Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: toadlife on March 12, 2006, 07:05:56 AM

Title: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: toadlife on March 12, 2006, 07:05:56 AM
HI everyone,

I use Avast Home and noticed that upon installing Avast creates insecure permissions in the program directory that can allow any user to gain administrative access on the machine. Avast gives "BUILTIN\Everyone" full control of just about every file under the program directory. This includes the executables that are executed by the system as services. To gain admin access, a regular use need only replace the one of the Avast executables that run as a system service with a trojan, and reboot the machine.

I emailed to Avast support but got no reply.

You can fix this problem by resetting the permissions of the files under the avast program directory to the defaults, which only give regular users read-only rights.
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: Lisandro on March 12, 2006, 10:11:40 AM
First of all, welcome and thanks for posting.
Maybe I'm wrong but this:

To gain admin access, a regular use need only replace the one of the Avast executables that run as a system service with a trojan, and reboot the machine.

cannot be done by a regular user, only an user with administrator rights could change that and, this one, could done almost everything as he has rights for...

Am I missing something?  ::)
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: igor on March 12, 2006, 12:17:21 PM
Yes, I can confirm the problem - it's an unfortune mistake regarding the file extraction (btw, if your TEMP folder is on a different drive than your avast! installation folder, you won't be affected).
The problem will be corrected in the next avast! update.
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: RejZoR on March 12, 2006, 12:52:56 PM
But as far as i can tell avast! checks integrity of critical program files (i know coz i wanted to replace some icon and it warned me right away).
Haven't tested how it works after fresh boot...
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: Lisandro on March 12, 2006, 01:52:14 PM
Yes, I can confirm the problem - it's an unfortune mistake regarding the file extraction (btw, if your TEMP folder is on a different drive than your avast! installation folder, you won't be affected).
Why do other applications avoid changing the 'service' settings (at least, disabling or changing the executable)?

The problem will be corrected in the next avast! update.
It would be great that you do not wait that longer to make it...
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: mauserme on March 12, 2006, 09:34:44 PM
The problem will be corrected in the next avast! update.
It would be great that you do not wait that longer to make it...
Especially now that its been publicized.
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: CharleyO on March 13, 2006, 12:03:11 AM
***

Welcome to the forums, toadlife.    :)

Thank you for posting this info. Hopefully, the Avast team will make a quick program update to fix this.   

Please come back often, learn more, and maybe help others.    :)


***
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: toadlife on March 13, 2006, 02:32:26 AM
The problem will be corrected in the next avast! update.
It would be great that you do not wait that longer to make it...
Especially now that its been publicized.

I wouldn't panic.

If you are a home user, and run as a regular user (I do), a peice of malware would have to specifically target Avast. As it is 98% of Windows users run as admin anyway, and malware assumes these permissions when it runs. The chances of this issue being exploited are very small IMO.

One place where I would be a little concerned is in business or educational settings (If this issue affects the pro version), where computers are locked down.  For example, at a school that uses Avast on it's lab computers an enterprising student could gain admin rights to a lab machine, or even a server depending on how things are set up.

To fix this issue:

If you are running Windows XP Pro:

1) Make sure simple file sharing is turned off.

To turn simple file sharing off, open up an Explorer window (My Computer will do), click on "folder options", click on the "view" tab and uncheck the box that says "Use Simple File Sharing". This will allow you to view file permissions for files and folder

2) Browse to your avast program directory (e.g. c:\program files\Alwil Software)
3) Right-click on the folder, select "properties" from the menu and then click on the "Security" tab
4) Click on the "Advanced" button
5) Click on the checkbox that says "Replace permission entries on all child objects with entries shown here that apply to child objects"
6) Click "Apply" and then "Yes" to the prompt

You may want to turn simple file sharing back on after you are done.

If you are running Windows XP Home:

1) Restart your computer and start Windows in "Safe Mode", by pressing F8 before Windows loads.
2) Log in as "Administrator" (You must log in as the built in administrator account to view file permissions in XP Home)
3) Browse to your avast program directory (e.g. c:\program files\Alwil Software)
4) Right-click on the folder, select "properties" from the menu and then click on the "Security" tab
5) Click on the "Advanced" button
6) Click on the checkbox that says "Replace permission entries on all child objects with entries shown here that apply to child objects"
7) Click "Apply" and then "Yes" to the prompt


For XP Home users, instead of starting in safe mode, you can also install the program "ACLView (http://www.nativecs.com/page.en.php?f=data/en/aclview.desc)". It allows you to modify file/folder permissions without having to start up in safe mode. I can't tell you how to reset the permission with ACLView though, because I've havn't actually used it.
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: Lisandro on March 13, 2006, 02:46:06 AM
I wouldn't panic. To fix this issue
Worked like a charm. But, will the non-administrator users be able to update the virus database this way?
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: toadlife on March 13, 2006, 03:40:35 AM
I wouldn't panic. To fix this issue
Worked like a charm. But, will the non-administrator users be able to update the virus database this way?

Yes. AFAIK, everything should still work properly.
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: mauserme on March 14, 2006, 01:09:46 AM
Thanks toadfile.
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: crofty59 on March 21, 2006, 04:29:50 AM
Hi everyone.

This vunerability has now been reported at Secunia

http://secunia.com/advisories/19284/

Cheers
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: justin1278 on March 21, 2006, 07:32:54 PM
Good find toadlife,

Thank you for reporting this problem to Alwil now they can fix it and make avast! even better and more secure. If Symantec had this problem I would bet that they would not listen, or they would update it in the next major release (about once a year) and charge you money to upgrade it. That is IMHO.
Title: Re: Priviledge Escalation vulnerability caused by Avast 4.x
Post by: DavidR on March 21, 2006, 08:22:11 PM
Yes, a very good find toadlife.

Also one of the links from that Secunia page show avast isn't alone in this Privilege Escalation issue, thankfully Igor notes it will be corrected in the next avast update; toadlife give us a work around for those that feel it warrants it, thanks for your efforts.