Security

Hacking the antivirus: BitDefender remote code execution vulnerability

What happens when the very antivirus designed to keep you and your organization safe becomes a threat vector for the attackers to exploit?

Yesterday, I broke the news story on Bleeping Computer about a remote code execution vulnerability which was recently discovered and disclosed by security researcher and blogger Wladimir Palant.

Palant explained how the vulnerability, CVE-2020-8102, impacted BitDefender versions up until the one released recently: “An automatic update to product version 24.0.20.116 or later fixes the issue,” stated the company in an advisory.

Vulnerability Identifier: CVE-2020-8102
Date disclosed: June 22nd, 2020
Impacted components: Bitdefender Safepay
CVSS Score: 8.8
CVSS 3 Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The vulnerability when successfully exploited can let attackers execute remote code on a Bitdefender user’s machine from any malicious website they control!

Vulnerability origins

Like many leading antivirus products and in an effort to provide overall system security, BitDefender acts as a Man-in-the-Middle (MitM) proxy intercepting and inspecting encrypted HTTPS connections.

Most of these products have a component geared towards online security, referred to by Safe Browsing, Safe Search, Web Shield, etc.

The vulnerability stems from the fact how BitDefender handles SSL certificates. When an invalid SSL certificate is presented by a website, most modern browsers let the user decide: to accept the certificate at their risk, or to navigate away. Likewise, BitDefender in an effort to offer safer browsing experience to users, provides its customized version of such a webpage:

Invalid certificate error page generated by Bitdefender
Source: Wladimir Palant

If a user still ignores HSTS warnings and continue to access the website at their own risk, that often poses no issues.

But, a key finding here, as Palant pointed out, is the URL itself within the address bar of the web browser remains constant. This causes Bitdefender Safepay to share security tokens between that (potentially malicious) page and any other website hosted on the same server and being accessed within Bitdefender’s Safepay virtual browsing environment.

Shared session tokens

Ideally these session tokens should not be shared between websites.

“The URL in the browser’s address bar doesn’t change. So as far as the browser is concerned, this error page originated at the web server and there is no reason why other web pages from the same server shouldn’t be able to access it. Whatever security tokens are contained within it, websites can read them out – an issue we’ve seen in Kaspersky products before,” Palant stated in his report.

Palant was able to verify this behavior by running a PoC. He setup a local web server and accessed it via Safepay. Initially, the server was designed to present a valid SSL certificate, but switching to an invalid one shortly after.

Once the certificate was switched to an invalid one, an AJAX request was made to download the SSL error page. Now, the same-origin policy in any web browser would naturally allow this request if it felt the same-origin was maintained, and so did Bitdefender Safepay.

“This allowed loading a malicious page in the browser, switching to an invalid certificate then and using XMLHttpRequest to download the resulting error page. This being a same-origin request, the browser will not stop you. In that page you would have the code behind the ‘I understand the risks’ link,” Palant explained.

The security tokens injected during a website by Bitdefender Safepay
Source: Wladimir Palant

These “security tokens” are hardcoded values that don’t change during a session; which is alright, but the same tokens are shared between different websites due to this bug, which is a problem.

Additionally, Safe Search and Safe Banking features of the component don’t implement any further protections, “As it turns out, all functionality uses the same BDNDSS_B67EA559F21B487F861FDA8A44F01C50 and BDNDCA_BBACF84D61A04F9AA66019A14B035478 values, but Safe Search and Safe Banking don’t implement any additional protection beyond that,” said Palant.

Remote code execution

This means, if a victim is tricked into accessing an attacker-controlled website via Safepay, the attacker can now have visibility into these tokens. And because these tokens are shared between the “isolated” banking websites accessed during a session, the attacker now has the ability to compromise those sensitive websites running in the same Bitdefender Safepay browser session.

But it doesn’t stop here. the attacker-controlled site can abuse the same token functionality to execute arbitrary code remotely on the victim’s machine, via a crafted AJAX request.

Script to perform remote code execution
Source: Palant

In just one example, Palant demonstrated how an AJAX request with a “data:” URI could be used to instruct the victim’s machine to launch a command prompt window running “whoami”:

Remote executable downloaded and executed
Source: Palant

Bitdefender has issued an automatic security update in version 24.0.20.116 and above to patch this vulnerability.

Yes, a fix has been released to safeguard affected users, but vulnerabilities like these pose a greater question: how secure are antivirus products themselves? In spite of best intentions, such as providing a secure browsing environment, what happened here certainly wouldn’t sit well with Bitdefender users.

Unless one is super-duper sure when playing Man-in-the-Middle (MitM), it is probably best to leave encrypted connections alone: just as they were meant to be.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

12 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

12 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

12 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

12 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.