Armadito (http://ift.tt/1UJyPma) is a cross-platform open-source antivirus that started as the DAVFI project, financed through a French government program. For a security product that is supposed to protect computers against malware, its update system fails at several points:

* the public key used to check update packages is retrieved over plain HTTP, and so are the packages themselves;
* if Armadito can't download this public key, a bug makes it treat every file it checks as valid (you don't even need to forge a signature);
* a vulnerability as old as General de Gaulle (path traversal) then allows a controlled URL to be downloaded to an arbitrary path.

Together, these let anyone in control of DNS answers, or more generally anyone in a MiTM position, write arbitrary files when the update process is performed. They also let the vendor do it if they want (but db.armadito.org does not seem to work at the time of writing this email).

A simple Python HTTP server is attached to this mail as a proof-of-concept.

This happens in the ArmaditoSvc tool when run with the "--updatedb" flag. The documentation doesn't specify whether it should run as an administrator or not. Here is an example of the output of this tool when a potential MiTM is performed:

===========
C:\tmp\armadito>type ..\cow.txt
File specified not found.
C:\tmp\armadito>ArmaditoSvc.exe --updatedb
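A hardened version of the three update steps above, as an added example that is not Armadito's code: the verification key is pinned locally instead of fetched at update time, a missing key fails closed, and package entry names are confined to the install directory. Signature checking uses an HMAC-SHA256 stand-in so the block runs on the standard library alone; PINNED_KEY, safe_target and the other names are assumptions, not Armadito identifiers.

```python
import hashlib
import hmac
import posixpath
from pathlib import Path
from typing import Optional

# Assumption: the verification key ships with the installer (pinned) and is
# never fetched over plain HTTP at update time. Constructed demo value.
PINNED_KEY: Optional[bytes] = b"constructed-demo-key-not-a-real-armadito-key"


class UpdateError(Exception):
    """Raised for any condition that must abort the update."""


def make_demo_signature(key: bytes, data: bytes) -> bytes:
    """Publisher side of the HMAC stand-in (a real system would use RSA/Ed25519)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_signature(key: Optional[bytes], data: bytes, signature: bytes) -> bool:
    """Fail closed: with no key nothing can be verified, so the package is rejected."""
    if not key:
        raise UpdateError("verification key unavailable; refusing package")
    return hmac.compare_digest(make_demo_signature(key, data), signature)


def safe_target(base_dir: str, entry_name: str) -> Path:
    """Resolve a package entry name strictly inside base_dir.

    Rejects absolute paths, drive letters and any '..' component (on either
    separator), then confirms the resolved path still lies under base_dir.
    """
    name = entry_name.replace("\\", "/")  # treat Windows separators too
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UpdateError(f"absolute path in package entry: {entry_name!r}")
    norm = posixpath.normpath(name)
    if ".." in norm.split("/") or norm == ".":
        raise UpdateError(f"path traversal in package entry: {entry_name!r}")
    base = Path(base_dir).resolve()
    target = (base / norm).resolve()
    if base not in target.parents:
        raise UpdateError(f"entry escapes base dir: {entry_name!r}")
    return target


def entry_is_installable(key, base_dir, entry_name, data, signature) -> bool:
    """Check the signature first, then the destination; True only if both pass."""
    try:
        return verify_signature(key, data, signature) and safe_target(base_dir, entry_name) is not None
    except UpdateError:
        return False
```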
Source: Gmail -> IFTTT -> Blogger