Kaspersky – Unvalidated redirection flaw exploitable to serve malware

Pierluigi Paganini August 23, 2013

The cyber Security Analyst Consultant at Q-CERT Ebrahim Hegazy has found an “Unvalidated Redirection Vulnerability” in the website of the giant security solutions vendor “Kaspersky”.

Ebrahim Hegazy (@Zigoo0) has found an “Unvalidated Redirection Vulnerability” in the website of the giant security solutions vendor “Kaspersky”.
Ebrahim Hegazy is the cyber Security Analyst Consultant at Q-CERT who found a SQL Injection in “Avira” website last month, this time he found a Unvalidated Redirection Vulnerability that could be exploited for various purposes such as:
  • Cloned websites (Phishing pages)
  • It could also be used by Black Hats for Malware spreading
In the specific case what is very striking is that the link usable for the attacks is originated by a security firm like Kasperky with serious consequences.
Would you trust a link from your security vendor? Absolutely Yes!
But imagine your security vendor is asking you to download a malware!
To explain how dangerous the situation is when your security vendor is vulnerable, Ebrahim Hegazy sent me a video explaining the malware spreading scenario to simulate a Black Hat’s exploiting Unvalidated Redirection Vulnerability in Kaspersky website to serve a malware.
Unvalidated redirection on Kaspersky
“Since I’m working on Cyber security analysis, I’ve seen many methods of black-hats to spread links, maybe this link is for Exploit kits, Java Applet, flash exploits, or maybe a direct link to their EXE file. Let’s take an example on the Facebook spreading techniques of the attackers, you may notice that “Mediafire” website was used lately in wide Malware spreading attack on Facebook.com,Which caused a wide infection, as the infected user will start to send links from Mediafire.com to his friends and since “Mediafire” is a trusted website/source  for users so they simply click it and download the file!

But what if the links are coming from a very well known Security solutions vendor such as Kaspersky? For sure people will trust the links. So, through “Unvalidated Redirection Vulnerability” in Kaspersky, attackers will be able to spread a link coming from Kaspersky.com but when the user clicks on that link, he will get redirected to the attacker’s website which would download at Malware on their machines or even download a “Rogue Antivirus” to steal financial information such as credit card information!” explained Ebrahim Hegazy.

After the researcher reported the vulnerability to Kaspersky team, it took about 2 months to fix the vulnerability, it is really a long time considering that if a hacker had found this flaw before Hagazy he could spread links using Kaspersky.com.

The consequences of unfixing of such vulnerability are critical

  • Wide infection – since the redirection is coming from a trusted source especially if the attacker registered a domain name similar to Kaspersky.com
  • Very bad reputation for Kaspersky company.
  • Your most trusted resource “Your Antivirus” will be your worst enemy! Would you trust anything else!
And many other consequences.
The vulnerability was reported to Kaspersky web-team and is now fixed.

Pierluigi Paganini

(Security Affairs – Poison Ivy , cybercrime, cyberespionage)



you might also like

leave a comment