Avast! Denial Of Service / Privilege Escalation
Posted Oct 23, 2009
Authored by ShineShadow

Avast! Professional and Home Editions suffer from local privilege escalation and denial of service vulnerabilities.

tags | advisory, denial of service, local, vulnerability
advisories | CVE-2009-3524
SHA-256 | 145e8181194fe1f5d54f9f1c10b449dbfebded667d0c2c0ee5c02c0b5ceed552

ShineShadow Security Report 22102009-12

TITLE

Avast! Multiple Vulnerabilities

BACKGROUND

Avast! antivirus software represents complete virus protection, offering full desktop security including a resident shield. Daily automatic updates ensure continuous data protection against all types of malware and spyware. Avast! antivirus is certified by both ICSA Labs and West Coast Labs Checkmark.
Avast! Professional Edition 4.8 is a collection of award winning, high-end technologies that work in perfect synergy, having one common goal: to protect your system and valuable data against computer viruses, spyware and rootkits. It represents a best-in-class antivirus solution for any Windows-based workstation.

Source: http://www.avast.com

VULNERABLE PRODUCTS

Vulnerability #1 (CVE-2009-3524)

Avast! Professional Edition <= 4.8.1351
Avast! Home Edition <= 4.8.1351

Vulnerability #2

Avast! Professional Edition <= 4.8.1356
Avast! Home Edition <= 4.8.1356

DETAILS

Avast! installs some program files with insecure permissions. The "Everyone" group has "Full Control" rights to the files and folders under the following path: "%Program Files%\Alwil Software\Avast4\Data". This means that any unprivileged user can modify, delete or change the permissions of any file in the DATA folder. The folder contains data, executable and configuration files. As a result, multiple attack vectors are possible.

Vulnerability #1 Local privilege escalation (CVE-2009-3524)

A local attacker (unprivileged user) can modify the %Program Files%\Alwil Software\Avast4\Data\avast4.ini file. The "ISAPIFilter1" parameter in avast4.ini contains the filename or full path of the ISAPI filter module – originally "ashWsFtr.dll". An attacker can replace the original path with the path to the attacker's malicious dynamic library (DLL). After a restart, the attacker's DLL will be loaded with SYSTEM privileges. This is a local privilege escalation vulnerability.

Vulnerability #2 Denial of Service

A local attacker (unprivileged user) could cause denial of service conditions in Avast! by deleting the %Program Files%\Alwil Software\Avast4\Data\400.vps file. After a system restart, all Avast! modules failed to load.
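
Added example (not part of the original advisory and not vendor code): a PowerShell audit that lists every access rule under the DATA folder granting modify-class rights to Everyone, Authenticated Users or BUILTIN\Users, which is the condition both vulnerabilities depend on. The function name Get-WeakAce and the choice of principals and rights are assumptions of this example.

```powershell
# Added example: list ACEs that let broad, low-privileged groups change
# files under the Avast 4.x Data folder named in the advisory.
param(
    [string]$Path = (Join-Path $env:ProgramFiles 'Alwil Software\Avast4\Data')
)

# Well-known SIDs, so the check also works on localized Windows builds.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow modifying, deleting or re-permissioning an object.
$risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry raw GENERIC_ALL / GENERIC_WRITE bits instead.
$generic = 0x10000000 -bor 0x40000000

# Hypothetical helper: emits one object per risky Allow ACE on $Item.
function Get-WeakAce {
    param([string]$Item)
    $acl = Get-Acl -LiteralPath $Item -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or unresolvable identity
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band ($risky -bor $generic)) -ne 0) {
            [pscustomobject]@{
                Path      = $Item
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Path not found: $Path"
    return
}
# Check the folder itself and everything beneath it, hidden items included.
$items = @($Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })
$items | ForEach-Object { Get-WeakAce -Item $_ } | Format-Table -AutoSize -Wrap
```

An empty result means none of the three groups holds write, delete or permission-change rights anywhere in the tree; the -Path parameter lets the same check run against any other service data directory.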

EXPLOITATION

An attacker must have valid logon credentials to a system where vulnerable software is installed.

WORKAROUND

Vulnerability #1 (CVE-2009-3524)

Alwil Software has addressed this vulnerability by releasing fixed versions of the vulnerable products:
Avast! Professional Edition 4.8.1356
Avast! Home Edition 4.8.1356
More detail: http://www.avast.com/eng/avast-4-home_pro-revision-history.html
The insecure permissions on the DATA folder have not been fixed; the vendor solved the vulnerability by securing the "ISAPIFilter1" parameter.

Vulnerability #2
No workarounds.

Regarding the insecure permissions on the DATA folder, the vendor responded as follows:
"The issue is addressed in the upcoming avast v5.0 (due this November) but there are no plans to do anything about it in the current version (4.x branch)."

DISCLOSURE TIMELINE

25/08/2009 Initial vendor notification. Secure contacts requested.
26/08/2009 Vendor response
27/08/2009 Vulnerability details sent (Vulnerability #1). Confirmation requested. No reply.
01/09/2009 Vulnerability details sent (Vulnerability #1). Confirmation requested.
03/09/2009 Vendor accepted issue for investigation
23/09/2009 Update status query sent to vendor. No reply.
25/09/2009 Vendor released Avast! 4.8.1356. Multiple vulnerabilities have been fixed in this version including Vulnerability #1.
01/10/2009 CVE-2009-3524 has been assigned to Vulnerability #1.
02/10/2009 Vendor has been notified that the Avast! 4.8.1356 fix covers only the described privilege escalation scenario and does not fix the nature of the vulnerability: insecure permissions. As proof, a new attack scenario has been discovered (Vulnerability #2) and the vendor has been notified. No reply.
06/10/2009 Resend notification
06/10/2009 Vendor response regarding insecure permissions: "The issue is addressed in the upcoming avast v5.0 (due this November) but there are no plans to do anything about it in the current version (4.x branch)."
22/10/2009 Advisory released

CREDITS

Maxim A. Kulakov (ShineShadow)
ss_contacts[at]hotmail.com