<<< Date Index >>>     <<< Thread Index >>>

[TZO-2009-2] Avira Antivir - Priviledge escalation



___________________________________________________________________

From  the 'cover-your-basics' and from the 'they-still-exist-department'
   Antivir insecure CreateProcess() usage - Privilege Esclation
                 and autostart as free bonus
___________________________________________________________________

Reference     : [TZO-2009-2]-Avira Antivir Priviledge escalation
WWW           : 
http://blog.zoller.lu/2009/01/tzo-2009-2-avira-antivir-priviledge.html
Product       : AV7/AV8 desktop products :
                - Avira AntiVir Premium
                - Avira Premium Security Suite
                - Avira AntiVir Professional
Vendor        : http://www.avira.de


I. Background
~~~~~~~~~~~~~
Avira AntiVir is a reliable  free  antivirus  solution,   that
constantly and  rapidly  scans  your  computer  for  malicious
programs such as viruses, Trojans, backdoor programs,  hoaxes,
worms, dialers etc. Monitors  every  action  executed  by  the
user or the  operating  system  and  reacts  promptly  when  a
malicious program is detected.

The  protection  experts  have  numerous  company    locations
throughout  Germany  and  cultivate  partnerships  in  Europe,
Asia and America. Avira has more than 180 employees  at  their
main office in Tettnang near Lake  Constance  and  is  one  of
the largest employers in the region.   There  are  around  250
people employed  worldwide  whose  commitment  is  continually
being confirmed by  awards.   A  significant  contribution  to
protection is the Avira AntiVir Personal which is  being  used
by private users a million times over.

AV-Comparatives e.V. have  chosen  Avira  AntiVir  Premium  as
the best anti-virus solution of 2008 


II. Description
~~~~~~~~~~~~~~~
No funky IOCTL just a plain unsafe  call  to  CreateProcess().
In detail, the  scheduler  (sched. exe)  running  with  SYSTEM
privileges calls the  CreateProcess()  API  without  enclosing
lpCommandLine  in  quotes  to  _regularly_  shell   avwsc.exe

Calling an executable with a path has spaces  in  it  and  not
using  quotes  will  trigger  windows  to  search   for    the
executable in various areas.

Calling for instance -  

 CreateProcess(
  NULL,
  c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe,
  ...
  );
   
will first look for
c:\program.exe
and then
c:\program files\avira\antivir.exe

This is documented and intended behaviour as can be seen at : 
http://msdn.microsoft.com/en-us/library/ms682425.aspx

Quoting ms682425.aspx : 
The lpApplicationName parameter can be NULL. In that case,  
the module  name  must  be  the  first  white  space–delimited
token in the lpCommandLine string. If you  are  using  a  long
file name that  contains  a  space,   use  quoted  strings  to
indicate where the file name ends  and  the  arguments  begin;
otherwise, the file name is ambiguous. For example,   consider
the string  "c:\program  files\sub  dir\program  name".   This
string can be interpreted in a number  of  ways.   The  system
tries to interpret the possibilities in the  following  order:


c:\program.exe files\sub dir\program name, c:\program files\sub.exe dir\program 
name
c:\program files\sub dir\program.exe name, c:\program files\sub dir\program 
name.exe 

Pre-conditions for a CreateProcess() call to be insecure :
- lpApplicationName contains a NULL 
- the path in lpCommandLine cotains white space 
- the path in lpCommandLine is not enclosed in quotation marks

III. Impact
~~~~~~~~~~~
- Elevation of privileges from USER to SYSTEM  is  possible  
by  writing the payload  to c:\program files\avira\antivir.exe    
- Autostart vector - The payload will be executed even  after 
a reboot

IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
28/09/2008 : Contacted and send bug report to Avira
28/09/2008 : Avira acknowledges receipt
01/10/2008 : Avira notifies me that the issue will be fixed 
             with there next Emergency Update (EU2)
24/10/2008 : The update is pushed to customers
24/10/2008 : Avira notifies me that credits have been posted 
here: http://www1.avira.com/en/support/faq/details.html?id=419             
15/01/2009 : Release of this advisory


References :
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] CreateProcess() - http://msdn.microsoft.com/en-us/library/ms682425.aspx
[3] Book: Fuzzing - Brute force vulnerability discovery
[4] Loadlibrary() -  
http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx
If the string does not specify a path, the function uses a standard search 
strategy to find the file.