Avast! AntiVirus – X.509 Error Rendering Command Execution

• Exploit Database
• 25 阅读

• 作者： Google Security Research
  日期： 2015-10-02
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38384/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=546
  
  Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.
  
  To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl:
  
  $ sudo openssl s_server -key key.pem -cert cert.pem -accept 443
  
  Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe.
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38384.zip