Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: A. User on March 21, 2017, 11:41:01 PM

Title: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: A. User on March 21, 2017, 11:41:01 PM
More info here: https://www.bleepingcomputer.com/news/security/new-attack-uses-microsofts-application-verifier-to-hijack-antivirus-software/
This is one more reason to bring back the Early Launch Antimalware (the security component that you removed for unknown reasons after acquiring AVG) which is a prerequisite for registering Avast service as a protected antimalware service.  :)


AVG has been patched, what about Avast?
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: bob3160 on March 22, 2017, 01:11:46 AM
Reported to Avast.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Charyb-0 on March 22, 2017, 01:28:01 AM

This article shows that Protected Processes has been available for more than 3 years and that no antivirus other than Windows Defender is using it. I wonder why not?

http://cybellum.com/doubleagent-taking-full-control-antivirus/

Quote
Mitigation
Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design, even though Microsoft made this design available more than 3 years ago. It’s important to note that even when the antivirus vendors would block the registration attempts, the code injection technique and the persistency technique would live forever since it’s a legitimate part of the OS.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Be Secure on March 22, 2017, 04:06:18 AM
Quote from: A. User on March 21, 2017, 11:41:01 PM
More info here: https://www.bleepingcomputer.com/news/security/new-attack-uses-microsofts-application-verifier-to-hijack-antivirus-software/
This is one more reason to bring back the Early Launch Antimalware (the security component that you removed for unknown reasons after acquiring AVG) which is a prerequisite for registering Avast service as a protected antimalware service.  :)


AVG has been patched, what about Avast?
Detail

Code injection vulnerability in Avast Premier 12.3 (and earlier), Internet Security 12.3 (and earlier), Pro Antivirus 12.3 (and earlier), and Free Antivirus 12.3 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Avast process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.
https://hackertor.com/2017/03/21/na-cve-2017-5567-code-injection-vulnerability-in-avast-premier/
http://www.security-database.com/detail.php?alert=CVE-2017-5567
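The CVE text quoted above describes the registration DoubleAgent depends on: a verifier provider DLL entered under Image File Execution Options, and a bypass that temporarily renames that key. The following audit script is an added example (not Avast's or Cybellum's code) that lists such registrations and looks for renamed IFEO keys; it assumes an elevated PowerShell session on Windows, and the watched process names are taken from later posts in this thread.

```powershell
# Added example, not Avast's or Cybellum's code: audit the Image File Execution
# Options (IFEO) registry for Application Verifier provider registrations, the
# mechanism the CVE text above describes. Run in an elevated PowerShell session.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-VerifierRegistration {
    # Lists every IFEO image key that names a verifier provider DLL.
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p.VerifierDlls) { continue }
            $flag = if ($p.GlobalFlag) { [int]$p.GlobalFlag } else { 0 }
            [pscustomobject]@{
                Image        = $key.PSChildName
                VerifierDlls = $p.VerifierDlls
                # 0x100 is FLG_APPLICATION_VERIFIER; without it the DLL is not loaded
                Enabled      = (($flag -band 0x100) -ne 0)
                Hive         = $root
            }
        }
    }
}

function Get-RenamedIfeoKey {
    # The bypass in the CVE text renames the IFEO key; look for sibling keys
    # whose names are variations of "Image File Execution Options".
    $parent = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Get-ChildItem -LiteralPath $parent |
        Where-Object { $_.PSChildName -like '*Image File Execution*' -and
                       $_.PSChildName -ne 'Image File Execution Options' } |
        Select-Object -ExpandProperty PSChildName
}

# Process names taken from this thread; any other image with a verifier DLL is
# still worth reviewing, since Application Verifier is rarely used outside debugging.
$AvProcesses = @('AvastSvc.exe', 'afwServ.exe', 'aswidsagent.exe')
foreach ($reg in Get-VerifierRegistration) {
    $tag = if ($AvProcesses -contains $reg.Image) { 'ALERT' } else { 'review' }
    "[{0}] {1}: VerifierDlls='{2}' enabled={3}" -f $tag, $reg.Image, $reg.VerifierDlls, $reg.Enabled
}
Get-RenamedIfeoKey | ForEach-Object { "[ALERT] renamed IFEO key present: $_" }
```

A clean machine normally prints nothing; developer machines that use Application Verifier legitimately will show entries tagged "review".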
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Be Secure on March 22, 2017, 07:59:15 AM
The proof-of-concept code he's referring to is available on GitHub.
https://github.com/Cybellum/DoubleAgent#installation
Any news from Avast's side?
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: REDACTED on March 22, 2017, 07:59:57 AM
So, that's a feature MS introduced in Win 8.1. Does that mean that feature would not be available in Win 7 and so the Antivirus program will always be vulnerable? Anyone knows?
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: A. User on March 22, 2017, 08:55:46 AM
So, that's a feature MS introduced in Win 8.1. Does that mean that feature would not be available in Win 7 and so the Antivirus program will always be vulnerable? Anyone knows?
Maybe Microsoft will fix their part of the vulnerability and Avast their part. But for Avast to be a protected service and for Windows to block 3rd party injections into the process you will need ELAM, which is only available on Windows 8 and above. We really are the ones who need to push Avast to make their product better; I guess that otherwise they won't do anything.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Spec8472 on March 22, 2017, 11:23:43 AM
Only Avast 12.3 (and older) versions are vulnerable.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Spec8472 on March 22, 2017, 11:30:01 AM
Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Be Secure on March 22, 2017, 11:39:13 AM
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Asyn on March 22, 2017, 11:42:25 AM
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Be Secure on March 22, 2017, 11:44:37 AM
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910
Is the vulnerability fixed in version 17??
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Asyn on March 22, 2017, 11:46:04 AM
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910
Is the vulnerability fixed in version 17??
Yep.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Be Secure on March 22, 2017, 11:46:53 AM
Only Avast 12.3 (and older) versions are vulnerable.
The tests were done on the latest version of the vendor on Windows 10 x64 using our POC code.
Spec is right, read here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5567

Technical details: https://forum.avast.com/index.php?topic=66267.msg1379910#msg1379910
Is the vulnerability fixed in version 17??
Yep.
Ok. :D
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: A. User on March 22, 2017, 02:56:21 PM
Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)
But how? You need to use Early Launch Antimalware in order to be able to specify AvastSvc.exe as a protected service. Maybe you mean that you have taken unofficial quirks to protect the service? AVG had an option for Early Launch Antimalware in the menu, and also had a driver in %SystemRoot%\ELAMBKUP named avgboota.sys. Every AV that utilizes ELAM needs to have a backup driver located there by specification, and ELAM is a prerequisite for Protected Service. It is good to take every single technology to provide better protection, especially when other reputable providers actually do this. I see that you use AMSI. You should also use ELAM with measured boot. Please clarify more for us, we just want to help.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: DavidR on March 22, 2017, 03:13:26 PM
Quote from: A. User on March 22, 2017, 02:56:21 PM
Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)
<snip>
I see that you use AMSI. You should also use ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: A. User on March 22, 2017, 03:30:44 PM
Quote from: A. User on March 22, 2017, 02:56:21 PM
Also don't worry about anti malware processes, all our services are anti-malware processes in both Avast/Avg (starting version 17)
<snip>
I see that you use AMSI. You should also use ELAM with measured boot. Please clarify more for us, we just want to help.

I wonder how much clarification could be given in a publicly available forum, lest the information could be used to try and exploit that.
I'm not asking about implementation details or source code, I'm just asking them to tell me if they have implemented it (because I doubt it) in spite of the specification and requirements in the absence of evidence.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Spec8472 on March 22, 2017, 03:46:28 PM
Liubomir, I'm not going to tell you about the implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in the Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: procexp.exe must be executed elevated (Run as administrator).
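The Process Explorer check above reads the same kernel protection level that the Protected Processes quote earlier in the thread refers to. As an added example (not Avast's code, and not how Process Explorer is implemented internally), the script below queries that level directly through NtQueryInformationProcess; it assumes Windows 8.1 or later, an elevated PowerShell session, and uses the three Avast process names given in the post.

```powershell
# Added example, not Avast's code: read the PS_PROTECTION byte of a process via
# NtQueryInformationProcess, the value Process Explorer's Protection column shows.
# Windows 8.1 or later, run elevated. Process names are from this thread.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr hProcess, int infoClass, out byte info, int infoLength, out int returned);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Get-ProcessProtection {
    param([int]$ProcessId)
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is granted even on protected processes
    $h = [ProcProt]::OpenProcess(0x1000, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }
    try {
        [byte]$level = 0; [int]$ret = 0
        # 61 = ProcessProtectionInformation; the result is one PS_PROTECTION byte:
        # bits 0-2 type, bit 3 audit, bits 4-7 signer
        if ([ProcProt]::NtQueryInformationProcess($h, 61, [ref]$level, 1, [ref]$ret) -ne 0) { return $null }
        $types   = @('None', 'Light', 'Full')
        $signers = @('None', 'Authenticode', 'CodeGen', 'Antimalware', 'Lsa', 'Windows', 'WinTcb', 'WinSystem', 'App')
        [pscustomobject]@{
            Type   = $types[$level -band 0x7]
            Signer = $signers[($level -shr 4) -band 0xF]
            # Process Explorer renders 0x31 as PsProtectedSignerAntimalware-Light
            Raw    = ('0x{0:X2}' -f $level)
        }
    } finally { [void][ProcProt]::CloseHandle($h) }
}

foreach ($proc in Get-Process -Name AvastSvc, afwServ, aswidsagent -ErrorAction SilentlyContinue) {
    $prot = Get-ProcessProtection -ProcessId $proc.Id
    if ($null -eq $prot) { "{0} ({1}): could not query" -f $proc.ProcessName, $proc.Id; continue }
    "{0} ({1}): signer={2} type={3} raw={4}" -f $proc.ProcessName, $proc.Id, $prot.Signer, $prot.Type, $prot.Raw
}
```

A service reporting signer=None type=None is running as an ordinary process and gets no protected-process defence against injection, whatever the product's own self-defense does.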
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: A. User on March 22, 2017, 03:48:21 PM
Liubomir, I'm not going to tell you about the implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in the Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled.
Okay, this is good to know. :) Do you have any plans about ELAM?
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Spec8472 on March 22, 2017, 04:02:57 PM
No, we've found it unworthy.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: A. User on March 22, 2017, 04:03:58 PM
No, we've found it unworthy
Okay, you know better. Have a nice day!
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: SchaOn2 on March 22, 2017, 06:38:08 PM
Liubomir, I'm not going to tell you about the implementation, but you can check it with Process Explorer (View->Select Columns->Process Image->Protection checkbox). You should see PsProtectedSignerAntimalware-Light for Avast service processes (AvastSvc.exe/afwServ.exe/aswidsagent.exe) in the Protection column. On supported OSes only of course (Windows 8.1 or later). Also, self-defense must be enabled. One more thing: procexp.exe must be executed elevated (Run as administrator).

It seems that Avast Business Security 17.2.2517 build 17.2.3419.64 is still UNprotected at the moment... or is there something special that we have to do to get this turned on?

FYI --- running Windows 10 (fully up-to-date).
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: REDACTED on March 24, 2017, 04:11:09 PM
Quote
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.”

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: REDACTED on March 24, 2017, 08:10:29 PM
Quote
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.”

https://www.scmagazine.com/microsoft-tool-exploit-doubleagent-can-turn-antivirus-software-into-your-worst-enemy/article/646173/
One should be aware, though, that in Windows 10 those logging in with their MS Account (the default) run as administrator at all times. While not difficult to set up, MS kind of hides the ability to use local accounts, and if somebody with a local standard (non-admin) account ever starts using their MS Account (which automatically changes the user account to administrator) it's quite fiddly and time-consuming to reverse the process. So simply brushing off an issue because "if they're admin they can do anything" is perhaps not realistic?
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: bob3160 on March 24, 2017, 08:29:05 PM
@ mjbrady,
I believe the Admin reference was primarily directed toward those still using an older version of Avast.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Patrick2 on March 24, 2017, 10:25:09 PM
@mjbrady

I personally have used a Microsoft account all the time since Windows 8.0, 8.1, and Windows 10 Pro, always set my secondary local account as Admin, and personally change my Microsoft Account login to Standard user, so no, it doesn't run as Admin all the time. To change the account type, open Control Panel, User Accounts, Change account type, switch the local account to Admin, then switch the Microsoft Account login to Standard. Done.


Avast works fine, all programs do as well

Sometimes get Popup from UAC for Admin account password, but otherwise don't mind that at all

Just thought I'd point that out regarding that.

Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: top_stuff on March 25, 2017, 08:15:44 PM
Will 12.3.2280 be patched? I find it to be the most stable version to use.
Title: Re: AV products vulnerable to attack through Microsoft Application Verifier.
Post by: Asyn on March 25, 2017, 08:21:43 PM
Will 12.3.2280 be patched? I find it to be the most stable version to use.
I doubt that outdated versions get patched.