Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: Bob Jones on May 02, 2021, 04:25:05 AM

Title: Stop Avast running as root
Post by: Bob Jones on May 02, 2021, 04:25:05 AM

Simply put, Avast runs its processes as the root user.

As the Avast application (and its binaries) are located under the writable /Applications/, that makes it vulnerable to privilege escalation.

Is there any way to force Avast to run under the user instead of as root?

Title: Re: Stop Avast running as root
Post by: bob3160 on May 02, 2021, 07:15:09 PM

Quote from: Bob Jones on May 02, 2021, 04:25:05 AM

Simply put, Avast runs its processes as the root user.

As the Avast application (and its binaries) are located under the writable /Applications/, that makes it vulnerable to privilege escalation.

Is there any way to force Avast to run under the user instead of as root?

The short answer is NO.
I've reported this to Avast. Maybe they can give you a detailed answer.

Title: Re: Stop Avast running as root
Post by: jakub.bednar on May 03, 2021, 08:41:06 AM

Hello,

I do not understand why you think Avast should be vulnerable to privilege escalation. Maybe you can elaborate a bit more?

In the meantime I will try to describe to you our security measures.

• Our application is placed in /Applications, but it is owned by root:wheel so you have to be administrator/root to copy/remove any files from the application directory. It is signed and notarized.
• Our services/demons do run as root. They are launched by launchd. They open a UNIX socket owned by root so no non-root process can connect to them or control our services.
• There is a single socket opened to everyone. It is a UNIX socket of our gateway process. There are clear settings what commands can be sent to it only by root and what commands can be sent by anybody. The gateway rejects any unauthorized requests.
• UI runs under normal user and when it wants to perform a privileged operation, it has to contact our privileged XPC service. When any connection arrives to this XPC, it first does a self-signature check of the entire bundle inside /Applications including a hardened runtime check. If it passes, it accepts the connection and does the same check for the other side of the connection, making sure that the process connecting is our UI process and is properly signed.

We had a 3rd party penetration testing done by VerSprite and they did not find any attack vector to penetrate our Software. Still if you are aware and can successfully perform an attack that could breach our Software, Avast has a bounty program to reward anyone who helps us find such vulnerabilities. Feel free to apply your findings. It has to be a working set of steps that we can reproduce to verify that the problem exists and you can e.g. use Avast to perform arbitrary commands as root.

I hope this dispels your concerns.

Best regards,

Jakub