SEC Consult Vulnerability Lab Security Advisory < 20140508-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: AVG Remote Administration
vulnerable version: all - except issue #2
fixed version: none - except issue #2
impact: critical
homepage: http://www.avg.com
found: 2013-12-07
by: Stefan Viehbck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"AVG Remote Administration" allows the network administrator to remotely
install, update, and configure AVG across the computer network."
Source:
http://www.avg.com/eu-en/product-avg-admin
http://www.avg.com/us-en/faq.num-5307
Technology description:
--------------------
AVG Remote Administration consists of several components:
- AVG Admin Server (central server, listens on TCP port 4158)
- AVG Admin Console (fat client for administration)
- AVG AntiVirus, Internet Security etc. (managed endpoints)
The Admin Console and the AVG products on endpoints connect to TCP port 4158 on
the Admin Server using the same protocol.
Business recommendation:
------------------------
Attackers are able to completely compromise the AVG Admin Server
system as they can gain full access at the application and system level.
Attackers can manage endpoints and possibly deploy attacker-controlled code on
endpoints.
Furthermore endpoints can be tricked into communicating with rogue AVG
Administration Servers.
All vulnerabilities are based on severe design flaws in the application as well
as the proprietary protocol. It is highly recommended by SEC Consult not to
use this software until a thorough security review has been performed by
security professionals and all identified issues have been resolved.
It is assumed that even more critical vulnerabilities exist.
Vulnerability overview/description:
-----------------------------------
1) Authentication bypass / Missing authentication
The authentication checks for access via the AVG Admin Console (=fat client)
are done on the client side. The AVG Admin Server sends a list of valid
usernames/password hashes to AVG Admin Console. As the Admin Console is
controlled by the client, authentication can easily be bypassed.
Attackers can connect to the AVG Admin Server and manage clients just like a
legitimate administrator with full privileges using a modified version (checks
removed using binary patch) of AVG Admin Console.
2) Remote code execution
Attackers are able to set arbitrary configuration settings for the AVG
Administration Server. Due to insufficient input validation an attacker can
set the value of a parameter to a UNC path. This path is passed to the Windows
API LoadLibrary() function. This enables an attacker to provide arbitrary .dlls
via network shares which are then executed.
This provides an attacker full access on the operating system as the AVG Admin
Server runs as SYSTEM.
As the protocol is tunneled via HTTP, this attack is possible via CSRF as well.
3) Missing entity authentication
The used protocol does not provide any functionality to verify the identity
of communication partners. This allows attackers to pose as an AVG endpoint,
or act as a rogue AVG Admin Server for an endpoint. Attackers can manage
clients just like a legitimate administrator.
4) Use of static encryption keys and insecure modes of operation
The protocol level encryption is based on the (symmetric) block cipher
Blowfish. Hardcoded encryption keys are used by the client as well as the
server for message encryption.
This allows an attacker to decrypt and modify the messages.
The Blowfish cipher is used in the electronic codebook (ECB) which enables
some other attacks. However these attacks are not really relevant at this
point as the encryption keys are known anyway.
Proof of concept:
-----------------
1) Authentication bypass
This vulnerability was verified using a binary patch for AVG Admin Console.
Only 3 bytes were changed in the Admin Console binary.
Note: This vulnerability might allow direct attacks against clients hence a
proof of concept exploit has been removed.
A video demonstrating this issue has been released by SEC Consult:
https://www.youtube.com/watch?v=exiLSy1oo3I
2) Remote code execution
The parameter ClientLibraryName can be set via the StoreServerConfig command
(command id 0x27). The provided value can be a path to a network share
containing a malicious .dll file. This .dll file will be executed in the
context of the AVG Admin Server service which runs as SYSTEM.
3) Missing entity authentication
Attackers can pose as a legitimate AVG Administration Server by responding
to NBNS queries for the AVG Admin Server hostname or using various
other techniques (eg. MITM attacks).
Note: This vulnerability might allow direct attacks against clients hence a
proof of concept exploit has been removed.
A video demonstrating this issue has been released by SEC Consult:
https://www.youtube.com/watch?v=XYvtwc10dLc
4) Use of static encryption keys and insecure modes of operation
The protocol messages can be encrypted and decrypted using the following python
code:
from Crypto.Cipher import Blowfish
key='\xA1\x45\xF0\x09\xEA\x7E\x4B\x98\x46\x7A\xEA\xD0\xF4\x6C\xAB\x87\x00\x00\x00\x00\x00\x00\x00\x00'
cipher = Blowfish.new(key)
def swapendian(s):
res=[]
dwords = [s[i:i+4] for i in range(0, len(s), 4)]
res = [dword[::-1] for dword in dwords]
return ''.join(res)
def avg_encrypt(plaintext):
if len(plaintext)%8!=0:
plaintext+='\x00'*(8-len(plaintext)%8)
return swapendian(cipher.encrypt(swapendian(plaintext)))
def avg_decrypt(ciphertext):
if len(ciphertext)%8!=0:
return 'DECRYPTION ERROR'
return swapendian(cipher.decrypt(swapendian(ciphertext)))
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in AVG Admin Server version
13.0.0.2892, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2014-01-15: Contacting AVG via online support form and requesting security
contact.
2014-01-15: Support forwards us to "Jrgen Jakob Software-Entwicklung, AVG
Authorized Distributor" (sales representative!)
2014-01-21: AVG support requests technical information.
2014-01-22: Requesting contact to discuss security issues.
2014-01-29: Requesting contact to discuss security issues (2nd try).
2014-02-10: Requesting contact to discuss security issues (3rd try).
2014-02-12: AVG support explains lack of response because they were
"experiencing a higher than usual volume of e-mail messages from
customers" and requests technical information.
2014-02-24: Requesting encryption keys (S/MIME or PGP).
2014-03-05: Requesting encryption keys (2nd try). Announcing that advisory will
be sent via plaintext if no keys are provided.
2014-03-11: (No response) Sending security advisory and responsible disclosure
policy as plaintext. Setting deadline to 2014-04-30.
2014-03-11: Opening a new ticket - referring to previous ticket, advisory and
proof of concept exploits.
2014-03-31: (No response) Contacting AVG CTO via LinkedIn, referring to
previous tickets and requesting encryption key.
2014-03-31: CTO responds, provides encryption key.
2014-03-31: Sending advisory and responsible disclosure via encrypted channel.
2014-04-04: CTO responds with AVG risk assessment:
#1 low risk "This is by design"
#2 high risk
#3 medium risk "This attack is difficult to set up"
#4 low risk "The cipher is used here just for the obfuscation of
the traffic, it was not meant to protect any private
data"
CTO further mentions that Remote Administration is "no longer
available for sale for new customers" - this was never substantiated!
Even the FAQ on the website says differently:
http://www.avg.com/us-en/faq.num-5125
2014-04-25: Shifting release deadline to 2014-05-08.
2014-04-28: CTO responds, announcing that patch for remote code execution
(issue #2) will be released on 2014-04-29.
2014-05-06: Requesting confirmation that only remote code execution will be
fixed.
2014-05-06: CTO confirms that only remote code execution is fixed.
2014-05-08: SEC Consult releases security advisory & proof of concept videos.
Solution:
---------
AVG has _only_ patched the remote code execution vulnerability (issue #2).
The patched version (2013.0.2895) is available via:
http://download.avg.com/filedir/inst/avg_rad_x86_all_2013_2895.exe
http://download.avg.com/filedir/inst/avg_rad_x64_all_2013_2895.exe
There is no solution/patch for the remaining, critical vulnerabilities!
Workaround:
-----------
The workaround is to disable AVG Remote Administration entirely. This requires
the shutdown of the AVG Admin Server and the deactivation of the Remote
Administration feature in all clients.
Of course all the central management/reporting/update functionality provided by
AVG Remote Administration is now not available any more.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Stefan Viehbck / @2014