Avast, DLL Hijacking Vulnerable Goods

Antivirus

SafeBreach Labs security researchers found that weakness in Avast Antivirus, AVG Antivirus and Avira Antivirus could help an attacker load a malicious DLL file to circumvent defenses and increase privileges.

Tracked under CVE-2019-17093 and affecting both Avast Antivirus and AVG Antivirus versions–the AVG branch and AVG main code-shared software–the first security flaw could be exploited to do what SafeBreach defines as self-defense bypass, defense evasion, persistence and privilege escalation.

Bug activity involves administration rights, but it could lead to multiple processes operating as NT AUTHORITY\SySTEM loading a malicious DLL.

The researchers have found that AVGSvc.exe, an AM-PPL, tries at first to load a DLL, but looks for the file from the wrong folder.

Due to anti-virus security systems, writing a DLL to one of the application’s files is even forbidden for administrators. But by writing a DLL file to an insecure directory, the program loads components from this self-defense mechanism.

“The loading of unsigned code into the AM-PPL is usually not allowed due to the requirement of code integrity. Non-Windows DLLs loaded into the safe system should be signed with a certificate, “explains SafeBreach Labs.

Security researchers have compiled an anonymous proxy DLL from the original to exploit the vulnerability. Then the DLL was put in C:\Program Files\System32\, where antivirus software searches for an identical DLL that caused the folder to be loaded with SYSTEM privileges.

“The vulnerability allows attackers to use multiple signed services to load and execute malicious payloads in the scope of AVG / Avast processes. This capacity may be exploited by an attacker for various purposes such as execution and avoidance, for example: the whitelisting bypass program, “explained security researchers.

The problem has affected both Avast Antivirus and AVG Antivirus versions under 19.8. On September 26, a patch was issued.

The researchers have found a similar problem in Avira Antivirus in 2019 and demonstrate that it can also lead to “security evasion, persistence and privilege escalation by loading arbitrary, unchecked DLL onto a set of signed processes running under NT AUTHORITY\SIDEM.” At the start of the process, the missing library is loaded from its own directory.

Through inserting their own DLL in Avira. ServiceHost.exe, the researchers were able to execute code. The Avira Application Speedup, Avira Program Updater and Avira Optimizer Host processes are the same as those available.

The researchers reported Avira’s weakness on 22 July, and the dealer told them that the problem had been resolved on 18 September. On October 10, MITRE issued CVE-2019-17449 for vulnerability.

Avira claims, however, that the vulnerability is not really useful to hackers, and has agreed to contest the CVE.

“The scenario shows that a default OS and brand setting would allow the malicious DLL file to be installed by Administrator privileges. If you have administrative rights already, you would not obtain any new privileges or just change Avira binary or Windows to bypass all signature checks. So there is no escalation of privilege, “Avira said in an emailed comment to SecurityWeek.

“Avira does not believe that the problem can be listed as CVE, so the CVE was already contested at MITRE,” added the security firm.

SafeBreach reported similar technology defects from different vendors, including HP, Dell, Forcepoint, Trend Micro, Bitdefender and Check Point, over the past months.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.