This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass,” the security researchers explain. “The vulnerability gives attackers the ability to load and execute malicious payloads using multiple signed services, within the context of AVG / Avast signed processes.
#AVAST VS AVIRA SOFTWARE#
Next, they placed the DLL in C:Program FilesSystem32, where the antivirus software looks for a DLL with the same name, which resulted in the file being loaded with SYSTEM privileges. To exploit the vulnerability, the security researchers compiled an unsigned proxy DLL out of the original. Any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate,” SafeBreach Labs explains.
#AVAST VS AVIRA CODE#
“Loading unsigned code into an AM-PPL is generally not allowed, because of the code integrity mechanism. However, this self-defense mechanism can be bypassed by writing a DLL file to an unprotected folder from which the application loads components.
The researchers discovered that AVGSvc.exe, an AM-PPL (Anti-Malware Protected Process Light), tries to load a DLL at start, but it searches for the file in the wrong folder.ĭue to protection mechanisms inside antivirus applications, writing a DLL to one of the application’s folders if forbidden even to administrators. Tracked as CVE-2019-17093 and impacting all versions of Avast Antivirus and AVG Antivirus - AVG is a subsidiary of Avast and the applications share the core code - the first security flaw could be abused to achieve what SafeBreach describes as self-defense bypass, defense evasion, persistence and privilege escalation.Įxploitation of the bug requires administrative privileges, but could lead to loading a malicious DLL into multiple processes that run as NT AUTHORITYSYSTEM. Vulnerabilities in Avast Antivirus, AVG Antivirus, and Avira Antivirus could allow an attacker to load a malicious DLL file in an effort to bypass defenses and escalate privileges, SafeBreach Labs security researchers discovered.
0 kommentar(er)
