Avast X.509 Certificate CommonName Remote Code Execution Vulnerability

vendor:

Avast Antivirus

by:

Google Security Research

9,3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Avast Antivirus

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2015

Avast X.509 Certificate CommonName Remote Code Execution Vulnerability

Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. This means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.

Mitigation:

Upgrade to the latest version of Avast to patch this vulnerability.

Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=546

Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.

To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl:

$ sudo openssl s_server -key key.pem -cert cert.pem -accept 443

Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38384.zip