Message-ID: <KLHv0an--3-0@tutanota.com>
Date: Mon, 27 Jun 2016 18:33:15 +0100 (BST)
From: <thedeadcow@...anota.com>
To: Fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Armadito remote arbitrary file write in case of MiTM
Armadito (https://github.com/armadito) is a cross-platform open-source
antivirus that was originally the DAVFI project, financed through a French
government program.
As a security product supposed to protect computers against malware, its
update system fails at multiple points:
* the public key used to check update packages is retrieved using plain HTTP.
The same goes for the packages themselves.
* if Armadito can't download this public key, a bug makes it consider any
file it checks as valid (you don't even need to forge a signature)
* a vulnerability as old as the General de Gaulle (path traversal) then
allows downloading a controlled URL to an arbitrary path
All this allows someone in control of DNS answers or more generally in a MiTM
position to write arbitrary files when the update process is performed. It
also allows the editor to do it if they want (but db.armadito.org does not
seem to work at the time of writing this email). A simple python HTTP server
is attached to this mail as a proof-of-concept.
This happens in the ArmaditoSvc tool using the "--updatedb" flag. The
documentation doesn't specify if this should run as an administrator or not.
Here is an example of the output of this tool when a potential MiTM is
performed:
===========
C:\tmp\armadito>type ..\cow.txt
File specified not found.
C:\tmp\armadito>ArmaditoSvc.exe --updatedb
---------------------------------
----- Armadito Scan service -----
---------------------------------
[+] Debug :: UpdateModulesDB :: description file downloaded successfully!
[+] Debug :: UpdateModulesDB :: signature file downloaded successfully!
armadito[4624]: <error> [-] Error :: download_pub_key ::
URLDownloadToCacheFileA failed :: error = 0x800c0006
armadito[4624]: <error> [-] Error :: verify_file_signature :: Can't download
public key from armadito server!
armadito[4624]: <error> [-] Error :: verify_file_signature :: Crypt Destroy
Key failed! :: GLE = 0x57
[+] Debug :: UpdateModulesDB :: File Signature verified successfully !
[-] Error :: GetFileContent :: Opening the file failed! :: error = 3
[+] Debug :: DownloadPackageFiles :: Downloading file from ::
http://127.0.0.1/cow....
[+] Debug :: DownloadPackageFiles :: cache filename =
XX\AppData\Local\Microsoft\Windows\INetCache\IE\3YTFPC0U\cow[1].htm
[+] Debug :: ConvertBytesToChar :: string = 4dc9a4320e79db56894c037f27d5dc0a
[+] Debug :: DownloadPackageFiles :: checksum =
4dc9a4320e79db56894c037f27d5dc0a
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first
[+] Debug :: UpdateModulesDB :: Armadito service suspended successfully!
[+] Debug :: get_db_module_path :: completePath =
C:\tmp\armadito\modules\DB\..\..\..\..\..\..\..\..\..\..\..\tmp\cow.txt
Conf_file = C:\tmp\armadito\conf\armadito.conf [+] Debug ::
init_configuration :: conf file = C:\tmp\armadito\conf\armadito.conf
armadito[4624]: <warning> cannot open conf file
C:\tmp\armadito\conf\armadito.conf
[+] Debug :: Configuration loaded successfully!
[+] Debug :: Armadito structure loaded successfully!
armadito[4624]: <error> [-] Error :: FilterConnectCommunicationPort() failed
:: errcode = 0x80070002
armadito[4624]: <error> Scan Thread initialization failed!
armadito[4624]: <error> Service loaded with errors during pause.
[+] Debug :: UpdateModulesDB :: Armadito service resumed successfully!
armadito[4624]: <error> [-] Error :: SaveHashInCacheFile :: Creating the
cache file failed! :: error = 3
[+] Debug :: UpdateModulesDB :: Modules Database updated successfully!
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first
C:\tmp\armadito>type ..\cow.txt
put_your_dead_cow_here
==============
This is an irresponsible disclosure due to irresponsible spending of the
French people's money.
The Dead Cow.
View attachment "serv.py" of type "text/x-python" (870 bytes)
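As an added, defensive illustration of the three failures the post lists (not code from the post or from the Armadito project), the checks below fail closed when the public key is unavailable, reject update URLs that are not HTTPS, and refuse destination names that escape the module DB directory; the base directory, URLs and the `verify` callable are assumptions.

```python
import os
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Signature verification is delegated to a caller-supplied callable
# (real code would use the product's asymmetric-signature library).
Verifier = Callable[[bytes, bytes, bytes], bool]


def is_https(url: str) -> bool:
    """Update material must not be fetched over plain HTTP."""
    return urlparse(url).scheme.lower() == "https"


def is_within(base_dir: str, relative_name: str) -> bool:
    """True only if base_dir/relative_name resolves inside base_dir
    (blocks the ..\\..\\..\\tmp\\cow.txt style traversal from the log)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_name))
    return os.path.commonpath([base, target]) == base


def check_update(key_url: str, pkg_url: str, pub_key: Optional[bytes],
                 data: bytes, sig: bytes, base_dir: str, dest_name: str,
                 verify: Verifier) -> List[str]:
    """Return the list of reasons to reject an update; empty means accept.
    A missing key is a rejection, never an implicit pass. Shipping a pinned
    key with the product instead of fetching it removes that failure mode."""
    reasons: List[str] = []
    for label, url in (("public key", key_url), ("package", pkg_url)):
        if not is_https(url):
            reasons.append(f"{label} fetched over non-HTTPS URL: {url}")
    if pub_key is None:
        reasons.append("public key unavailable; refusing to treat package as verified")
    elif not verify(pub_key, data, sig):
        reasons.append("signature check failed")
    if not is_within(base_dir, dest_name):
        reasons.append(f"destination escapes module DB directory: {dest_name}")
    return reasons


if __name__ == "__main__":
    # Constructed inputs mirroring the MiTM session in the post (hypothetical paths).
    base = "/opt/armadito/modules/DB"
    bad = check_update("http://db.example/pubkey.pem", "http://127.0.0.1/cow", None,
                       b"put_your_dead_cow_here", b"", base,
                       "../../../../../../../../tmp/cow.txt", lambda k, d, s: True)
    for reason in bad:
        print("REJECT:", reason)
```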