Popular Antivirus programs such as AVG, McAfee and Kaspersky were found to be providing easy access for malware attackers to infect PC’s with exploit mitigations. This is said to be happening because of serious design issues that they carry, as explored by Tomer Bitton, the Co-Founder & VP Research at enSilo.
The flaw is said to exist, where anti-virus products allocate memory with RWX (Read-Write-Execute) permissions in a predictable address.
Injecting the malicious code with ease
Injecting a malicious code using the above process seems to be easier than you would otherwise think. Post user-mode creation process, the affected program uses the kernel to inject a small hooking code stub and simultaneously allocates a memory page with RWX (Read-Write-Execute) permissions at a constant/predictable address.
Attackers with access to a compromised third party application can then easily copy the malicious code to the program’s allocated RWX page and execute the malicious code with ease. The exploitation can be in the form of any application be it a word file, pdf or through a browser.
Many Antivirus products could be carrying this issue
As Tomer mentions, the design flaw was first discovered in AVG in March 2015, however soon when it was tested on other anti-virus products, the result disclosed other programs with the same flaw. The effected programs discovered until now, include:
- McAfee Virus scan Enterprise version 8.8. This vulnerability appears in their Anti Malware + Add-on Modules , scan engine version (32 bit) 5700.7163 , DAT version 7827.0000 , Buffer Overflow and Access Protection DAT version 659 , Installed patches: 4 ( the vulnerability was fixed after the company released a patch on August 20, 2015 )
- Kaspersky Total Security 2015 – 188.8.131.521 – kts184.108.40.2061en_7342 ( the vulnerability was fixed after the company released a patch on Sep 24, 2015 )
- AVG Internet Security 2015 build 5736 + Virus database 8919. ( the vulnerability was fixed after the company released a patch on March 12, 2015 )
While the security companies have fixed the flaw, and released updates, you may want to ensure that you are running the latest available versions of your security software.
In case you would like to check if your computer is prone to exploitable constant, RWX addresses, you can use “AVulnerabilityChecker” to find the same. It is available at Github.