Avast Antivirus X.509 Error Rendering Command Execution

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1041170 漏洞类型
发布时间 2015-10-02 更新时间 2015-10-02
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2015100017
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.

To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl:

$ sudo openssl s_server -key key.pem -cert cert.pem -accept 443

Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe.

PoC:
https://code.google.com/p/google-security-research/issues/detail?id=546

Thanks, Tavis.