A recent investigation by vulnerability testing specialists at the security firm SafeBreach Labs has revealed a critical vulnerability in the Avira 2019 antivirus software. Tracked as CVE-2019-17449, the flaw could be used to evade target system defenses, gain persistence, and escalate privileges by loading an arbitrary dynamic link library (DLL) that carries no digital signature.
Experts tested the Avira ServiceHost service, which is the Avira Launcher service. This is a signed process that runs as NT AUTHORITY\SYSTEM and is the first component the program installs after the user double-clicks the installer, which makes it a widespread piece of software.
According to the vulnerability testing experts, when it starts, Avira.ServiceHost.exe attempts to load the missing Wintrust.dll library from its own directory.
Avira products typically restrict modifications to their folders (adding or modifying files, and so on) through a mini filter driver that enforces a read-only policy for every user, including the system administrator. Despite this restriction, the specialists proceeded with the tests to determine whether a modification was possible.
In their report, SafeBreach Labs vulnerability testing specialists compiled an arbitrary x86 DLL that writes the following to a text file:
- The name of the process that loaded it
- The username that executed it
- The name of the DLL
Before restarting the computer, the experts placed the file at C:\Program Files (x86)\Avira\Launcher\Wintrust.dll. “We managed to load an arbitrary DLL and execute our code inside Avira.ServiceHost.exe, which was signed by ‘Avira Operations GmbH & Co. KG’ and executed as NT AUTHORITY\SYSTEM”, the experts add.
It was also possible to replicate this process with other Avira services, such as:
- Avira System Speedup
- Avira Software Updater
- Avira Optimizer Host
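The hijack described above leaves a simple trace: a DLL that Windows itself supplies from System32 (here Wintrust.dll) is instead loaded by a service from its own installation folder. The following triage script is an added example, not part of the SafeBreach or Avira material; it runs over constructed Sysmon-style image-load records (field names Image, ImageLoaded, Signed and User are assumed) and flags such loads.

```python
import ntpath
from dataclasses import dataclass

# Folders from which Windows is expected to supply its own DLLs (lower-case,
# because NTFS paths are case-insensitive).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# System DLLs whose absence beside a service binary lets a planted copy win the
# search order. Only the one named on this page is listed; extend as needed.
WATCHED_DLLS = {"wintrust.dll"}


@dataclass
class ImageLoad:
    image: str     # process that performed the load
    loaded: str    # full path of the DLL that was loaded
    signed: bool   # signature status as reported by the sensor
    user: str      # account the loading process runs as


def is_suspicious(ev: ImageLoad) -> bool:
    """True if a watched system DLL was loaded from outside the Windows system folders."""
    name = ntpath.basename(ev.loaded).lower()
    if name not in WATCHED_DLLS:
        return False
    folder = ntpath.dirname(ev.loaded).lower()
    return not folder.startswith(SYSTEM_DIRS)


def parse_record(line: str) -> ImageLoad:
    """Parse one 'Key: value|Key: value' record (constructed layout, not Sysmon XML)."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return ImageLoad(image=fields["Image"], loaded=fields["ImageLoaded"],
                     signed=fields["Signed"].lower() == "true", user=fields["User"])


def triage(lines):
    """Return (process, dll path, signed) for every record that looks like a hijack."""
    events = (parse_record(line) for line in lines)
    return [(ev.image, ev.loaded, ev.signed) for ev in events if is_suspicious(ev)]


# Constructed sample telemetry: a legitimate load, the planted DLL, an unrelated load.
SAMPLE = [
    r"Image: C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe|ImageLoaded: C:\Windows\System32\wintrust.dll|Signed: true|User: NT AUTHORITY\SYSTEM",
    r"Image: C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe|ImageLoaded: C:\Program Files (x86)\Avira\Launcher\Wintrust.dll|Signed: false|User: NT AUTHORITY\SYSTEM",
    r"Image: C:\Windows\explorer.exe|ImageLoaded: C:\Windows\System32\ntdll.dll|Signed: true|User: DESKTOP\alice",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("DLL search-order hijack candidate:", hit)
```

The second record is the only hit: the DLL name matches a system library, but the path sits under the Avira Launcher folder, and the sensor additionally reports it as unsigned.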
Possible attack scenarios
As discussed in the SafeBreach report, vulnerability testing experts at the International Institute of Cyber Security (IICS) describe at least three possible attacks:
- Self-defense evasion: Antivirus software usually has a self-defense mechanism that prevents threat actors from altering its processes and files, mainly through a mini filter driver. If exploited, this vulnerability would allow a hacker to bypass part of this mechanism and load an arbitrary DLL into the antivirus process
- Signed execution/whitelist evasion: By exploiting this flaw, a hacker could load and execute malicious payloads in the context of any process signed by the company, allowing code that would otherwise be flagged as malicious to run, among other tasks
- Persistence mechanism: If exploited, this vulnerability gives hackers the ability to persistently load and execute malicious payloads. In other words, once a threat actor plants a malicious DLL, Avira services will load the malicious code every time the system restarts
The company was duly notified of the vulnerability. In response, Avira has released an update to its Windows services that adds an additional layer of security.
Avira has rolled out an update to its Windows services as a security improvement. The update adds a layer of security after an issue was identified and reported to Avira by SafeBreach.
The scenario shows that a default OS and product installation would require Administrator privileges to place the malicious DLL file. If one already has admin rights, he would gain no new privileges, or could simply modify the Avira binary or Windows to skip all signature checks. So there is no actual privilege escalation.
As part of the automatic daily update, users are automatically served with the latest variant within minutes after starting up their system and at least every two hours afterwards. Tests by the Avira development team have since confirmed that the security update has been effectively distributed to our users.
Avira believes the issue can’t be classified as a CVE – therefore, this CVE has already been disputed at MITRE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17449).