Avast will render the commonName of X.509 certificates into an HTMLLayout frame
when your MITM proxy detects a bad signature. Unbelievably, this means
CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into
remote code execution.

To verify this bug, I've attached a demo certificate for you. Please find
attached key.pem, cert.pem and cert.der. Run this command to serve it from a
machine with openssl:

    $ sudo openssl s_server -key key.pem -cert cert.pem -accept 443

Then visit that https server from a machine with Avast installed. Click the
message that appears to demonstrate launching calc.exe.

Thanks, Tavis.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by tav...@google.com on 25 Sep 2015 at 2:43
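
The root cause described in the report is a certificate field being placed into an HTML view as markup instead of as text. The following is an added example, not code from the report or from Avast: it shows a warning renderer that escapes the commonName and flags names that are not valid host names. The function names and the HTML fragment are assumptions made for illustration.

```python
import html
import re

# Hostname-style CN: optional leftmost wildcard label, then letter/digit/hyphen labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_CN = re.compile(rf"(?:\*\.)?{_LABEL}(?:\.{_LABEL})*")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def classify_cn(cn: str) -> str:
    """Return 'hostname' if the CN looks like a DNS name, else 'suspicious'."""
    if len(cn) <= 253 and _HOSTNAME_CN.fullmatch(cn):
        return "hostname"
    return "suspicious"


def render_cert_warning(cn: str, reason: str) -> str:
    """Build the warning fragment, treating every certificate field as text."""
    # Bound the displayed length and neutralise control characters first.
    shown = _CONTROL.sub("?", cn)[:64]
    note = ""
    if classify_cn(cn) == "suspicious":
        note = '<p class="note">Certificate name is not a valid host name.</p>'
    # Only the fixed template contributes markup; certificate data is escaped.
    return (
        '<div class="cert-warning">'
        f"<p>Certificate for <b>{html.escape(shown, quote=True)}</b> rejected: "
        f"{html.escape(reason, quote=True)}</p>{note}</div>"
    )


# Constructed sample inputs; the second is the CN quoted in the report.
SAMPLES = ["www.example.com", "<h1>really?!?!?</h1>", "*.example.org"]

if __name__ == "__main__":
    for cn in SAMPLES:
        print(classify_cn(cn), render_cert_warning(cn, "bad signature"))
```

The same rule applies to every other attacker-controlled certificate field shown in the dialog, such as the issuer or subject alternative names.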