site scripting (XSS) vulnerability.

Details:

The Secure Browsing feature should protect the user from malicious web sites. If the user visits such a malicious web page, the browsing module tries to block the page by showing the McAfee SiteAdvisor LIVE protection alert. This alert page contains an XSS vulnerability that allows JavaScript code to be embedded and executed.

See the code example:

<script type="text/javascript">
var lksu = "http://team-sik.org/";alert("XSS");var x="";  // <=== value taken from the URL, including the injected alert
if (lksu != "") {
    document.getElementById('gobackbtn').href = lksu;
}
else {
    if (history.length <= 1) {
        divelem = document.getElementById("gobackbtn")
        if (divelem) {
            divelem.style.display = "none"
        }
    }
}
</script>

The blocking page shows the URL of the calling site and embeds it into the blocking page. If the URL contains JavaScript, it will be executed (see the line beginning with var lksu). An attacker or malicious site can inject JavaScript to bypass the blocking page or execute other arbitrary JavaScript code. We evaluated this on the Android application, but we assume that if McAfee also uses this approach in the desktop version, this XSS vulnerability would also affect desktop systems.

The related code within the Android app for this vulnerability is located mostly in com.mcafee.android.siteadvisor.service.d. Method a(final String, int, final ComponentName) sets the last known safe URL:

[...]
if (this.h) {
    if (i.a("SiteAdvisorManager", 2)) {
        b.d("Inside onPageLoad call to set Last KnowSafeURL" + a2);
    }
    if (obj != null) {
        this.g = a2; // <=== saves last known URL
        if (i.a("SiteAdvisorManager", 2)) {
            b.d("Setting Last KnowSafeURL onPageLoad : " + this.g);
        }
    }
} else if (!a.a.e) {
    this.g = a2; // <=== saves last known URL
    if (i.a("SiteAdvisorManager", 2)) {
        b.d("Setting Last KnowSafeURL directly : " + this.g);
    }
} else if (!a2.equals(this.g)) {
    if (i.a("SiteAdvisorManager", 2)) {
        b.d("Calling ResolveLastKnownSafeURL to set Last KnowSafeURL" + a2);
    }
[...]

As a proof of concept, we provide a sample link from the Secure Browsing feature showing the JavaScript injection (JavaScript must be enabled in the browser).

http://www.salive.com/mprot2.html?v=1&ui=0&spid=mcafee&px=000800000000000000000000000000000000&c=0x821&url=2RYXRrK9YAOqKU0G8LVTS4HB%2BI83e7Oi&vascheme=com.wsandroid.suite&sabp=true&langcode=enUS&lksu=2RYXRrK9YAaNuGgMTPebqRFBVEM0gqIkolCJFeYHVin2OYs33qsYmg%3D%3D&enc=t#

Workaround

Deactivation of the Secure Browsing option.

Suggested Mitigation

Introduce a sanitizer that prevents JavaScript in the URL, or filter out anything appended to the URL and show only the base URL as a string.
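
The following is an added example of the suggested mitigation, not code from McAfee or from the advisory's authors. It contrasts the string concatenation seen in the alert page with a version that reduces the value to its base URL and serializes it as an escaped string literal; all function names are hypothetical, and it assumes the lksu value has already been decoded to plain text.

```javascript
// Added illustration; every function name here is hypothetical.

// The pattern from the advisory: the value is pasted into a JS string literal.
function renderVulnerable(lksu) {
  return 'var lksu = "' + lksu + '";';
}

// "Show only the base URL": keep scheme and host, and only for http(s).
function baseUrlOnly(value) {
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return ""; // not a URL: the page falls back to its empty-lksu branch
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "";
  return u.origin + "/";
}

// Serialize as a JS string literal that is also safe inside a <script> block.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderHardened(lksu) {
  return "var lksu = " + jsStringLiteral(baseUrlOnly(lksu)) + ";";
}

// Evaluate a rendered line with a stub alert() and report what happened.
function runScript(src) {
  const alerts = [];
  const fn = new Function("alert", src + "\nreturn lksu;");
  const lksu = fn((msg) => alerts.push(msg));
  return { alerts, lksu };
}

// Constructed input reproducing the value visible in the advisory's snippet.
const payload = 'http://team-sik.org/";alert("XSS");var x="';

console.log(renderVulnerable(payload), runScript(renderVulnerable(payload)));
console.log(renderHardened(payload), runScript(renderHardened(payload)));
```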

Timeline

  • 2015-11-25 Vulnerability Discovered
  • 2015-12-03 Vulnerability Reported
  • 2016-01-04 Vulnerability Fixed