Avast, Avira Products Vulnerable to DLL Hijacking

Vulnerabilities in Avast Antivirus, AVG Antivirus, and Avira Antivirus could allow an attacker to load a malicious DLL file in an effort to bypass defenses and escalate privileges, SafeBreach Labs security researchers discovered.

Tracked as CVE-2019-17093 and impacting all versions of Avast Antivirus and AVG Antivirus — AVG is a subsidiary of Avast and the applications share the core code — the first security flaw could be abused to achieve what SafeBreach describes as self-defense bypass, defense evasion, persistence and privilege escalation.

Exploitation of the bug requires administrative privileges, but could lead to loading a malicious DLL into multiple processes that run as NT AUTHORITY\SYSTEM.

The researchers discovered that AVGSvc.exe, an AM-PPL (Anti-Malware Protected Process Light), tries to load a DLL at start, but it searches for the file in the wrong folder.

Due to protection mechanisms inside antivirus applications, writing a DLL to one of the application’s folders is forbidden even to administrators. However, this self-defense mechanism can be bypassed by writing a DLL file to an unprotected folder from which the application loads components.

“Loading unsigned code into an AM-PPL is generally not allowed, because of the code integrity mechanism. Any non-Windows DLLs that get loaded into the protected process must be signed with an appropriate certificate,” SafeBreach Labs explains.

To exploit the vulnerability, the security researchers compiled an unsigned proxy DLL out of the original. Next, they placed the DLL in C:\Program Files\System32, where the antivirus software looks for a DLL with the same name, which resulted in the file being loaded with SYSTEM privileges.

“The vulnerability gives attackers the ability to load and execute malicious payloads using multiple signed services, within the context of AVG / Avast signed processes. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass,” the security researchers explain.

The issue was found to impact all editions of Avast Antivirus and AVG Antivirus below version 19.8. A patch was released on September 26.

The researchers found a similar issue in Avira Antivirus 2019 and explain that it too could lead to “defense evasion, persistence and privilege escalation by loading an arbitrary unsigned DLL into multiple signed processes that run as NT AUTHORITY\SYSTEM.”

This time, the researchers targeted the Avira ServiceHost service, which is the Avira Launcher service, and which is installed first. When started, the process attempts to load a missing library from its own directory.

By placing their own DLL at that location, the researchers were able to execute code within Avira.ServiceHost.exe. The same is possible for the Avira System Speedup, Avira Software Updater, and Avira Optimizer Host processes.
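Both cases leave the same trace for defenders: an unsigned DLL loaded into a SYSTEM process, and in the Avast/AVG case from a folder named System32 that is not the real Windows system directory. The following detection sketch is an added example, not code from SafeBreach or the vendors; it assumes image-load events already parsed into dictionaries with fields modeled on Sysmon Event ID 7, and the `ExampleAV` paths and DLL names are constructed placeholders.

```python
import ntpath

SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed sample events (fields modeled on Sysmon Event ID 7, ImageLoad).
# "ExampleAV" and all DLL names are placeholders, not values from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleAV\ExampleSvc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "User": SYSTEM},
    {"Image": r"C:\Program Files\ExampleAV\ExampleSvc.exe",
     "ImageLoaded": r"C:\Program Files\System32\example.dll",
     "Signed": "false", "User": SYSTEM},
    {"Image": r"C:\Program Files\ExampleAV\ExampleHost.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\example2.dll",
     "Signed": "false", "User": SYSTEM},
    {"Image": r"C:\Users\alice\app.exe",
     "ImageLoaded": r"C:\Users\alice\plugin.dll",
     "Signed": "false", "User": r"DESKTOP\alice"},
]

# Assumes the default %SystemRoot% of C:\Windows.
TRUSTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_DIR_NAMES = {"system32", "syswow64"}


def classify(event):
    """Return the reasons an image-load event resembles DLL hijacking."""
    reasons = []
    dll_dir = ntpath.normcase(ntpath.normpath(ntpath.dirname(event["ImageLoaded"])))
    # A folder called System32/SysWOW64 that is not under %SystemRoot%.
    if ntpath.basename(dll_dir) in SYSTEM_DIR_NAMES and dll_dir not in TRUSTED_SYSTEM_DIRS:
        reasons.append("lookalike-system-dir")
    # Unsigned module mapped into a process running as SYSTEM.
    if event["Signed"].lower() != "true" and event["User"].lower() == SYSTEM.lower():
        reasons.append("unsigned-dll-in-system-process")
    return reasons


def suspicious_loads(events):
    """Return (dll_path, reasons) for every event with at least one reason."""
    return [(e["ImageLoaded"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for path, reasons in suspicious_loads(SAMPLE_EVENTS):
        print(path, reasons)
```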

The researchers reported the vulnerability to Avira on July 22, and the vendor informed them on September 18 that the issue was addressed. MITRE issued CVE-2019-17449 for the vulnerability on October 10.

However, Avira believes the vulnerability would not actually be useful to attackers and it has decided to dispute the CVE.

“The scenario shows that a default OS and product installation would require Administrator privileges to place the malicious DLL File. If one already has admin rights he would gain no new privileges or could simply modify Avira binary or Windows’s to skip all signature checks. So there is no actual privilege escalation,” Avira told SecurityWeek in an emailed comment.

“Avira believes the issue can’t be classified as CVE – therefore, this CVE has already been disputed at MITRE,” the security firm added.

Over the past months, SafeBreach has reported finding similar flaws in software from various vendors, including HP, Dell, Forcepoint, Trend Micro, Bitdefender and Check Point.

*updated with comments and clarifications from Avira

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
