Home / os / winmobile

Avira Free Antivirus DLL Hijacking

Posted on 31 August 2016

Hi @ll, Avira's free antivirus full package executable installers, avira_antivirus_en-us.exe, avira_antivirus_de-de.exe etc., available from <https://www.avira.com/en/download/product/avira-free-antivirus>, <https://www.avira.com/de/download/product/avira-free-antivirus> etc., have multiple vulnerabilities: 1. the full package executable installers (really: self- extracting RAR archives) extract their payload (the real installer) into the directory "%TEMP%RarSFX0" This directory is NOT protected against tampering, i.e. the extracted payload can be replaced by an unprivileged attacker who has access to the respective user account, or by malware already running under this user account. 2. after extraction the self-extractor starts the unpacked "%TEMP%RarSFX0presetup.exe" ELEVATED, eventually displaying an UAC prompt. An unprivileged attacker who modified "%TEMP%RarSFX0presetup.exe" between extraction and execution can trick the user to start a rogue program with administrative privileges. 3. "%TEMP%RarSFX0presetup.exe" loads multiple (system) DLLs from its application directory "%TEMP%RarSFX0", and starts several programs, for example "%TEMP%RarSFX0setup.exe". All these DLLs and programs are executed with administrative privileges too; an unprivileged attacker who (re)placed these files in "%TEMP%RarSFX0" gains escalation of privilege to "Administrator". 4. "%TEMP%RarSFX0setup.exe" installs several Windows services which run under the SYSTEM account. An unprivileged attacker who replaced the service executables in "%TEMP%RarSFX0" gains escalation of privilege to "SYSTEM". Proof of concept: ~~~~~~~~~~~~~~~~~ 1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and save them in your "Downloads" directory; 2. create the following batch script in an arbitrary directory: --- POC.CMD --- :WAIT_DLL @If Not Exist "%TEMP%RarSFX0" Goto :WAIT_DLL For %%! In (UXTheme Version DWMAPI) Do @Copy "%USERPROFILE%DownloadsSENTINEL.DLL" "%TEMP%RarSFX0\%%!.DLL" :WAIT_EXE @If Not Exist "%TEMP%RarSFX0setup.exe" Goto :WAIT_EXE Copy "%USERPROFILE%DownloadsSENTINEL.EXE" "%TEMP%RarSFX0setup.exe" --- EOF --- 3. download "avira_antivirus_en-us.exe" and save it in your "Downloads" directory; 4. start the batch script POC.CMD; 5. start the downloaded "avira_antivirus_en-us.exe" and notice the message boxes displayed from the DLLs and EXE placed in "%TEMP%RarSFX0" by POC.CMD PWNED! Mitigations: ~~~~~~~~~~~~ * Don't use executable installers! NEVER! * Don't use crapware which runs executables from unsafe directories like %TEMP%! * Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode it to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". stay tuned Stefan Kanthak PS: of course Avira's anti-virus has some more beginner's errors: outdated and vulnerable 3rd-party libraries! - libcurl.dll 7.39.0 the current version is 7.50.1, with MULTIPLE fixed vulnerabilties; see <https://curl.haxx.se/docs/vulnerabilities.html> - ssleay32.dll and libeay32.dll 1.0.2.5 from OpenSSL 1.0.2e the current version is 1.0.2h, with MULTIPLE fixed vulnerabilities; see <https://openssl.org/news/vulnerabilities.html> Timeline: ~~~~~~~~~ 2016-07-15 vulnerability report sent to vendor NO RESPONSE, not even an acknowledgement of receipt 2016-08-29 report published

 

TOP