Avast Antivirus: X.509 Error Rendering Command Execution

[GoogleCodeExporter]

Avast will render the commonName of X.509 certificates into an HTMLLayout frame 
when your MITM proxy detects a bad signature. Unbelievably, this means 
CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into 
remote code execution.

To verify this bug, I've attached a demo certificate for you. Please find 
attached key.pem, cert.pem and cert.der. Run this command to serve it from a 
machine with openssl:

$ sudo openssl s_server -key key.pem -cert cert.pem -accept 443

Then visit that https server from a machine with Avast installed. Click the 
message that appears to demonstrate launching calc.exe.

Thanks, Tavis.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 25 Sep 2015 at 2:43

[GoogleCodeExporter]

Attaching testcases.

Original comment by tav...@google.com on 25 Sep 2015 at 2:56

Attachments:

• cert.der
• cert.pem
• key.pem

[GoogleCodeExporter]

Screenshot for reference.

Original comment by tav...@google.com on 25 Sep 2015 at 6:14

Attachments:

• Avast-2015-09-25-11-02-34.png

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

Avast are currently planning to push an update for this issue today.

Original comment by tav...@google.com on 30 Sep 2015 at 5:29

[GoogleCodeExporter]

The patch for this issue is live, removing view restrictions.

Original comment by tav...@google.com on 1 Oct 2015 at 5:05

• Removed labels: Restrict-View-Commit