How Vulnerable Are Your Security Products ! : iViZ Discovers

Security Tools are supposed to prevent attacks. Can the same tool be a door for hackers? Can your shield become the attacker's arrow?

tech insight
(In)Security in Security Products Part-1
infosecurity | march 2009 | a fanatic media publication

Security tools are supposed to prevent attacks. Can the same tool be a door for hackers? Can your shield become the attacker's arrow? This three-part series discusses how security products themselves could turn out to be a threat, and the measures to be taken to stay safe.

With rising numbers of security incidents, more people are using security software like antivirus, firewalls, anti-spyware etc. They are meant to protect users from common security attacks and vulnerabilities. Ironically, however, the rising popularity of such software is luring attackers to target the security software itself as a means to break into a system. Imagine this situation: you are running a secure system with antivirus and other necessary software running on it. You assume that you are safe from the latest threats. But what if the antivirus itself is vulnerable? It means that when a hacker exploits the vulnerability in your security software, he has complete access to your system! In early 2004, a vulnerability in a product of Internet Security Systems (ISS) resulted in a major worm outbreak. The worm, known as the "Witty worm", leveraged the ISS firewalls and reportedly infected thousands of PCs worldwide.

According to the latest Symantec Global Internet Security Threat Report, 205 vulnerabilities in security products were discovered in the year 2007. During the period July to December 2007, a total of 92 vulnerabilities were discovered, of which 16% were high severity threats, 30% were medium and 32% were low. Interestingly, the majority of the vulnerabilities actually affected anti-virus products.

Why is vulnerability research getting more focused on security products?
It is interesting to see that vulnerability researchers and hackers are gradually shifting their focus towards the security vendors. There are several reasons behind such a shift:
Operating systems are gradually getting more secure: Operating systems like Windows, which had been the favourite target of hackers and security researchers, have improved their security significantly compared to before. This makes it difficult to find flaws in the operating systems, and hence the ROI of security research in this area is diminishing.

Security products are easy targets: Security products are yet to face the massive public and press scrutiny that Microsoft faced at one point of time. Firewalls and antivirus are commonly present in most systems today, which makes them interesting for hackers. Often it is easier to break a security product which is less audited than to break an operating system like Windows, which has been facing attacks for years and hence is heavily audited.

Security vendors conducting research on competing products: Interestingly, the Global Internet Security Threat Report Vol XIII by Symantec points out that it is not uncommon for security vendors to conduct research on competing products. This competition will potentially benefit users in the long run and also enhance the security of the security products themselves.

Evolution of Responsible Vulnerability Disclosure: The industry promotes responsible vulnerability disclosure, by which a security researcher discloses the vulnerabilities to the vendor and helps them fix them before going public. This process has helped in the evolution of an ethical and responsible way to conduct vulnerability research, and has thus encouraged more independent researchers and security companies to contribute to vulnerability discovery.

Vulnerabilities in Antivirus Products
Antivirus products have always been a favourite target of hackers and security researchers. There are several sources where one can find the details of such public vulnerabilities; some of them include OSVDB, ICAT and Secunia. Dancho Danchev, an independent security consultant and cyber threats analyst, points out in his ZDNet post that "between 2002 and 2005 there were 50 advisories regarding vulnerabilities affecting antivirus products, but between 2005 and 2007, there's been an increase of 240% with 170 advisories. Moreover, according to a research paper by Feng Xue, presented at this year's Blackhat Europe, according to the U.S. national vulnerability database, 165 vulnerabilities within antivirus products have been reported during the last 4 years."

Case Study on how iViZ broke multiple Antivirus
We are presenting a case study of vulnerability research conducted by iViZ, which provides the software-as-a-service based "On Demand Penetration Testing" solution for applications, networks and compliance. While conducting vulnerability research to improve upon different existing security techniques, the iViZ security research team discovered that in certain scenarios some antivirus software behaved in a way which is not normal. The research results were first provided to the vendors as per "Responsible Vulnerability Disclosure". The vendors were given adequate time to release patches before the public disclosure.

The research finally resulted in the discovery of six new vulnerabilities in the antivirus products of AVG, Sophos, F-Prot, avast!, BitDefender and ClamAV.

How was the research conducted?

Test Preparation
The antivirus security testing was conducted on a Linux based operating system. The test subjects were all antivirus software compiled natively to run on a Linux 2.6 kernel.

Almost all popular and modern antivirus software unpacks packed executables first, before attempting to match possible malicious signatures against the given binary executable. There are many public packers available, like UPX, FSG, Armadillo, ASProtect etc., for which both the packing and unpacking algorithms are known, but implementing such an unpacker is non-trivial and error prone if it is not handled correctly and securely.

The testing methodology involved fuzzing various binary executable header fields with the intention of hitting possible bugs (particularly integer overflows/underflows, buffer overruns, NULL pointer dereferences etc.) in the AV's executable processing code. The testing scripts generated a huge number of packed/non-packed ELF/PE binaries with corrupted or malformed executable headers, particularly the Program Header and the Section Headers of the sample ELF binary fed as input to our scripts.

In order to process an ELF binary successfully, various memory allocations need to be done for the different sections of the binary. The amount of memory required for storing the different sections is given in the Program Header and Section Headers, and hence these are user-controlled data fields which can be manipulated before the binary is fed into a given antivirus or any other program that processes such binaries. If the program processing such a malformed executable does not verify these inputs correctly and securely before processing, there can be vulnerabilities like buffer overflows (small allocation, big copy), integer overflows (signed/unsigned comparison or cast) etc. Note that a scanner's parser and the kernel's ELF loader need not agree on which header values are tolerable, so a file can remain executable while still crashing the scanner. During the research conducted by iViZ, multiple such issues resulting in memory corruption, NULL pointer dereferences etc. were found.

Test Execution: Fuzzing
Fuzzing is a software testing technique used to find out when a program crashes by providing random or heuristic based inputs to it. The fuzzing methodology used by the iViZ research team was based on collecting a good number of both packed and non-packed sample executables and shared library files, which were fed into "format aware" tools and scripts for alteration of critical information in the header of the input sample executable.

Broadly, the fuzzing tool set consisted of the following:
• File Format Identifier
• File Format Parser Library
• Fuzzing Libraries
  o Bit Alteration
  o Byte Alteration
  o Byte Replacement with [0x00, 0x01, 0x80, 0xff, 0xfe] etc.
• Test Execution Tool

The fuzz testing methodology can be summarized as follows:
• Collection of a large number of sample executables in both PE and ELF format.
• Packing of each executable using multiple publicly available packers like ASProtect, UPX, Armadillo etc.
• Feeding each packed and non-packed executable to the file fuzzing tools, which identify the file format and packer and generate fuzzed executables from the input samples.
• Execution of each AV under test, with the appropriate parameters, to scan the generated fuzzed binaries under close monitoring for detection of possible runtime exceptions.

Analysis: Bug Hunting
The process of analyzing possible crashes found during the fuzz testing involves reproducing the fault in the given application with the given input while it is being traced by a debugger. In most cases the debugger can report the type of the fault, i.e. whether it is a NULL pointer dereference, an access violation caused by the program trying to access unmapped memory, etc. But in order to find out the actual cause of the problem corresponding to the crafted input, and hence truly ascertain the security impact of the bug, a considerable amount of debugging and reverse engineering effort is required.

The process of reverse engineering and debugging is particularly harder in the case of closed source commercial AV applications because of the unavailability of source code or even debugging symbols. To address this problem, iViZ internally developed a tool which can identify calls to libc functions even in a stripped executable and re-create the symbol table in the executable.

The methodology followed for bug analysis can be summarized as follows:
• Crash location using a debugger and backtrace recording.
• Symbol table reconstruction of the binary using iViZ's internally developed tools, in case the tested AV is a closed source commercial one.
• Reverse engineering and analysis of the AV executable functions obtained from the crash backtrace.
• Proof of concept code development for demonstrating the possible security impact of the bug or vulnerability.

Multiple vulnerabilities were found in antivirus products using the techniques described. Some of the classes of vulnerabilities found are:
• Integer Overflows
• NULL Pointer Dereference
• Heap Memory Corruption
• Double Free

Results
The test resulted in the discovery of six vulnerabilities in AVG, Sophos, F-Prot, BitDefender, avast! and ClamAV.

Vendor: AVG
Version: 7.5.51 (current), possibly others
Vulnerability Description: Multiple vulnerabilities were discovered in AVG Antivirus when analyzing specially crafted UPX packed files. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process, or at least cause a Denial of Service condition. These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product is used for scanning incoming e-mails on a mail server.
Impact: An attacker can remotely break into a victim's system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious code like Trojans, keyloggers and crimeware on the victim's system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability.

Vendor: F-Prot
Version: F-Prot version 4.6.8 for GNU/Linux
Vulnerability Description: It is possible to protect an ELF binary against F-Prot by corrupting its ELF header while leaving the binary completely functional. F-Prot will crash when analyzing the file, leaving the possible malware undetected. This might result in a complete bypass of antivirus protection.
Impact: Any malicious content/attachment will pass completely undetected. Believing the attachment is clean and safe, the victim is most likely to execute it, leading to complete system compromise.

Vendor: Sophos
Version: Sophos SAVScan 4.33.0 for Linux, possibly others
Vulnerability Description: Multiple vulnerabilities have been discovered in the Sophos Antivirus product in the parsing of specially crafted packed files from multiple packers including Armadillo, ASProtect, ASProtectSKE etc. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process, or at least cause a Denial of Service condition. These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product is used for scanning incoming e-mails on a mail server.
Impact: An attacker can remotely break into a victim's system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious code like Trojans, keyloggers and crimeware on the victim's system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability.
Vendor: ClamAV
Version: ClamAV 0.93.3 and prior
Vulnerability Description: ClamAV uses external unpackers for unpacking files packed with a variety of compression and encoding algorithms. There is a vulnerability in the handling of specially crafted LZH packed files in the unpacker used by ClamAV. This vulnerability can be exploited to execute arbitrary code on the vulnerable system, or at least cause a Denial of Service condition, by forcing ClamAV to scan a malicious LZH packed file. The vendor has removed support for external packers from the product from ClamAV 0.94 onwards.
Impact: An attacker can remotely break into a victim's system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious code like Trojans, keyloggers and crimeware on the victim's system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability.

Vendor: BitDefender
Version: v7 for Linux, possibly others
Vulnerability Description: Multiple integer overflows were discovered in the GNU/Linux version of BitDefender when analyzing specially crafted Portable Executable binaries packed with the Neolite and ASProtect packers. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process, or at least cause a Denial of Service condition. These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product is used for scanning incoming e-mails on a mail server.
Impact: An attacker can remotely break into a victim's system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious code like Trojans, keyloggers and crimeware on the victim's system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability.

Vendor: avast!
Version: avast! for Workstations v1.0.8
Vulnerability Description: Multiple buffer overflow vulnerabilities were discovered in the GNU/Linux version of avast! when analyzing specially crafted ISO and RPM files. Initial analysis shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on the affected system with the privilege of the user running the vulnerable antivirus process, or at least cause a Denial of Service condition. These vulnerabilities should be considered critical, particularly in setups where the affected antivirus product is used for scanning incoming e-mails on a mail server.
Impact: An attacker can remotely break into a victim's system by sending him a mail with a malicious attachment. This vulnerability results in execution of malicious code like Trojans, keyloggers and crimeware on the victim's system to steal information. An attacker can also cause a Denial of Service condition using this vulnerability.

How hackers can break into your system through antivirus?
Let us assume that a user is running an antivirus on their system. The antivirus checks for malicious code in the files processed on the system.

Step 1: Hacker sends a mail with a malicious attachment. The attacker creates a specific file which can crash the remote antivirus and sends it as an attachment to the user.

Step 2: Antivirus scans the malicious mail attachment. Once the malicious email is received, the vulnerable antivirus software tries to scan the malicious executable. In the case of a vulnerable antivirus, this may result either in an antivirus software crash or in execution of arbitrary code.

Step 3: Attacker crashes the antivirus and/or breaks into the system. Depending on the nature of the vulnerability, the antivirus may either crash or, in the case of an arbitrary code execution vulnerability, the hacker may get access to the remote system. The privilege level obtained is the same as the privilege the antivirus is running with, which is why running the scanner as a dedicated, unprivileged account limits the damage. If the antivirus has crashed, the hacker may now send another email with a malicious attachment to easily circumvent the crashed antivirus and infect the system with its malicious payload. This last step only works where the mail pipeline fails open, i.e. keeps delivering mail while the scanner is down; a fail-closed configuration turns the crash into a denial of service instead.

How to stay safe?
For security product vendors, it is very critical to adopt secure design and coding principles, conduct regular penetration testing, conduct code review and also educate customers about patching their security tools. It is critical to create security assurance programs and customer education programs. They need to make their customers understand that a security product is yet another piece of software or hardware, that no software or hardware can be free of bugs and vulnerabilities, and that it is important to know how to deal with this.

For enterprises and ordinary users, it is very critical to understand that security tools can also have vulnerabilities, and hence it is critical to use them judiciously. We need to patch the security tools too, create a layered defense, use multiple tools and create adequate failover mechanisms.

The next part of this series will discuss further vulnerabilities in security products and details of the measures that users and product vendors should take to stay secure.

By: Bikash Barai. He is the CEO and co-founder of iViZ (www.ivizsecurity.com), an On-Demand Penetration Testing company which provides security testing for applications, networks and compliance. Additional credits to Abhisek Datta and the iViZ Vulnerability Research Team.
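To make the case study's test methodology concrete, here is an added example in C; it is not code from the article or from iViZ's tool set, whose scripts and parser library the article does not publish. It constructs a minimal ELF64 image in memory (a constructed sample, not a real binary), applies the three mutation strategies the article names (bit alteration, byte alteration, byte replacement with 0x00, 0x01, 0x80, 0xff, 0xfe) to one program-header field, and runs every mutant through two versions of the bounds check that an unpacker or scanner performs before allocating and copying a segment: a flawed one in which p_offset + p_filesz can wrap, which is the "small allocation, big copy" condition the article describes, and a hardened one that compares without forming an overflowable sum. Whole-field fills with the replacement bytes are an assumption added here, on the grounds that a format-aware fuzzer knows the field width; the struct layouts are the ELF64 ones from the specification, so the program builds without <elf.h>. All function and constant names are this example's own.

```c
/* Added example, not code from the article or from iViZ's tool set: a
 * format-aware mutator for one ELF64 program-header field, run against the
 * flawed and the hardened version of the bounds check that such fuzzing
 * targets. The ELF image is constructed in memory for the demonstration.
 * Struct layouts follow the ELF64 specification, so <elf.h> is not needed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                      /* Elf64_Ehdr, 64 bytes */
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr_t;

typedef struct {                      /* Elf64_Phdr, 56 bytes */
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr_t;

enum { SAMPLE_MAX = 256, SEG_LEN = 64 };

/* Build a well-formed sample: header, one PT_LOAD segment, 64 bytes of body.
 * Returns the image length; 'img' must hold SAMPLE_MAX bytes. */
size_t build_sample_elf(uint8_t *img)
{
    ehdr_t eh; phdr_t ph;
    memset(&eh, 0, sizeof eh); memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* 64-bit, LSB, v1 */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;         /* EXEC, x86-64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = 1; ph.p_flags = 5;                              /* PT_LOAD, R+X */
    ph.p_offset = sizeof eh + sizeof ph;
    ph.p_filesz = ph.p_memsz = SEG_LEN; ph.p_align = 0x1000;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, &ph, sizeof ph);
    memset(img + ph.p_offset, 0x90, SEG_LEN);                   /* constructed body */
    return (size_t)ph.p_offset + SEG_LEN;
}

/* Flawed check of the kind the article's fuzzing finds: the 64-bit sum
 * p_offset + p_filesz can wrap, so an absurd size passes "end <= len", and a
 * parser that then allocates p_memsz bytes and copies p_filesz bytes has the
 * "small allocation, big copy" bug. Returns 1 when the segment is accepted. */
int naive_segment_ok(const phdr_t *ph, size_t len)
{
    uint64_t end = ph->p_offset + ph->p_filesz;   /* may wrap around */
    return end <= len;
}

/* Hardened check: never form a sum that can overflow; each field is compared
 * against what remains of the file, and filesz may not exceed memsz. */
int safe_segment_ok(const phdr_t *ph, size_t len)
{
    if (ph->p_offset > len) return 0;
    if (ph->p_filesz > len - ph->p_offset) return 0;   /* cannot wrap */
    if (ph->p_filesz > ph->p_memsz) return 0;
    return 1;
}

/* Mutation strategies named in the article: bit alteration, byte alteration
 * (here: increment) and byte replacement with {0x00,0x01,0x80,0xff,0xfe}.
 * Whole-field fills are an assumption added for a format-aware fuzzer that
 * knows the field is 8 bytes wide. Variant i of the field at 'off' is written
 * into 'img'; returns 0 once i is past the last variant. */
static const uint8_t REPLACE[] = { 0x00, 0x01, 0x80, 0xff, 0xfe };
enum { N_BITS = 64, N_BYTE = 8, N_REPL = 8 * 5, N_FILL = 5,
       N_VARIANTS = N_BITS + N_BYTE + N_REPL + N_FILL };

int mutate_field(uint8_t *img, size_t off, int i)
{
    uint8_t *f = img + off;
    if (i < N_BITS) { f[i / 8] ^= (uint8_t)(1u << (i % 8)); return 1; }
    i -= N_BITS;
    if (i < N_BYTE) { f[i] += 1; return 1; }
    i -= N_BYTE;
    if (i < N_REPL) { f[i / 5] = REPLACE[i % 5]; return 1; }
    i -= N_REPL;
    if (i < N_FILL) { memset(f, REPLACE[i], 8); return 1; }
    return 0;
}

/* Fuzz one field of the first program header and count the mutants that the
 * flawed check accepts but the hardened check rejects: each of those is an
 * input that would reach the allocate-and-copy path with a wrapped size. */
int count_divergent(size_t field_off)
{
    uint8_t base[SAMPLE_MAX], img[SAMPLE_MAX];
    size_t len = build_sample_elf(base);
    int divergent = 0;
    for (int i = 0; i < N_VARIANTS; i++) {
        memcpy(img, base, len);
        ehdr_t eh; memcpy(&eh, img, sizeof eh);        /* locate phdr via e_phoff */
        mutate_field(img, (size_t)eh.e_phoff + field_off, i);
        phdr_t ph; memcpy(&ph, img + eh.e_phoff, sizeof ph);
        if (naive_segment_ok(&ph, len) && !safe_segment_ok(&ph, len))
            divergent++;
    }
    return divergent;
}

int main(void)
{
    printf("p_offset: %d divergent mutants\n", count_divergent(offsetof(phdr_t, p_offset)));
    printf("p_filesz: %d divergent mutants\n", count_divergent(offsetof(phdr_t, p_filesz)));
    return 0;
}
```

Save it as, for example, fuzz_phdr.c, build with cc -std=c99 -Wall fuzz_phdr.c and run it; each field reports how many mutants pass the flawed check but fail the hardened one. With this sample only the all-0xff fill of each field wraps, and that is the point: single-bit and single-byte changes rarely reach the wrap boundary, so a format-aware fuzzer should also emit width-sized boundary values rather than relying on bit and byte flips alone. Against a real scanner the same mutants would be written to disk and the scanner run over them under a debugger, as the bug-analysis steps in the case study describe.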