SIK-2016-010


Title:

Remote Code Execution Kaspersky App

Report ID

SIK-2016-010

Summary:

Due to an unprotected HTTP connection in combination with a path traversal vulnerability, it is possible to remotely execute code in the Kaspersky appl

Details:

The Android app named “Kaspersky Internet Security” downloads advertisement information using unprotected HTTP connection (http://ipm.kaspersky.com/600eb07a-2926-4407-b014-d3e8c77b0086.zip and http://ipm.kaspersky.com/eeea9321-5eac-4709-9046-8475ee951c82.zip). The downloaded zip file contains some HTML and CSS files utilized for presenting advertisement information to the user.

Due to the unprotected HTTP connection, a n attacker located can manipulate the transmitted zip files using a man-in-the-middle attack. The Kaspersky Internet Security app extracts the content of the zip file(s) to /app_ipm/ folder within the app’s directory on the Android smartphone. If one of the (attacker manipulated) zip file(s), which has been automatically downloaded by the app, contains an additional or manipulated pdm.jar file, the file will be extracted by the app. To force the app to execute the manipulated pdm.jar file, the original pdm.jar file in the /app_bases/ folder has to be overwritten. In order to do this, the unzip (extraction) algorithm can be abused to perform path or directory traversing in order to store the extracted file in the attacker selected directory (/app_bases/ folder) in contrast to the designated directory (/app_ipm/ folder).

This is the case, if the zip file contains a file with the full name “../../../../../../../../../../../../../../../../../../../../../../data/data/com.kms.free/app_bases/pdm.jar”

The original pdm.jar in the /app_bases/ folder will be overwritten and the manipulated pdm.jar (contains .dex file) will be executed from the Kaspersky Internet Security app.

The man-in-the-middle attack was done with the help of a modified Wi-Fi access point running a transparent proxy. With additional equipment it is also thinkable to do such an attack on a GSM or UMTS data connection.

Depending on the target of the attacker he can abuse this for injecting additional code into the application. The injected code will run in the (sandboxed) context of the Kaspersky Internet Security app. But the Kaspersky Internet Security app has a magnitude of permissions and the executed code can thus use a wide range of API calls. The loaded code may also execute a root exploit to escalate privileges and to establish some root (remote) shell.

An additional (theoretical) scenario, an attacker may hijack the advertisement providing server and he may abuse it to spread (remote) code to all Kaspersky apps and establish a botnet.

Workaround

Avoid public or unknown Wi-Fi Hotspots (access points) or use them only through a trusted VPN connection.

Suggested Mitigation

Proposals of a vendor fix can be done using different approaches: (1) transfer the zip file(s) using a protected SSL (HTTPS) connection and/or (2) include the unprotected traffic to the integrity protection within the app (similar to the signature and root detection updates the app retrieves from Kaspersky’s servers).

Timeline

  • 2015-09-20 Vulnerability Discovered
  • 2015-09-29 Vulnerability Reported (1. Try, no reaction)
  • 2015-09-30 Vulnerability Reported (2. Try)
  • 2016-10-15 Vulnerability Fixed