Vulnerabilities in Avast Antivirus, AVG Antivirus, and Avira Antivirus could allow an attacker to load a malicious DLL file in an effort to bypass defenses and escalate privileges, SafeBreach Labs security researchers discovered.
Tracked as CVE-2019-17093 and impacting all versions of Avast Antivirus and AVG Antivirus — AVG is a subsidiary of Avast and the applications share the core code — the first security flaw could be abused to achieve what SafeBreach describes as self-defense bypass, defense evasion, persistence and privilege escalation.
Exploitation of the bug requires administrative privileges, but could lead to loading a malicious DLL into multiple processes that run as NT AUTHORITYSYSTEM.
The researchers discovered that AVGSvc.exe, an AM-PPL (Anti-Malware Protected Process Light), tries to load a DLL at start, but it searches for the file in the wrong folder.
Due to protection mechanisms inside antivirus applications, writing a DLL to one of the application’s folders if forbidden even to administrators. However, this self-defense mechanism can be bypassed by writing a DLL file to an unprotected folder from which the application loads components.
“Loading unsigned code into an AM-PPL is generally not allowed, because of the code integrity mechanism. Any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate,” SafeBreach Labs explains.
To exploit the vulnerability, the security researchers compiled an unsigned proxy DLL out of the original. Next, they placed the DLL in C:Program FilesSystem32, where the antivirus software looks for a DLL with the same name, which resulted in the file being loaded with SYSTEM privileges.
“The vulnerability gives attackers the ability to load and execute malicious payloads using multiple signed services, within the context of AVG / Avast signed processes. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass,” the security researchers explain.
The issue was found to impact all editions of Avast Antivirus and AVG Antivirus below version 19.8. A patch was released on September 26.
The researchers found a similar issue in Avira Antivirus 2019 and explain that it too could lead to “defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into multiple signed processes that run as NT AUTHORITYSYSTEM.”
This time, the researchers targeted the Avira ServiceHost service, which is the Avira Launcher service, and which is installed first. When started, the process attempts to load a missing library from its own directory.
By placing their own DLL at that location, the researchers were able to execute code within Avira.ServiceHost.exe. The same is possible for the Avira System Speedup, Avira Software Updater, and Avira Optimizer Host processes.
The researchers reported the vulnerability to Avira on July 22, and the vendor informed them on September 18 that the issue was addressed. MITRE issued CVE-2019-17449 for the vulnerability on October 10.
However, Avira believes the vulnerability would not actually be useful to attackers and it has decided to dispute the CVE.
“The scenario shows that a default OS and product installation would require Administrator privileges to place the malicious DLL File. If one already has admin rights he would gain no new privileges or could simply modify Avira binary or Windows’s to skip all signature checks. So there is no actual privilege escalation,” Avira told SecurityWeek in an emailed comment.
“Avira believes the issue can’t be classified as CVE – therefore, this CVE has already been disputed at MITRE,” the security firm added.
Over the past months, SafeBreach has reported finding similar flaws in software from various vendors, including HP, Dell, Forcepoint, Trend Micro, Bitdefender and Check Point.
*updated with comments and clarifications from Avira