
Avira Antivirus 2019 software is vulnerable; update as soon as possible

A recent investigation by vulnerability testing specialists at security firm SafeBreach Labs has revealed a critical vulnerability in the Avira Antivirus 2019 software. Tracked as CVE-2019-17449, this vulnerability could be used to evade the target system's defenses, gain persistence, and escalate privileges by loading an arbitrary dynamic link library (DLL) that has not been digitally signed.

Experts tested the Avira ServiceHost service, which is the Avira Launcher service. This is a signed process that runs as NT AUTHORITY\SYSTEM and is the first component installed after the user double-clicks the installer, which makes it a widely deployed piece of software.

According to the vulnerability testing experts, when it starts, Avira.ServiceHost.exe attempts to load the missing Wintrust.dll library from its own directory.

Avira products typically restrict modifications to any of their folders (such as adding or modifying files) using a mini filter driver that applies a read-only policy to every user, including the system administrator. Despite this restriction, the specialists went ahead with the tests to determine whether a modification was possible.

In their report, SafeBreach Labs vulnerability testing specialists compiled an arbitrary x86 DLL that writes the following to a text file:

  • The name of the process that loaded it
  • The username that executed it
  • The name of the DLL

Before restarting the computer, the experts placed the file at the path C:\Program Files (x86)\Avira\Launcher\Wintrust.dll. “We managed to load an arbitrary DLL and execute our code inside Avira.ServiceHost.exe, which was signed by “Avira Operations GmbH & Co. KG” and executed as NT AUTHORITY\SYSTEM”, the experts add.
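As an added defender-side example (not code from the SafeBreach report or from Avira), the following Python checks Sysmon Event ID 7 (Image Loaded) records for the two signals this finding produces: a well-known Windows DLL such as wintrust.dll loaded from an application directory instead of System32/SysWOW64, and an unsigned module loaded into a signed, SYSTEM-level service. The flattened key=value record format, the directory and DLL lists, and the sample events are assumptions constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Assumption: default Windows install paths; Windows' own DLLs live here.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: DLLs an application directory should never supply itself.
KNOWN_SYSTEM_DLLS = {"wintrust.dll", "crypt32.dll", "version.dll"}

# Constructed sample records: one benign load from SysWOW64 (the process is
# 32-bit), one load of a same-named DLL from the Launcher directory.
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe "
    r"ImageLoaded=C:\Windows\SysWOW64\wintrust.dll Signed=true Signature=Microsoft Windows",
    r"EventID=7 Image=C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe "
    r"ImageLoaded=C:\Program Files (x86)\Avira\Launcher\Wintrust.dll Signed=false Signature=-",
]

# Lazy value match that stops at the next " key=" token or end of line,
# so values containing spaces (e.g. "Program Files (x86)") survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one flattened key=value Sysmon record into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return the reasons an Image Loaded event looks like DLL search-order hijacking."""
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    reasons = []
    if loaded.name.lower() in KNOWN_SYSTEM_DLLS and str(loaded.parent).lower() not in SYSTEM_DIRS:
        reasons.append(f"{loaded.name} loaded from non-system directory {loaded.parent}")
    if event.get("Signed", "").lower() == "false":
        reasons.append("unsigned module loaded into a signed process")
    return reasons


def scan(lines):
    """Return (process, loaded module, reasons) for every suspicious Event ID 7 record."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        reasons = classify(ev)
        if reasons:
            findings.append((ev.get("Image", ""), ev.get("ImageLoaded", ""), reasons))
    return findings


if __name__ == "__main__":
    for image, module, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {module}: {'; '.join(reasons)}")
```

Only the second constructed record is flagged, on both grounds; the same logic applies to the other Avira services the report lists.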

It was also possible to replicate this process against other Avira services, such as:

  • Avira System Speedup
  • Avira Software Updater
  • Avira Optimizer Host

Possible attack scenarios

Drawing on the SafeBreach report, vulnerability testing experts at the International Institute of Cyber Security (IICS) raised at least three possible attacks:

  • Self-defense evasion: Antivirus software usually has a self-defense mechanism that prevents threat actors from altering its processes and files, mainly through the use of a mini filter driver. If exploited, this vulnerability would allow a hacker to bypass part of this mechanism and load an arbitrary DLL into the antivirus tool's process.
  • Signed execution/Whitelist evasion: By exploiting this flaw, a hacker could load and execute malicious payloads in the context of a process signed by the company, allowing applications that would otherwise be labeled as malicious to run, among other tasks.
  • Persistence mechanism: If exploited, this vulnerability gives hackers the ability to load and execute malicious payloads persistently. In other words, once a threat actor has dropped a malicious DLL, the Avira services will load the malicious code every time the system restarts.

The company was duly notified of the vulnerability. In response to the presence of this flaw, Avira has released an update of its Windows services, which consists of an additional layer of security.

Avira has rolled out an update to its Windows services as a security improvement. The update adds a layer of security after an issue was identified and reported to Avira by SafeBreach.

The scenario shows that a default OS and product installation would require Administrator privileges to place the malicious DLL file. If one already has admin rights, he would gain no new privileges, or could simply modify the Avira binary or Windows itself to skip all signature checks. So there is no actual privilege escalation.

As part of the automatic daily update, users are automatically served with the latest variant within minutes after starting up their system and at least every two hours afterwards. Tests by the Avira development team have since confirmed that the security update has been effectively distributed to our users.

Avira believes the issue can’t be classified as a CVE; therefore, this CVE has already been disputed at MITRE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17449).
