Avast! Multiple Vulnerabilities

                                                ShineShadow Security Report 22102009-12

TITLE

Avast! Multiple Vulnerabilities

BACKGROUND

Avast! antivirus software represents complete virus protection, offering full desktop \
security including a resident shield. Daily automatic updates ensure continuous data \
protection against all types of malware and spyware. Avast! antivirus is certified by \
both ICSA Labs and West Coast Labs Checkmark. Avast! Professional Edition 4.8 is a \
collection of award winning, high-end technologies that work in perfect synergy, \
having one common goal: to protect your system and valuable data against computer \
viruses, spyware and rootkits. It represents a best-in-class antivirus solution for \
any Windows-based workstation.

Source: http://www.avast.com

VULNERABLE PRODUCTS

Vulnerability #1 (CVE-2009-3524)

Avast! Professional Edition <= 4.8.1351
Avast! Home Edition <= 4.8.1351

Vulnerability #2

Avast! Professional Edition <= 4.8.1356
Avast! Home Edition <= 4.8.1356

DETAILS

Avast! installs some program files with insecure permissions. "Everyone" group has \
"Full Control" rights to the files/folders in the following path: "%Program \
Files%\Alwil Software\Avast4\Data". Its mean that any unprivileged user can modify, \
delete or change permissions of any file in DATA folder. The folder consists of data, \
executable and configuration files. In result multiple attack vectors are possible.

Vulnerability #1 Local privilege escalation (CVE-2009-3524)

A local attacker (unprivileged user) can modify %Program Files%\Alwil \
Software\Avast4\Data\avast4.ini file. "ISAPIFilter1" parameter in avast4.ini contains \
filename or full path to ISAPI filter module – originally "ashWsFtr.dll". An attacker \
can replace the original path by path to the attackers malicious dynamic library \
(DLL). After restart attackers DLL will be loaded with SYSTEM privileges. This is \
local privilege escalation vulnerability.

Vulnerability #2 Denial of Service

A local attacker (unprivileged user) could cause denial of service conditions in \
Avast! by deleting %Program Files%\Alwil Software\Avast4\Data\400.vps file. After \
system restart all Avast! modules failed to load.

EXPLOITATION

An attacker must have valid logon credentials to a system where vulnerable software \
is installed.

WORKAROUND

Vulnerability #1 (CVE-2009-3524)

Alwil Software has addressed this vulnerability by releasing fixed versions of the \
vulnerable products: Avast! Professional Edition 4.8.1356
Avast! Home Edition 4.8.1356
More detail: http://www.avast.com/eng/avast-4-home_pro-revision-history.html
Insecure permissions on DATA folder have not been fixed, vendor solved the \
vulnerability  by securing "ISAPIFilter1" parameter.

Vulnerability #2
No workarounds.

Regarding insecure permissions on DATA folder vendor response the following:
"The issue is addressed in the upcoming avast v5.0 (due this November) but there are \
no plans to do anything about it in the current version (4.x branch)."

DISCLOSURE TIMELINE

25/08/2009 Initial vendor notification. Secure contacts requested.
26/08/2009 Vendor response 
27/08/2009 Vulnerability details sent (Vulnerability #1). Confirmation requested. No \
reply. 01/09/2009 Vulnerability details sent (Vulnerability #1). Confirmation \
requested. 03/09/2009 Vendor accepted issue for investigation
23/09/2009 Update status query sent to vendor. No reply.
25/09/2009 Vendor released Avast! 4.8.1356. Multiple vulnerabilities have been fixed \
in this version including Vulnerability #1. 01/10/2009 CVE-2009-3524 has been \
assigned to Vulnerability #1. 02/10/2009 Vendor has been notified that the Avast! \
4.8.1356 fix described privilege escalation scenario only and does not fix the nature \
of vulnerability – insecure permissions. As the proof the new attack scenario has \
been discovered (Vulnerability #2) and vendor has been notified. No reply. 06/10/2009 \
Resend notification 06/10/2009 Vendor response regarding insecure permissions: "The \
issue is addressed in the upcoming avast v5.0 (due this November) but there are no \
plans to do anything about it in the current version (4.x branch)." 22/10/2009 \
Advisory released

CREDITS

Maxim A. Kulakov (ShineShadow) 
ss_contacts[at]hotmail.com