Serious design flaws bypassing exploit mitigations found in AVG, McAfee, Kaspersky

Popular Antivirus programs such as AVG, McAfee and Kaspersky were found to be providing easy access for malware attackers to infect PC’s with exploit mitigations. This is said to be happening because of serious design issues that they carry, as explored by Tomer Bitton, the Co-Founder & VP Research at enSilo.

AVG

The flaw is said to exist, where anti-virus products allocate memory with RWX (Read-Write-Execute) permissions in a predictable address.

Injecting the malicious code with ease

Injecting a malicious code using the above process seems to be easier than you would otherwise think. Post user-mode creation process, the affected program uses the kernel to inject a small hooking code stub and simultaneously allocates a memory page with RWX (Read-Write-Execute) permissions at a constant/predictable address.

Attackers with access to a compromised third party application can then easily copy the malicious code to the program’s allocated RWX page and execute the malicious code with ease. The exploitation can be in the form of any application be it a word file, pdf or through a browser.

Many Antivirus products could be carrying this issue

As Tomer mentions, the design flaw was first discovered in AVG in March 2015, however soon when it was tested on other anti-virus products, the result disclosed other programs with the same flaw. The effected programs discovered until now, include:

  • McAfee Virus scan Enterprise version 8.8. This vulnerability appears in their Anti Malware + Add-on Modules , scan engine version (32 bit) 5700.7163 , DAT version 7827.0000 , Buffer Overflow and Access Protection DAT version 659 , Installed patches: 4 ( the vulnerability was fixed after the company released a patch on August 20, 2015 )
  • Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342 ( the vulnerability was fixed after the company released a patch on Sep 24, 2015 )
  • AVG Internet Security 2015 build 5736 + Virus database 8919. ( the vulnerability was fixed after the company released a patch on March 12, 2015 )

While the security companies have fixed the flaw, and released updates, you may want to ensure that you are running the latest available versions of your security software.

In case you would like to check if your computer is prone to exploitable constant, RWX addresses, you can use “AVulnerabilityChecker” to find the same. It is available at Github.

Posted by with Tags
Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wild life and has written a book on Top Tiger Parks of India.