Author Topic: Stop Avast running as root  (Read 989 times)

0 Members and 1 Guest are viewing this topic.

Offline Bob Jones

  • Newbie
  • *
  • Posts: 10
Stop Avast running as root
« on: May 02, 2021, 04:25:05 AM »
Simply put, Avast runs its processes as the root user.

As the Avast application (and its binaries) are located under the writable /Applications/, that makes it vulnerable to privilege escalation.

Is there any way to force Avast to run under the user instead of as root?

Offline bob3160

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 47056
  • 62 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Stop Avast running as root
« Reply #1 on: May 02, 2021, 07:15:09 PM »
Simply put, Avast runs its processes as the root user.

As the Avast application (and its binaries) are located under the writable /Applications/, that makes it vulnerable to privilege escalation.

Is there any way to force Avast to run under the user instead of as root?
The short answer is NO.
I've reported this to Avast. Maybe they can give you a detailed answer.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v21H2 64bit, 16 Gig Ram, 1TB SSD, Avast One 21.11, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://b

Offline jakub.bednar

  • Avast team
  • Jr. Member
  • *
  • Posts: 51
Re: Stop Avast running as root
« Reply #2 on: May 03, 2021, 08:41:06 AM »
Hello,

I do not understand why you think Avast should be vulnerable to privilege escalation. Maybe you can elaborate a bit more?

In the meantime I will try to describe to you our security measures.

  • Our application is placed in /Applications, but it is owned by root:wheel so you have to be administrator/root to copy/remove any files from the application directory. It is signed and notarized.
  • Our services/demons do run as root. They are launched by launchd. They open a UNIX socket owned by root so no non-root process can connect to them or control our services.
  • There is a single socket opened to everyone. It is a UNIX socket of our gateway process. There are clear settings what commands can be sent to it only by root and what commands can be sent by anybody. The gateway rejects any unauthorized requests.
  • UI runs under normal user and when it wants to perform a privileged operation, it has to contact our privileged XPC service. When any connection arrives to this XPC, it first does a self-signature check of the entire bundle inside /Applications including a hardened runtime check. If it passes, it accepts the connection and does the same check for the other side of the connection, making sure that the process connecting is our UI process and is properly signed.

We had a 3rd party penetration testing done by VerSprite and they did not find any attack vector to penetrate our Software. Still if you are aware and can successfully perform an attack that could breach our Software, Avast has a bounty program to reward anyone who helps us find such vulnerabilities. Feel free to apply your findings. It has to be a working set of steps that we can reproduce to verify that the problem exists and you can e.g. use Avast to perform arbitrary commands as root.

I hope this dispels your concerns.

Best regards,

Jakub