Author Topic: Privilege Escalation vulnerability caused by Avast 4.x


toadlife

  • Guest
Privilege Escalation vulnerability caused by Avast 4.x
« on: March 12, 2006, 07:05:56 AM »
Hi everyone,

I use Avast Home and noticed that, upon installing, Avast creates insecure permissions in the program directory that can allow any user to gain administrative access on the machine. Avast gives "BUILTIN\Everyone" full control of just about every file under the program directory. This includes the executables that are executed by the system as services. To gain admin access, a regular user need only replace one of the Avast executables that run as a system service with a trojan, and reboot the machine.

I emailed Avast support but got no reply.

You can fix this problem by resetting the permissions of the files under the avast program directory to the defaults, which only give regular users read-only rights.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #1 on: March 12, 2006, 10:11:40 AM »
First of all, welcome and thanks for posting.
Maybe I'm wrong but this:

To gain admin access, a regular user need only replace one of the Avast executables that run as a system service with a trojan, and reboot the machine.

cannot be done by a regular user; only a user with administrator rights could change that, and this one could do almost everything, as he has the rights for it...

Am I missing something?  ::)
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #2 on: March 12, 2006, 12:17:21 PM »
Yes, I can confirm the problem - it's an unfortunate mistake regarding the file extraction (btw, if your TEMP folder is on a different drive than your avast! installation folder, you won't be affected).
The problem will be corrected in the next avast! update.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #3 on: March 12, 2006, 12:52:56 PM »
But as far as I can tell avast! checks integrity of critical program files (I know coz I wanted to replace some icon and it warned me right away).
Haven't tested how it works after fresh boot...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #4 on: March 12, 2006, 01:52:14 PM »
Yes, I can confirm the problem - it's an unfortunate mistake regarding the file extraction (btw, if your TEMP folder is on a different drive than your avast! installation folder, you won't be affected).
Why do other applications avoid changing the 'service' settings (at least, disabling or changing the executable)?

The problem will be corrected in the next avast! update.
It would be great if you did not wait that long to make it...

mauserme

  • Guest
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #5 on: March 12, 2006, 09:34:44 PM »
The problem will be corrected in the next avast! update.
It would be great if you did not wait that long to make it...
Especially now that it's been publicized.

CharleyO

  • Guest
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #6 on: March 13, 2006, 12:03:11 AM »
***

Welcome to the forums, toadlife.    :)

Thank you for posting this info. Hopefully, the Avast team will make a quick program update to fix this.   

Please come back often, learn more, and maybe help others.    :)


***

toadlife

  • Guest
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #7 on: March 13, 2006, 02:32:26 AM »
The problem will be corrected in the next avast! update.
It would be great if you did not wait that long to make it...
Especially now that it's been publicized.

I wouldn't panic.

If you are a home user, and run as a regular user (I do), a piece of malware would have to specifically target Avast. As it is, 98% of Windows users run as admin anyway, and malware assumes these permissions when it runs. The chances of this issue being exploited are very small IMO.

One place where I would be a little concerned is in business or educational settings (if this issue affects the pro version), where computers are locked down. For example, at a school that uses Avast on its lab computers, an enterprising student could gain admin rights to a lab machine, or even a server depending on how things are set up.

To fix this issue:

If you are running Windows XP Pro:

1) Make sure simple file sharing is turned off.

To turn simple file sharing off, open up an Explorer window (My Computer will do), click on "folder options", click on the "view" tab and uncheck the box that says "Use Simple File Sharing". This will allow you to view file permissions for files and folders.

2) Browse to your avast program directory (e.g. c:\program files\Alwil Software)
3) Right-click on the folder, select "properties" from the menu and then click on the "Security" tab
4) Click on the "Advanced" button
5) Click on the checkbox that says "Replace permission entries on all child objects with entries shown here that apply to child objects"
6) Click "Apply" and then "Yes" to the prompt

You may want to turn simple file sharing back on after you are done.

If you are running Windows XP Home:

1) Restart your computer and start Windows in "Safe Mode", by pressing F8 before Windows loads.
2) Log in as "Administrator" (You must log in as the built in administrator account to view file permissions in XP Home)
3) Browse to your avast program directory (e.g. c:\program files\Alwil Software)
4) Right-click on the folder, select "properties" from the menu and then click on the "Security" tab
5) Click on the "Advanced" button
6) Click on the checkbox that says "Replace permission entries on all child objects with entries shown here that apply to child objects"
7) Click "Apply" and then "Yes" to the prompt


For XP Home users, instead of starting in safe mode, you can also install the program "ACLView". It allows you to modify file/folder permissions without having to start up in safe mode. I can't tell you how to reset the permissions with ACLView though, because I haven't actually used it.
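
The permission problem described in the first post, and the reset procedure in the post above, can be verified with an audit script. This is an added example, not part of the original thread and not Avast tooling; it assumes PowerShell 3.0 or later, and the default `$Root` is the example install path from the post.

```powershell
# Added example: list files under a program directory that ordinary users
# can modify, and mark the ones that are registered service executables.
param(
    [string]$Root = 'C:\Program Files\Alwil Software'  # assumption: path from the post
)

# Well-known SIDs of groups that contain non-administrative users.
# SIDs are used instead of names so the check works on localized systems.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that allow a file to be replaced or altered (no read-only bits).
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

# Executable paths of all registered services. PathName may be quoted and
# may carry arguments, so keep only the part up to the first ".exe".
$servicePaths = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match '^\s*"?([^"]+?\.exe)' } |
    ForEach-Object { $Matches[1] }

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        foreach ($rule in (Get-Acl -LiteralPath $file.FullName).Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }

            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($broadSids -notcontains $sid) { continue }

            # Skip rules that grant only read/execute access.
            if (([int]$rule.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $file.FullName
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
                IsService = ($servicePaths -contains $file.FullName)
            }
        }
    } |
    Sort-Object IsService -Descending |
    Format-Table -AutoSize
```

An empty result after the permission reset means no file under `$Root` is writable by those groups; any row with `IsService` set to `True` is a service binary that a non-administrator could replace.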

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #8 on: March 13, 2006, 02:46:06 AM »
I wouldn't panic. To fix this issue
Worked like a charm. But, will the non-administrator users be able to update the virus database this way?

toadlife

  • Guest
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #9 on: March 13, 2006, 03:40:35 AM »
I wouldn't panic. To fix this issue
Worked like a charm. But, will the non-administrator users be able to update the virus database this way?

Yes. AFAIK, everything should still work properly.

mauserme

  • Guest
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #10 on: March 14, 2006, 01:09:46 AM »
Thanks, toadlife.

crofty59

  • Guest
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #11 on: March 21, 2006, 04:29:50 AM »
Hi everyone.

This vulnerability has now been reported at Secunia:

http://secunia.com/advisories/19284/

Cheers

justin1278

  • Guest
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #12 on: March 21, 2006, 07:32:54 PM »
Good find toadlife,

Thank you for reporting this problem to Alwil; now they can fix it and make avast! even better and more secure. If Symantec had this problem I would bet that they would not listen, or they would update it in the next major release (about once a year) and charge you money to upgrade it. That is IMHO.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Privilege Escalation vulnerability caused by Avast 4.x
« Reply #13 on: March 21, 2006, 08:22:11 PM »
Yes, a very good find toadlife.

Also, one of the links from that Secunia page shows avast isn't alone in this Privilege Escalation issue; thankfully Igor notes it will be corrected in the next avast update. toadlife gives us a workaround for those that feel it warrants it, thanks for your efforts.