Advisory : [TZO-2009-2]-Avira Antivir - Priviledge escalation
| 0 comments ]

Reference : [TZO-2009-2]-Avira Antivir
Product :

  • Avira Antivr
  • Avira AntiVir Premium
  • Avira Premium Security Suite
  • Avira AntiVir Professional
    Vendor : http://www.avira.de


    I. Background
    Avira AntiVir is a reliable free antivirus solution, that constantly and rapidly scans your computer for malicious programs such as viruses, Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors every action executed by the user or the operating system and reacts promptly when a malicious program is detected.

    The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at their main office in Tettnang near Lake Constance and is one of
    the largest employers in the region. There are around 250 people employed worldwide whose commitment is continually being confirmed by awards. A significant contribution to protection is the Avira AntiVir Personal which is being used by private users a million times over.

    AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008




    II. Description
    No funky IOCTL just a plain unsafe call to CreateProcess().In detail, the scheduler (sched. exe) running with SYSTEM privileges calls the CreateProcess() API without enclosing lpCommandLine in quotes to regularly shell avwsc.exe

    Calling an executable with a path has spaces in it and not using quotes will trigger windows to search for the executable in various areas.

    Calling for instance -

    CreateProcess(
    NULL,
    c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe,
    ...
    );


    will first look for
  • c:\program.exe
    and then
  • c:\program files\avira\antivir.exe

    This is documented and intended behaviour as can be seen at :
    http://msdn.microsoft.com/en-us/library/ms682425.aspx

    Quoting ms682425.aspx :
    The lpApplicationName parameter can be NULL. In that case, the module name must be the first white space–delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to
    indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:


    c:\program.exe files\sub dir\program name, c:\program files\sub.exe dir\program name
    c:\program files\sub dir\program.exe name, c:\program files\sub dir\program name.exe

    Pre-conditions for a CreateProcess() call to be insecure :
    - lpApplicationName contains a NULL
    - the path in lpCommandLine contains white space
    - the path in lpCommandLine is not enclosed in quotation marks

    III. Impact
    - Elevation of privileges to SYSTEM is possible by writing the payload to c:\program files\avira\antivir.exe
    - Autostart vector - The payload will be executed even after a reboot

    IV. Disclosure Timeline
  • 28/09/2008 : Contacted and send bug report to Avira
  • 28/09/2008 : Avira acknowledges receipt
  • 01/10/2008 : Avira notifies me that the issue will be fixed
    with there next Emergency Update (EU2)
  • 24/10/2008 : Avira releases update
  • 15/01/2009 : Release of this advisory


    References :
  • [1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
  • [2] CreateProcess() - http://msdn.microsoft.com/en-us/library/ms682425.aspx
  • [3] Book: Fuzzing - Brute force vulnerability discovery
  • [4] Loadlibrary() - http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx
    If the string does not specify a path, the function uses a
    standard search strategy to find the file.



    • 0 comments

    Post a Comment