verlass / google-security-research

Automatically exported from code.google.com/p/google-security-research

Avast Antivirus: X.509 Error Rendering Command Execution #546

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Avast will render the commonName of X.509 certificates into an HTMLLayout frame 
when your MITM proxy detects a bad signature. Unbelievably, this means 
CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into 
remote code execution.

To verify this bug, I've attached a demo certificate for you. Please find 
attached key.pem, cert.pem and cert.der. Run this command to serve it from a 
machine with openssl:

$ sudo openssl s_server -key key.pem -cert cert.pem -accept 443

Then visit that https server from a machine with Avast installed. Click the 
message that appears to demonstrate launching calc.exe.

Thanks, Tavis.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 25 Sep 2015 at 2:43
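The root cause described in the report is an untrusted certificate field (the subject commonName) being concatenated into an HTML error page. The following added example is not from the report or from Avast; it contrasts that vulnerable rendering pattern with the escaped form, and adds a hostname sanity check a proxy or log pipeline could use to flag certificates whose CN carries markup. The subject values are constructed here and are not the attached `cert.pem`; `render_error_unsafe`, `render_error_safe` and `cn_is_plausible_hostname` are hypothetical helper names.

```python
import html
import re

# Constructed sample subjects (not the report's attachments). The second one
# carries the markup-in-CN shape that the report describes.
SAMPLE_SUBJECTS = [
    {"CN": "example.test", "O": "Example Org"},
    {"CN": "*.example.test", "O": "Example Org"},
    {"CN": "<h1>really?!?!?</h1>", "O": "Example Org"},
]

# RFC 1123-style hostname, optionally with a single leading wildcard label.
_HOSTNAME_RE = re.compile(
    r"^(?:\*\.)?"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def render_error_unsafe(subject: dict) -> str:
    """The vulnerable pattern: certificate fields are interpolated straight
    into HTML, so any tag in the CN is parsed as markup by the layout engine."""
    return f"<p>The certificate for {subject.get('CN', '')} has a bad signature.</p>"


def render_error_safe(subject: dict) -> str:
    """Hardened form: every attacker-controlled field is HTML-escaped before it
    reaches the renderer. quote=True also neutralises attribute contexts."""
    cn = html.escape(subject.get("CN", ""), quote=True)
    org = html.escape(subject.get("O", ""), quote=True)
    return f"<p>The certificate for {cn} ({org}) has a bad signature.</p>"


def cn_is_plausible_hostname(cn: str) -> bool:
    """Detection check: a server certificate's CN should look like a hostname.
    Anything else (angle brackets, quotes, spaces) is worth alerting on."""
    return len(cn) <= 253 and _HOSTNAME_RE.match(cn) is not None


def audit_subjects(subjects: list) -> list:
    """Return the CNs from a batch of observed certificates that fail the
    hostname check, e.g. for feeding into a detection rule."""
    return [s.get("CN", "") for s in subjects if not cn_is_plausible_hostname(s.get("CN", ""))]


if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        print("unsafe:", render_error_unsafe(subj))
        print("safe:  ", render_error_safe(subj))
    print("flagged:", audit_subjects(SAMPLE_SUBJECTS))
```

The escaping step is the actual fix for this bug class; the hostname check is a cheap secondary signal for a proxy or SIEM, since a CN that fails it is either malformed or deliberately crafted.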

GoogleCodeExporter commented 9 years ago
Attaching testcases.

Original comment by tav...@google.com on 25 Sep 2015 at 2:56

Attachments:

GoogleCodeExporter commented 9 years ago
Screenshot for reference.

Original comment by tav...@google.com on 25 Sep 2015 at 6:14

Attachments:

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Avast are currently planning to push an update for this issue today.

Original comment by tav...@google.com on 30 Sep 2015 at 5:29

GoogleCodeExporter commented 9 years ago
The patch for this issue is live, removing view restrictions.

Original comment by tav...@google.com on 1 Oct 2015 at 5:05