Experts found DLL Hijacking issues in Avast, AVG, and Avira solutions

Pierluigi Paganini October 23, 2019

Flaws in Avast, AVG, and Avira Antivirus could be exploited by an attacker to load a malicious DLL file to bypass defenses and escalate privileges.

Security experts at SafeBreach Labs discovered flaws in Avast, AVG, and Avira Antivirus that could be exploited by an attacker to load a malicious DLL file to bypass defenses and escalate privileges.

A vulnerability in all versions of Avast Antivirus and AVG Antivirus, tracked as CVE-2019-17093, could be exploited by an attacker with administrative privileges to bypass security defenses (including the product's self-defense mechanism), escalate privileges and gain persistence.

“This vulnerability could have been used in order to achieve self-defense bypass, defense evasion, persistence and privilege escalation,” reads the analysis published by SafeBreach Labs. “Particularly, we will show that it was possible to load an arbitrary unsigned DLL into multiple processes that run as NT AUTHORITY\SYSTEM, even using Protected Process Light (PPL).”

The attacker could trigger the issue to load a malicious unsigned DLL into multiple processes that run as NT AUTHORITY\SYSTEM.

The experts discovered that the AVGSvc.exe process, an AM-PPL (Anti-Malware Protected Process Light) that runs as a signed process and as NT AUTHORITY\SYSTEM, attempts at startup to load wbemcomn.dll from the path C:\Windows\System32\wbem\wbemcomn.dll. The experts pointed out that the library is not present in that folder; it is actually stored in the System32 folder, so the first lookup location is one the attacker can target.

The antivirus implements a self-defense mechanism that prevents malicious code from writing to its own folders and implanting a DLL there.

The self-defense mechanism can be bypassed by writing a DLL file to an unprotected folder from which the application loads components.

“If we can implant an unsigned DLL in an unprotected folder, this can lead to self-defense bypass,” the experts continue.

“Loading unsigned code into an AM-PPL is generally not allowed, because of the code integrity mechanism. Any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate.”

SafeBreach Labs experts compiled an unsigned proxy DLL out of the original wbemcomn.dll and placed it in C:\Program Files\System32\, where the process loaded it with SYSTEM privileges.

The vulnerability allows attackers to load and execute malicious payloads through multiple signed services, within the context of AVG / Avast signed processes. Because the code runs inside trusted, signed processes, this trick could allow attackers to evade detection.

The vulnerability affects all editions of Avast Antivirus and AVG Antivirus below version 19.8. AVG is a subsidiary of Avast; the company released security updates to address the flaw on September 26.

The experts discovered a similar vulnerability in Avira Antivirus 2019 tracked as CVE-2019-17449.

“The CVE-2019-17449 vulnerability could have been used in order to achieve defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into multiple signed processes that run as NT AUTHORITY\SYSTEM,” reads the analysis published by the experts.

“In order to exploit this vulnerability the attacker needs to have Administrator privileges.”

The experts targeted the Avira Launcher service (Avira ServiceHost), which, once started, attempts to load a library from the wrong path.

The researchers were able to execute code within Avira.ServiceHost.exe by storing a specially crafted DLL in this path. The same issue affects the Avira System Speedup, Avira Software Updater, and Avira Optimizer Host processes.

Below are the root causes of the vulnerabilities, as described in the analysis.

“No digital certificate validation is made against this specific binary. The program does validate whether different DLL files which it is loading are signed, but when it imports the Wintrust.dll library, it doesn’t validate it (because it relies on the WinVerifyTrust function which is inside the DLL and is not loaded yet). Therefore, it can load an arbitrary unsigned DLL,” continues the analysis.

“The AV has no self-protection for the Launcher folder. As I mentioned before, different AVs protect their own folders from this kind of attack using a mini-driver which restricts any change to the directory of the AV.”
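Both root causes above leave the same trace at load time: a SYSTEM process that should only load signed code pulls a well-known library from somewhere other than its canonical directory, or loads an image that carries no valid signature. The detector below is an added example, not code from SafeBreach Labs or the vendors; it runs over constructed Sysmon-style Event ID 7 (ImageLoad) records, and the canonical-directory table, the list of watched process names and the Avira Launcher path in the sample data are assumptions for illustration.

```python
"""Flag DLL loads of the kind described above from Sysmon ImageLoad (Event ID 7) records."""
import ntpath
from dataclasses import dataclass

# Assumption: where these libraries normally live on a 64-bit Windows install.
CANONICAL_DLL_DIRS = {
    "wbemcomn.dll": r"c:\windows\system32",
    "wintrust.dll": r"c:\windows\system32",
}

# Signed, SYSTEM-level processes named in the article that should only load signed code.
WATCHED_PROCESSES = {"avgsvc.exe", "avira.servicehost.exe"}


@dataclass
class ImageLoad:
    image: str         # Sysmon "Image": the loading process
    image_loaded: str  # Sysmon "ImageLoaded": the DLL path
    user: str          # Sysmon "User"
    signed: bool       # Sysmon "Signed"


def findings(ev: ImageLoad) -> list[str]:
    """Return one message per suspicious condition for a single event."""
    proc = ntpath.basename(ev.image).lower()
    if proc not in WATCHED_PROCESSES or not ev.user.upper().endswith("SYSTEM"):
        return []
    out = []
    dll = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower().rstrip("\\")
    canonical = CANONICAL_DLL_DIRS.get(dll)
    if canonical and dll_dir != canonical:
        # The wbem\ lookup before System32 is exactly the hijackable first hit.
        out.append(f"{proc}: {dll} loaded from non-canonical directory {dll_dir}")
    if not ev.signed:
        # A PPL/AM-PPL process should never map unsigned code.
        out.append(f"{proc}: unsigned image {ev.image_loaded}")
    return out


def scan(events: list[ImageLoad]) -> list[str]:
    return [msg for ev in events for msg in findings(ev)]


# Constructed sample events: one benign load, then the two patterns from the article.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\AVG\Antivirus\AVGSvc.exe", r"C:\Windows\System32\wbemcomn.dll", r"NT AUTHORITY\SYSTEM", True),
    ImageLoad(r"C:\Program Files\AVG\Antivirus\AVGSvc.exe", r"C:\Windows\System32\wbem\wbemcomn.dll", r"NT AUTHORITY\SYSTEM", False),
    ImageLoad(r"C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe", r"C:\Program Files (x86)\Avira\Launcher\Wintrust.dll", r"NT AUTHORITY\SYSTEM", False),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

In a real deployment the same two checks apply to ImageLoad telemetry from any EDR, and the SignatureStatus field (when available) should replace the plain boolean used here.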

The experts reported the vulnerability to Avira on July 22 that addressed it on September 18.
