Exploitation of the vulnerability in Avira antivirus allows bypassing protection on the target system, establishing persistence and escalating privileges.
SafeBreach researchers have discovered a dangerous vulnerability in the Avira 2019 antivirus program (CVE-2019-17449). Exploiting it allows an attacker to bypass protection on the target system, establish persistence and escalate privileges by loading an arbitrary unsigned DLL.
“The vulnerability gives attackers the ability to load and execute malicious payloads within the context of Avira signed processes. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass,” SafeBreach experts write.
SafeBreach experts tested the Avira ServiceHost service (the Avira Launcher service). Avira ServiceHost is a signed process that runs with NT AUTHORITY\SYSTEM privileges and is the first service installed once the installation starts. According to the experts, on startup Avira.ServiceHost.exe attempts to load the missing Wintrust.dll library from its own directory. The vulnerability affects Avira Launcher versions below 1.2.137 and Avira Software Updater versions below 220.127.116.1194.
As a rule, anti-virus solutions restrict any modification (adding, writing or changing files, for example) in their folders by means of a minifilter driver that enforces a read-only policy for every user, including Administrator. As part of the experiment, the researchers compiled an arbitrary DLL that writes to a text file the name of the process that loaded it, the name of the user that executed it, and the name of the DLL itself.
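The two paragraphs above describe the mechanism (a SYSTEM service looking for a missing system DLL in its own directory) and the way the researchers proved it. The defensive counterpart is an audit of the service's install folder for files that carry the name of a Windows system DLL, since any such file would be picked up ahead of the genuine copy. The script below is an added example, not SafeBreach's or Avira's code: Wintrust.dll is the name given on the page, the other names on the watch-list are an assumption (well-known Windows DLLs that normally do not belong in an application folder), and the directories in `demo()` are constructed temp folders so it runs anywhere; on Windows you would point it at the service's real install folder and `C:\Windows\System32`.

```python
"""Audit an application directory for DLLs that shadow Windows system DLLs.

A service that resolves a missing system DLL from its own directory loads
whatever file of that name sits there. This check lists such files and says
whether each one is byte-identical to the copy in the system directory.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed watch-list: Wintrust.dll comes from the article; the rest are
# well-known Windows DLLs that an application folder normally should not contain.
WATCHED_DLLS = {"wintrust.dll", "version.dll", "cryptsp.dll", "dbghelp.dll"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large DLLs are not held in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _index_by_lower_name(directory: Path) -> dict:
    """Map lower-cased file names to paths, mimicking Windows' case-insensitive lookup."""
    return {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}


def find_shadowing_dlls(app_dir, system_dir, watched=WATCHED_DLLS):
    """Return findings for every watch-listed DLL name present in app_dir.

    Each finding is a dict with the DLL name, its path and 'matches_system':
    True  -> byte-identical to the copy in system_dir (a redistributed copy),
    False -> differs from the system copy (investigate: unsigned/planted file?),
    None  -> system_dir has no file of that name.
    """
    app_index = _index_by_lower_name(app_dir)
    sys_index = _index_by_lower_name(system_dir)
    findings = []
    for name in sorted(watched):
        if name not in app_index:
            continue
        app_copy = app_index[name]
        sys_copy = sys_index.get(name)
        matches = None if sys_copy is None else sha256_of(app_copy) == sha256_of(sys_copy)
        findings.append({"name": name, "path": str(app_copy), "matches_system": matches})
    return findings


def demo():
    """Constructed scenario: a fake System32 next to a fake service install folder."""
    root = Path(tempfile.mkdtemp(prefix="dll-audit-"))
    system32 = root / "System32"
    app = root / "ServiceHost"  # hypothetical install folder name
    system32.mkdir()
    app.mkdir()
    # Constructed file contents; real DLLs are PE images, only the bytes matter for hashing.
    (system32 / "wintrust.dll").write_bytes(b"genuine wintrust bytes")
    (system32 / "version.dll").write_bytes(b"genuine version bytes")
    (app / "Wintrust.dll").write_bytes(b"unsigned file placed in app folder")  # differs from system copy
    (app / "version.dll").write_bytes(b"genuine version bytes")               # identical redistributed copy
    (app / "app.dll").write_bytes(b"the service's own library")               # not on the watch-list
    return find_shadowing_dlls(app, system32)


if __name__ == "__main__":
    labels = {True: "identical to system copy", False: "DIFFERS from system copy", None: "no system copy"}
    for finding in demo():
        print(f"{finding['name']}: {finding['path']} ({labels[finding['matches_system']]})")
```

A hash mismatch is a prompt to look further (Authenticode signature, publisher, file version), not a verdict on its own; vendors do legitimately ship private copies of some system DLLs, which is why the identical case is reported separately rather than suppressed.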
“We managed to load an arbitrary DLL and execute the code inside Avira.ServiceHost.exe, which was signed by Avira Operations GmbH & Co. KG and is executed as NT AUTHORITY\SYSTEM,” the experts say.
The researchers managed to carry out the same actions with other Avira services (System Speedup, Software Updater and Optimizer Host).
The experts identified three types of attack that this vulnerability makes possible: bypassing anti-virus protection; loading and executing a malicious payload in the context of an Avira-signed process; and ensuring persistence on the system.