Security experts at SafeBreach Labs discovered flaws in Avast, AVG, and Avira Antivirus that could be exploited by an attacker to load a malicious DLL file to bypass defenses and escalate privileges.
A vulnerability in all versions of Avast Antivirus and AVG Antivirus, tracked as CVE-2019-17093, could be exploited by an attacker with administrative privileges to bypass security defense, self-defense bypass, escalate privilege and gain persistence.
“this vulnerability could have been used in order to achieve self-defense bypass, defense evasion, persistence and privilege escalation.” reads the analysis published by SafeBreach Labs “Particularly, we will show that it was possible to load an arbitrary unsigned DLL into multiple processes that run as NT AUTHORITY\SYSTEM, even using Protected Process Light (PPL).”
The attacker could trigger the issue to load a malicious unsigned DLL into multiple processes that run as NT AUTHORITY\SYSTEM.
The experts discovered that that the AVGSvc.exe process, an AM-PPL (Anti-Malware Protected Process Light) that run as a signed process and as NT AUTHORITY\SYSTEM, attempt to load the wbemcomn.dll at
The Antivirus implements a self-defense mechanism that prevents malicious code to write and implant a DLL to its folders.
The self-defense mechanism can be bypassed by writing a DLL file to an unprotected folder from which the application loads components.
“If we can implant an unsigned DLL in an unprotected folder, this can lead to
“Loading unsigned code into an AM-PPL is generally not allowed, because of the code integrity mechanism. Any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate.
The vulnerability affects all editions of Avast Antivirus and AVG Antivirus below version 19.8. AVG is a subsidiary of Avast, the company released security updates to address the flaw on September 26.
The experts discovered a similar vulnerability in Avira Antivirus 2019 tracked as CVE-2019-17449.
“the CVE-2019-17449 vulnerability could have been used in order to achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into multiple signed processes that run as NT AUTHORITY\SYSTEM.” reads the analysis published by the experts.
“In order to exploit this vulnerability the attacker needs to have Administrator privileges.”
The experts targeted the Avira Launcher service, Avira
The researchers were able to execute code within Avira
Below the root causes the vulnerabilities.
“No digital certificate validation is made against this specific binary. The program does validate whether different DLL files which it is
“The AV has no self-protection for the Launcher folder.
As I mentioned before, different AVs protect their own folders from this kind of attack using a mini- driver which restricts any change to the directory of the AV.”
The experts reported the vulnerability to Avira on July 22 that addressed it on September 18.