Security researcher finds multiple glitches in AV engines using custom fuzzer

Jul 28, 2014 09:06 GMT

Using a custom fuzzing suite together with some basic local and remote checks, a security researcher has found numerous vulnerabilities, many of them remotely exploitable, in multiple antivirus products.
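The kind of harness behind a result like this is a mutation fuzzer: take a seed file, corrupt it a little, hand it to the scanner, and record every input that makes the scanner die from a signal or hang. The following is an added example written for this page, not Koret's tool or any vendor's code. The scanner command line (`/opt/av/bin/scanner --scan <file>`) is a hypothetical placeholder, and `ToyTarget` is a stand-in used only so the block runs without a real engine:

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/rand"
	"os"
	"os/exec"
	"syscall"
	"time"
)

// Mutate returns a copy of in with one random mutation applied: a bit flip,
// a byte overwrite, a byte insertion or a byte deletion. A seeded rng makes
// a run reproducible, which matters when a crash has to be re-triggered.
func Mutate(in []byte, rng *rand.Rand) []byte {
	out := append([]byte(nil), in...)
	if len(out) == 0 {
		return []byte{byte(rng.Intn(256))}
	}
	switch rng.Intn(4) {
	case 0:
		out[rng.Intn(len(out))] ^= byte(1) << uint(rng.Intn(8))
	case 1:
		out[rng.Intn(len(out))] = byte(rng.Intn(256))
	case 2:
		i := rng.Intn(len(out) + 1)
		out = append(out[:i], append([]byte{byte(rng.Intn(256))}, out[i:]...)...)
	case 3:
		if len(out) > 1 {
			i := rng.Intn(len(out))
			out = append(out[:i], out[i+1:]...)
		}
	}
	return out
}

// Crashed reports whether a finished process was killed by a signal
// (SIGSEGV, SIGABRT, ...), which is this fuzzer's definition of a crash.
func Crashed(err error) bool {
	var ee *exec.ExitError
	if !errors.As(err, &ee) {
		return false
	}
	ws, ok := ee.Sys().(syscall.WaitStatus)
	return ok && ws.Signaled()
}

// RunScanner writes input to a temp file and runs the scanner command on it.
// A crash (signal death) and a hang (timeout) are reported separately; a
// plain non-zero exit such as "file is infected" is neither.
func RunScanner(scanner []string, input []byte, timeout time.Duration) (crashed, hung bool, err error) {
	f, err := os.CreateTemp("", "fuzz-*.bin")
	if err != nil {
		return false, false, err
	}
	defer os.Remove(f.Name())
	if _, err := f.Write(input); err != nil {
		f.Close()
		return false, false, err
	}
	f.Close()
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	args := append(append([]string{}, scanner[1:]...), f.Name())
	runErr := exec.CommandContext(ctx, scanner[0], args...).Run()
	if ctx.Err() == context.DeadlineExceeded {
		return false, true, nil
	}
	return Crashed(runErr), false, nil
}

// Fuzz feeds n mutants of seed (each carrying one to four stacked mutations)
// to oracle, which returns true when the target crashed, and returns the
// crashing inputs for triage.
func Fuzz(seed []byte, n int, rngSeed int64, oracle func([]byte) bool) [][]byte {
	rng := rand.New(rand.NewSource(rngSeed))
	var crashes [][]byte
	for i := 0; i < n; i++ {
		in := seed
		for k := 1 + rng.Intn(4); k > 0; k-- {
			in = Mutate(in, rng)
		}
		if oracle(in) {
			crashes = append(crashes, in)
		}
	}
	return crashes
}

// ToyTarget stands in for a scanner when none is given: it "crashes" on any
// byte with the high bit set, which the ASCII seed below never contains.
func ToyTarget(in []byte) bool {
	for _, b := range in {
		if b >= 0x80 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: a ZIP-like local header so mutants stay close to a
	// format the engine's archive parser will actually try to handle.
	seed := []byte("PK\x03\x04" + "constructed seed payload for the fuzzer")
	oracle := ToyTarget
	if len(os.Args) > 1 { // hypothetical usage: ./fuzz /opt/av/bin/scanner --scan
		oracle = func(in []byte) bool {
			crashed, hung, err := RunScanner(os.Args[1:], in, 10*time.Second)
			return err == nil && (crashed || hung) // hangs are worth triage too
		}
	}
	crashes := Fuzz(seed, 2000, 1, oracle)
	fmt.Printf("%d crashing inputs\n", len(crashes))
	for i, c := range crashes {
		if i < 3 {
			fmt.Printf("  %q\n", c)
		}
	}
}
```

Against a real engine the oracle is `RunScanner` and the seed set should be one valid sample per container format the engine unpacks (ZIP, RAR, PE, PDF and so on), since each parser is its own attack surface; the fixed RNG seed lets a crash be reproduced by re-running the same iteration.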

He showed that the protections built into these products can be bypassed like those of any other software, and that the products themselves add entry points into the system.

Joxean Koret of Coseinc, a Singapore-based company that offers information security services, explained how software designed to protect users from malware in fact hands attackers additional attack vectors that can be used to gain access to a victim's system.

Because most antivirus products are trusted by default and run with the highest privileges on the machine (typically SYSTEM on Windows or root on Linux), an attacker who finds and exploits a bug in one of them inherits those same privileges on the affected system.

At the SyScan 360 security conference in Beijing, Koret gave a simple example: “most antivirus engines update via HTTP only protocols.”

With a man-in-the-middle (MitM) attack, “one can install new files and/or replace existing installation files,” which “often translates in completely owning the machine with the AV engine installed as updates are not commonly signed.” Moving the download to HTTPS does not by itself close this hole; what the client needs is a signature on each update, checked against a key it already holds, before anything is written to disk.
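What a signed update check looks like, as an added example for this page rather than any vendor's update mechanism. The manifest format (one `name sha256 version` line per component), the component names and the update bytes are all constructed for the demo; the vendor's release system signs the manifest with an Ed25519 private key, and the client verifies it with a public key pinned in the installed product, so an attacker on a plain-HTTP download path can swap bytes but cannot get them accepted:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// BuildManifest renders the hypothetical manifest: one line per component,
// "<name> <sha256-hex> <version>", in sorted order so the signed bytes are
// reproducible.
func BuildManifest(files map[string][]byte, version string) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&sb, "%s %s %s\n", n, hex.EncodeToString(sum[:]), version)
	}
	return []byte(sb.String())
}

// SignManifest is the vendor-side step, run on the release system that holds
// the private key. Only the manifest is signed; every payload is bound to it
// through its hash.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client-side step: check the manifest signature against
// the pinned public key, then check the downloaded payload against the hash
// the signed manifest lists for that component. Any failure aborts the update.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig []byte, component string, payload []byte) error {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	want := ""
	for _, line := range strings.Split(string(manifest), "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == component {
			want = f[1]
		}
	}
	if want == "" {
		return fmt.Errorf("component %q not listed in signed manifest", component)
	}
	got := sha256.Sum256(payload)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("payload hash mismatch for %q: refusing update", component)
	}
	return nil
}

func main() {
	// Vendor side (constructed data): generate a key pair and sign a manifest.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	engine := []byte("constructed engine.so bytes, version 2.0")
	manifest := BuildManifest(map[string][]byte{"engine.so": engine}, "2.0")
	sig := SignManifest(priv, manifest)

	// Client side: the genuine update passes.
	fmt.Println("genuine update:", VerifyUpdate(pub, manifest, sig, "engine.so", engine))

	// MitM case 1: the attacker replaces only the payload on the wire.
	evil := []byte("attacker-supplied engine.so")
	fmt.Println("swapped payload:", VerifyUpdate(pub, manifest, sig, "engine.so", evil))

	// MitM case 2: the attacker also rewrites the manifest to match the new
	// hash, but without the private key can only replay the old signature.
	evilManifest := BuildManifest(map[string][]byte{"engine.so": evil}, "2.0")
	fmt.Println("swapped manifest:", VerifyUpdate(pub, evilManifest, sig, "engine.so", evil))
}
```

The version field in the manifest is there so the client can also refuse a replayed, older but genuinely signed manifest (a downgrade), which a signature check alone does not prevent.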

The researcher lists some of the vulnerabilities he found when running his tools against well-known antivirus products: heap overflows, integer overflows, command injection, local privilege escalation, and a number of bugs reachable remotely.

The products in which he found one or more of these bugs include Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda, and eScan.

Koret said he obtained the antivirus (AV) engines, the core of each product, by downloading the Linux versions where a vendor ships one. “The core is always the same with the only exception of some heuristic engines,” he explains. For the Windows-only engines he resorted to some special methods to get them running on Linux.

It also turns out that although the core engine binaries are built with ASLR support (position-independent code, so the loader can randomize their base address), other parts of the products, such as the graphical user interface and some libraries, are not, which leaves an attacker with code at known addresses.

Under certain conditions, such as when the built-in emulator is used, some of the engines also create RWX (read/write/execute) pages at fixed addresses and effectively disable DEP (data execution prevention), so in those regions neither mitigation needs to be bypassed at all.
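Both findings can be checked on a running engine from the outside. The following is an added example for this page, not anything from Koret's slides: it parses `/proc/<pid>/maps` (the excerpt below is constructed, not captured from any product) to list regions that are writable and executable at the same time, flags executable file mappings sitting at the classic non-PIE load addresses, and checks an ELF on disk directly for whether it was linked position-independent. The paths `/opt/av/bin/avgui` and `/opt/av/lib/libengine.so` are placeholders:

```go
package main

import (
	"bufio"
	"debug/elf"
	"fmt"
	"strconv"
	"strings"
)

// Mapping is one line of /proc/<pid>/maps.
type Mapping struct {
	Start, End uint64
	Perms      string // e.g. "r-xp"
	Path       string // file, [heap], [stack], or "" for anonymous memory
}

// ParseMaps parses /proc/<pid>/maps text: "start-end perms offset dev inode [path]".
func ParseMaps(text string) []Mapping {
	var out []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue
		}
		rng := strings.SplitN(f[0], "-", 2)
		if len(rng) != 2 {
			continue
		}
		start, err1 := strconv.ParseUint(rng[0], 16, 64)
		end, err2 := strconv.ParseUint(rng[1], 16, 64)
		if err1 != nil || err2 != nil {
			continue
		}
		m := Mapping{Start: start, End: end, Perms: f[1]}
		if len(f) >= 6 {
			m.Path = f[5]
		}
		out = append(out, m)
	}
	return out
}

func (m Mapping) Writable() bool   { return len(m.Perms) > 1 && m.Perms[1] == 'w' }
func (m Mapping) Executable() bool { return len(m.Perms) > 2 && m.Perms[2] == 'x' }

// RWXMappings returns regions that are both writable and executable, i.e.
// memory where DEP is not in effect and injected code can run in place.
func RWXMappings(maps []Mapping) []Mapping {
	var out []Mapping
	for _, m := range maps {
		if m.Writable() && m.Executable() {
			out = append(out, m)
		}
	}
	return out
}

// FixedAddressExecutables flags executable file mappings at the classic
// non-PIE load addresses (0x400000 on x86-64, 0x8048000 on i386): a sign the
// binary was not built for ASLR and exposes gadgets at known addresses.
func FixedAddressExecutables(maps []Mapping) []Mapping {
	var out []Mapping
	for _, m := range maps {
		if m.Executable() && m.Path != "" && (m.Start == 0x400000 || m.Start == 0x8048000) {
			out = append(out, m)
		}
	}
	return out
}

// IsPIE checks a main executable on disk: only an ET_DYN image can be
// relocated by the loader, so an ET_EXEC binary never gets a randomized base.
func IsPIE(path string) (bool, error) {
	f, err := elf.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	return f.Type == elf.ET_DYN, nil
}

// SampleMaps is a constructed /proc/<pid>/maps excerpt for the demo.
const SampleMaps = `00400000-00452000 r-xp 00000000 08:01 1234       /opt/av/bin/avgui
00651000-00652000 rw-p 00051000 08:01 1234       /opt/av/bin/avgui
01234000-01255000 rw-p 00000000 00:00 0          [heap]
10000000-10400000 rwxp 00000000 00:00 0
7f3a2d8c1000-7f3a2da62000 r-xp 00000000 08:01 5678       /opt/av/lib/libengine.so
7ffd4b7e5000-7ffd4b806000 rw-p 00000000 00:00 0          [stack]
`

func main() {
	maps := ParseMaps(SampleMaps)
	for _, m := range RWXMappings(maps) {
		fmt.Printf("RWX region %012x-%012x %s %s\n", m.Start, m.End, m.Perms, m.Path)
	}
	for _, m := range FixedAddressExecutables(maps) {
		fmt.Printf("fixed-address executable at %012x: %s\n", m.Start, m.Path)
	}
}
```

On a live system, read `/proc/<pid>/maps` of the scanning service while it processes an archive that triggers the emulator, and run `IsPIE` over every executable the product installs; shared libraries are always ET_DYN, so for those the question is only whether they are loaded into a process whose main binary is randomized.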

One compromise scenario from the conference slides: an attacker sends a ZIP archive containing an exploit, crafted so that the engine has to run it through its emulator.

From there, a memory leak (an information-disclosure bug) in the emulator, or any of the other vulnerabilities found, would give the attacker code execution at the engine's privilege level.

The conclusions are grim for both users and developers of antivirus software, but it is the latter who have to take the necessary steps: sign and verify updates, build every component with current exploit mitigations, and bring their code bases up to present-day standards, in order to keep customers' trust and stay ahead of cybercriminals.