Vulnerabilities > CVE-2017-15643 - HTTP Request Smuggling vulnerability in Ikarussecurity Ikarus Antivirus 2.16.7

047910
CVSS 7.4 - HIGH
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
high complexity
ikarussecurity
CWE-444
exploit available

Summary

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files. The attacker first forces the client to initiate an update transaction by modifying an update field within an HTTP 200 response, so that it refers to a nonexistent update. The attacker then modifies the HTTP 404 response so that it specifies a successfully found update, with a Trojan horse executable file (e.g., guardxup.exe) and the correct CRC32 checksum for that file.

Vulnerable Configurations

Part Description Count
Application
Ikarussecurity
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • HTTP Request Splitting
    HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
  • HTTP Request Smuggling
    HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.

Exploit-Db

descriptionIkraus Anti Virus 2.16.7 - Remote Code Execution. CVE-2017-15643. Remote exploit for Windows platform
idEDB-ID:44055
last seen2018-02-15
modified2017-10-16
published2017-10-16
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/44055/
titleIkraus Anti Virus 2.16.7 - Remote Code Execution

Seebug

bulletinFamilyexploit
description### Vulnerability summary The following advisory describes an remote code execution found in Ikraus Anti Virus version 2.16.7. KARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent intrusion and protect yourself against cyber-criminals by choosing IKARUS anti.virus, powered by the award-winning IKARUS scan.engine. It is among the best in the world, detecting new and existing threats every day. ” ### Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ### Vendor Response Update 1 CVE: CVE-2017-15643 The vendor has released patches to address these vulnerabilities. For more information: https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/ ### Vulnerability details An active network attacker (MiTM) can achieve remote code execution on a machine that runs Ikraus Anti Virus. Ikarus AV for windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files. Also ikarus checks for a update version number which can be incremented to goad the process to update. The update process executable in ikarus called guardxup.exe guardxup.exe, send over port 80, the following request for update: ``` GET /cgi-bin/virusutilities.pl?A=7534ED66&B=6.1.1.0.11.1.256.7601&C=1005047.2013019.2001016.98727&F=4.5.2%3bO=0%3bSP=0&E=WD-194390-VU HTTP/1.1 Accept: */* User-Agent: virusutilities(6.1,0,1005047) Host: updates.ikarus.at Connection: close ``` The server will respond with: ``` HTTP/1.1 200 OK Date: Sun, 23 Oct 2016 04:51:05 GMT Server: Apache/2.4.10 (Debian) mod_perl/2.0.9dev Perl/v5.20.2 Content-Disposition: inline; filename=virusutilities Content-Length: 306 Connection: close Content-Type: text/plain; charset=ISO-8859-1 <url> full http://mirror04.ikarus.at/updates/ diff http://mirror06.ikarus.at/updates/ </url> <up> antispam_w64 001000076 antispam 001000076 update 001005047 virusutilities 002013019 t3modul_w64 002001016 t3modul 002001016 sdb 000007074 t3sigs 000098727 </up> <dependence> t3modul </dependence> ``` Through the proxy we will modify the response and add 1 to the ‘update’ value and forward the response to the client. Then the client will request the update via this url: http://mirror04.ikarus.at/updates/guardxup001005048.full The ikarus server will respond with a 404: ``` HTTP/1.1 404 Not Found Server: nginx/1.6.2 Date: Sun, 23 Oct 2016 04:53:05 GMT Content-Type: text/html Content-Length: 168 Connection: close <html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>nginx/1.6.2</center> </body> </html> ``` But we will modify the response with a IKUP format: ``` Bytes: 0x0 - 0x3 == IKUP # header Bytes: 0x4 - 0x7 == 0x0s Bytes: 0x8 == 0x3C # pointer to start of PE EXE MZ header Bytes: 0x20 - 0x23 == update value in little endian (script fixes it up) Bytes: 0x24 - 0x27 == crc32 checksum (script populates from provided binary) Bytes: 0x28 -> pointer to MZ header == 0x0s Bytes: 'pointer to MZ header' -> ? == appended exe ``` Then we will forward to the update to the client, where it replaces guardxup.exe with our executable. ### Proof of concept Please install mitmproxy 0.17 – pip install mitmproxy==0.17 To use this script, you’ll need to MITM port 80 traffic from the client for use with a transparent proxy. Set your firewall rules to intercept 80 traffic on port 8080: ``` sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 ``` and execute the script as follows: ./poc.py file_to_deploy.exe
idSSV:96779
last seen2017-11-19
modified2017-10-24
published2017-10-24
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-96779
titleIkraus Anti Virus Remote Code Execution(CVE-2017-15643)