Security researchers from Vulnerability Lab have identified a medium-severity software filter and validation vulnerability that affects Kaspersky Password Manager 18.104.22.168 and older versions.
According to the researchers, the flaw allows a local attacker to inject malicious code during the export of a database.
“The vulnerability is located in the validation of the html/xml export function/module & the bound vulnerable name, domain, url, comment (listing) parameters,” reads the advisory published by Vulnerability Lab.
“URLs of entries are embedded in the exported HTML file without encoding XML special characters. When the URL (domain) field of an entry contains malicious script code, this will be executed when the exported HTML file is opened in a browser.”
If exploited successfully, the vulnerability can be leveraged for persistent manipulation of the application, phishing, execution of malware, and even theft of the victim’s passwords in clear text. All of these require only medium interaction on the user’s side.
The researchers also describe an exploitation scenario in which the attacker sends the victim a specially crafted login page whose URL parameters carry the script code.
The unsuspecting Kaspersky Password Manager user saves the malicious login page to the application via the AutoFill plugin.
Later, when the victim exports the database in HTML format using the standard template, the malicious script is executed and the content of the file is sent to a server controlled by the attacker.
For the time being, the issue remains unaddressed. As a fix to be implemented by the vendor, the researchers recommend encoding XML special characters in item names when content is exported as an HTML file.
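To illustrate the export flaw and the recommended fix, here is an added Python sketch; it is not code from the advisory or from Kaspersky, and the entry fields, HTML template and sample entries are constructed for the example. It renders entries into an HTML table once with raw substitution (the behaviour the advisory describes) and once with every field HTML-encoded and only http/https URLs turned into links.

```python
"""Added example (not the vendor's or Vulnerability Lab's code): HTML export of
password-manager entries, unencoded beside hardened."""
import html
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Entry:
    # Field names mirror the parameters the advisory lists; the class is hypothetical.
    name: str
    domain: str
    url: str
    comment: str


# Constructed sample data: the second entry carries markup characters in its
# URL field, the kind of value the advisory says is embedded without encoding.
SAMPLE_ENTRIES = [
    Entry("Webmail", "mail.example.com", "https://mail.example.com/login", "work"),
    Entry("Shop", "shop.example.com", 'https://shop.example.com/?q="><b>markup</b>', "test"),
]

TEMPLATE_ROW = '<tr><td>{name}</td><td>{domain}</td><td><a href="{href}">{url}</a></td><td>{comment}</td></tr>'


def export_unsafe(entries):
    """Raw substitution: any '<', '>', '"' or '&' in a field becomes part of the
    document structure when the exported file is opened in a browser."""
    rows = "".join(TEMPLATE_ROW.format(name=e.name, domain=e.domain, href=e.url,
                                       url=e.url, comment=e.comment) for e in entries)
    return f"<table>{rows}</table>"


def export_safe(entries):
    """Same template, but every field is escaped (quote=True so a quote in a value
    cannot close the href attribute) and only http/https URLs are linked."""
    def esc(value):
        return html.escape(value, quote=True)

    def href_for(url):
        # Escaping alone does not stop a non-web scheme from being a clickable link.
        return esc(url) if urlsplit(url).scheme.lower() in ("http", "https") else "#"

    rows = "".join(TEMPLATE_ROW.format(name=esc(e.name), domain=esc(e.domain), href=href_for(e.url),
                                       url=esc(e.url), comment=esc(e.comment)) for e in entries)
    return f"<table>{rows}</table>"


def contains_raw_markup(exported_html, field_value):
    """Review check: True if a field value survived into the export verbatim,
    i.e. its special characters were not encoded."""
    return field_value in exported_html
```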
Here is the proof-of-concept video published by the experts to demonstrate their findings.