Experts discovered DLL Hijacking issues in Avast, AVG and Avira

SafeBreach Labs security experts discovered weaknesses in Avast, AVG and Avira antivirus that could be exploited by hackers to load a malicious DLL file to bypass defenses and increase privileges.

A vulnerability in all versions of Avast Antivirus and AVG Antivirus, detected as CVE-2019-17093, could exploit one hacker with administrative privileges to bypass security defenses, escalate privileges and invade, says SafeBreach Labs analysis. "In particular, we will show that it was possible to load an arbitrary unsigned DLL into multiple processes running as NT AUTHORITYSYSTEM, even using Protected Process Light (PPL). ”


The hacker could trigger the issue to load a malicious DLL that is not signed in many processes running as NT AUTHORITYSYSTEM.

Experts have found that AVGSvc.exe, a defective AM-PPL, works as a signed procedure and as NT AUTHORITYSYSTEM, and tries to load wbemcomn.dll first from the C: WindowsSystem32wbemwbw folder. dll. Experts pointed out that the library is not in the above folder, but is stored in the System32 folder.

Antivirus implements a self-defense mechanism that prevents malicious code from writing and implanting a DLL in its folders.

The self-defense mechanism is bypassed by writing a DLL file to an unprotected one envelope from which is loaded application.

"If we can implant an unsigned DLL in an unprotected folder, this can lead to a self-defense bypass," the expert continued.

“Loading code that is not signed into an AM-PPL is generally not allowed because of the code integrity mechanism. Any DLL that is not Windows loaded in the protected procedure must be signed with the appropriate certificate.

SafeBreach Labs experts combined an unsigned proxy DLL from the original wbemcomn.dll file and then placed the DLL in C: Program FilesSystem32, allowing it to load it with SYSTEM permissions.

The vulnerability affects all versions of Avast Antivirus and AVG Antivirus under the 19.8 version. AVG is a subsidiary of Avast, and the company has released updates security to address the defect on 26 September.

Experts have found a similar vulnerability in Avira Antivirus 2019 that was detected as CVE-2019-17449.

"The CVE-2019-17449 vulnerability could be used to mitigate defense, persistence and privilege escalation by loading an arbitrary unregistered DLL into multiple signed procedures that act as NT AUTHORITYSYSTEM," the report states. .

“To take advantage of this vulnerability, the attacker must have administrator rights. "

Experts targeted Avira Launcher, an Avira ServiceHost service. The researchers were able to execute code inside Avira.ServiceHost.exe by storing a specially designed DLL. The same issue affects Avira Speedup, Avira Software Updater and Avira Optimizer processes.

“There is no digital validation certificate against this particular binary. The program validates if the different DLL files they are loading are signed, but when it imports the Wintrust.dll library, it does not validate it (because it is based on the WinVerifyTrust function that is inside the DLL and has not yet been loaded). Therefore, it can load an arbitrary unsigned DLL, it continues the analysis.

“AV does not have self-protection for the Launcher folder. As I mentioned earlier, various AVs protect their own folders of this kind attack using a mini guide restricting any changes to the AV directory. “