exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

F-Secure AV Man-In-The-Middle

F-Secure AV Man-In-The-Middle
Posted Mar 10, 2017
Authored by Martin Kolarik

F-Secure AV suffers from an issue where remote code execution under SYSTEM can take place due to a man-in-the-middle vulnerability.

tags | advisory, remote, code execution
advisories | CVE-2016-9892
SHA-256 | c573c0561d7186ee1f6213ffb825479e8678f2c6a81ffc7ed854bfd47db8d5f9

F-Secure AV Man-In-The-Middle

Change Mirror Download
CVE-2017-6466 - Remote Code Execution under SYSTEM via MITM in F-Secure AV

Title: Remote Code Execution under SYSTEM via MITM in F-Secure AV
CVE: CVE-2016-9892
Vendor: F-Secure
Product: All products that include the software updater component
Publication Date: 2017-03-08
Fix: Not available - the vendor does not see this as a security problem
Discoverer: Martin Kolarik (@MaKolarik)

Software Updater is a component used to download and install updates for
operating system and many 3rd party software products (a complete list can
found at
It downloads installation packages over HTTP protocol, with little or no
verification after downloading, and subsequently executes them under SYSTEM
account. This allows a remote attacker who can modify the packages during
downloading to gain a complete control of a target system.

Technical details
Software Updater can be configured in two ways:
a) Manual installation (default). System administrator logged into
F-Secure Policy Manager Console can inspect a list of all available
updates for managed computers, and select which updates will be
installed. In this case, there is absolutely no verification after
downloading and packages can be replaced with any executable.

b) Automatic installation. Updates are downloaded and installed
automatically when they become available. In this case, an option to
only install signed packages is on by default. If this option is on,
packages without signature are not installed automatically; instead,
the installation command has to be issued manually from the Policy
Manager Console (as if auto-updates were not enabled at all). Since
not all vendors sign their packages, it is also possible to turn
this verification off via Policy Manager Console.

Even allowing only signed packages does not provide almost any
protection, because the only thing Software Updater checks is if the
package has a signature. It does not check by whom it was signed, nor
when it was signed, so it is possible to replace it with any other
executable, as long as it is also signed. In case the attacker is not
able to sign their own code directly, they can use this vulnerability
to install any publicly available software signed by its vendor, and
subsequently exploit a vulnerability in that software instead.
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By