Attacking Anti Viruses 1

The document discusses attacking antivirus software by finding vulnerabilities. It outlines reasons antivirus is vulnerable including being error prone when handling unpredictable file formats. It then describes techniques for auditing antivirus like checking for local privilege escalation issues, vulnerabilities in ActiveX controls, source code audits, reversing file parsers, and fuzzing. Examples of discovered vulnerabilities are also listed.
Copyright
© Attribution Non-Commercial (BY-NC)

Attacking Antivirus

Feng Xue

Nevis Labs

2008-4-1 © 2005 Nevis Networks – Proprietary and Confidential 1


Who Am I

• Technical Lead at Nevis Labs
• Most of the time working on
– Vulnerability discovery
– Vulnerability analysis
– M$ Black Tuesday, etc.
• Discovered over 30 vulnerabilities in popular software, including products from Microsoft, Symantec, Apple, Trend Micro, HP, Real Networks, etc.
• Recently focused on antivirus software security
– Lots of AV vulnerabilities.



Outline

• Why can AV be targeted?
• Finding vulnerabilities in antivirus
• Exploiting antivirus
• A few words
• Future work



Why Can Antivirus Be Targeted

What if attackers attack antivirus?
• People trust antivirus too much
– “I am safe, because I have installed an antivirus!”
• Antivirus serves as the security gate for incoming files



Why Can AV Be Targeted – Continued

• Antivirus is a common component
– Over 80% of people are using antivirus software [Reference-8]
• Cross-platform exploitation
– As great as the Java and Adobe vulnerabilities
• Antivirus is error-prone



Why Is AV Error-Prone?

• User input (the files being scanned) is totally unpredictable
• Too many formats to deal with
– How can AV process hundreds of formats correctly?
• Many of the vulnerabilities exist in the following major components of the antivirus engine:
– Unpacking
– Decompression



Finding vulnerabilities of Antivirus



Audit Antivirus

• Local Privilege Escalation
• ActiveX
• Engine
– Source code audit
– Reversing
– Fuzzing
• Management



Audit - Local Privilege Escalation

• Weak DACL
– Installation directory
– Service (SC.exe)
• Driver issues
– IOCTL handler: insufficient address-space verification (DC2.exe)
– SSDT hook (BSODHook.exe)
– Fuzz the driver! Investigate the BSOD.
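Added example for the weak service DACL item above (not from the slides and not any vendor's code): it parses the SDDL string that `sc.exe sdshow <ServiceName>` prints and flags allow-ACEs that give low-privileged principals the rights to reconfigure, stop, delete or re-ACL the service. The two descriptors are constructed samples; the right and SID abbreviations are the documented Windows SDDL ones.

```python
# Added example, not from the slides. Right/SID abbreviations are the
# documented Windows SDDL ones for service objects.
import re

RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
# Rights that let the holder repoint the service binary, stop or delete the
# service, or rewrite its security descriptor: the local-escalation path.
DANGEROUS = {"DC", "WP", "SD", "WD", "WO", "GA", "GW"}
# Low-privilege well-known SID aliases that must never hold those rights.
LOW_PRIV = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
            "IU": "Interactive", "AN": "Anonymous"}

def parse_dacl(sddl):
    """Return [(ace_type, rights_set, sid)] for each ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # stops at the S: SACL
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")  # type;flags;rights;object;inherit_object;sid
        if len(f) < 6:
            continue
        rights = f[2]
        if rights.startswith("0x"):
            rset = {rights}  # raw access mask: left opaque here
        else:
            rset = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((f[0], rset, f[5]))
    return aces

def weak_aces(sddl):
    """Return (principal, [rights]) for allow-ACEs granting tampering rights."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in LOW_PRIV:
            bad = sorted(rights & DANGEROUS)
            if bad:
                findings.append((LOW_PRIV[sid], [RIGHTS[r] for r in bad]))
    return findings
# Constructed samples: a descriptor modelled on the stock Windows service
# default, and one whose installer gave Authenticated Users full control.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")
```

On a Windows host, feed the output of `sc.exe sdshow <ServiceName>` for each AV service to `weak_aces()`; an empty result means no low-privileged principal can tamper with the service.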



Audit - Local Privilege Escalation

Demo 1
Rising Antivirus SSDT Hook 0day



Audit – ActiveX Control

• Installed by antivirus products, free online scan services and download managers
Problems:
• Insecure method (design error)
– CA: SigUpdatePathFTP()
– Kaspersky: StartUploading()
• Buffer overflow
– Symantec, CA, Authentium, RAV, etc.



Audit – ActiveX Control

Fuzzing and manual audit

• AxMan – script fuzzer for memory corruption
• ComRaider – GUI fuzzer for memory corruption
• OleView – manually audit ActiveX
• FileMon – file operations
• RegMon – registry operations
• TCPView – ports, network connections
• Wireshark – sniff network traffic



Audit – Engine

Most of the engine problems exist in format parsing

• Memory corruption
– Stack overflow, heap overflow, memory access/modification
• Denial of service
– CPU (most AVs were vulnerable to ZIP/CHM processing problems in the past)
– Disk space (NOD32 will eat 4 GB of disk when scanning a malicious ARJ file that is only 1 KB; no patch yet)
• Detection bypass
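Added example (not from the slides, and not any vendor's code) of the guard an archive decoder needs against the disk-space and CPU exhaustion items above: a bounded inflater that aborts as soon as output exceeds an absolute cap or a fixed expansion ratio relative to the compressed size. DEFLATE stands in for ARJ here, and the limits and sample inputs are constructed.

```python
# Added example, not from the slides: a bounded DEFLATE inflater standing in
# for the archive decoders an AV engine runs on untrusted input.
import zlib

class DecompressionBomb(Exception):
    """Output exceeded the absolute or ratio-based limit."""

def safe_inflate(data, max_out=64 * 1024 * 1024, max_ratio=100, chunk=64 * 1024):
    """Inflate a zlib stream, stopping before output exceeds the limits."""
    # Whichever is smaller wins: an absolute cap, or a multiple of the
    # compressed size (so a 1 KB input may not become more than 100 KB).
    limit = min(max_out, max_ratio * max(len(data), 1))
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        # Ask for at most `chunk` bytes so the limit is checked incrementally
        # rather than after the whole output has been materialised.
        piece = d.decompress(pending, chunk)
        out.extend(piece)
        if len(out) > limit:
            raise DecompressionBomb(f"output exceeded {limit} bytes")
        pending = d.unconsumed_tail
        if not piece and not pending:
            break  # no progress: input ended before the stream did
    if not d.eof:
        raise ValueError("truncated or corrupt stream")
    return bytes(out)

def verdict(data, **limits):
    """Classify a blob the way a scanner might: 'ok', 'bomb' or 'corrupt'."""
    try:
        safe_inflate(data, **limits)
        return "ok"
    except DecompressionBomb:
        return "bomb"
    except (zlib.error, ValueError):
        return "corrupt"

# Constructed inputs: an ordinary payload, and 10 MB of zeros that deflate
# squeezes to roughly 10 KB (about 1000:1), far past the 100:1 ceiling.
SAMPLE = bytes(range(256)) * 4
GOOD = zlib.compress(SAMPLE)
BOMB = zlib.compress(b"\0" * (10 * 1024 * 1024))

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bomb", BOMB), ("truncated", GOOD[:-4])):
        print(f"{name}: {len(blob)} bytes -> {verdict(blob)}")
```

Nested archives need the same budget carried across every layer, otherwise each inner member gets a fresh allowance.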



Audit – Engine: Source Code

• Must have access to the source code
• Time consuming
• Open-source ClamAV is the best one for practice
– 49 CVE matches
• Tools: FlawFinder, RATS, ITS4, SPLINT, CodeScan, Coverity



Audit – Engine: Reversing

• Reverse the file format plugins one by one!
– Kaspersky: Arj.ppl, base64.ppl, cab.ppl, lha.ppl, rar.ppl
– Bitdefender: arc.xmd, arj.xmd, bzip2.xmd, cab.xmd, docfile.xmd
• Typical bugs: memory allocation, string copy, integer wraparound
Advantage:
– Effective against all closed-source AV
– Can uncover more subtle vulnerabilities
Disadvantage:
– Extremely time consuming
– Tools: IDA, Hex-Rays

Audit – Engine: Fuzzing!

• Few people have thought about fuzzing antivirus
• Few antivirus fuzzers published
– Vxfuzz – Taviso
– nrun’s private Fuzzer-Framework v1.0
– My in-house script, and yours
• Fuzzing antivirus is easier than most other fuzzing
• Even a dozen-line script could uncover many exploitable vulnerabilities!



Audit – Engine: Fuzzing!

What do we need?
• Good samples
– rar, zip, chm, arj, lha, lzh, tar, tgz, doc, xls, upx, fsg, more
– CreateARJ, MakeCAB, WACE, WinZIP, WinRAR, PowerISO, various PE packers, Google (filetype:xxx)
• A big hard disk
– For test cases
• Debugger
– WinDbg, OllyDbg, Immunity Debugger
• Fuzzer
– The original fuzzer is actually a file generator
– Scripting language: Python/Perl/C
– May need to deal with the CRC



Audit – Engine: Fuzzing!

How? 4 steps
• Create test cases
– Using the script you wrote and the samples you collected
– 0xFFFFFFFF, 0xFFFF, 0x0000, 0x0001, etc.
• Download the trial version of the AV and install it
• Scan! Do not forget to start the debugger
• Go to sleep: leave your computer fuzzing



Audit – Engine: Fuzzing!

Demo 2
Fuzzing McAfee Antivirus for 0day ;)



Audit Result

By auditing the mainstream antivirus engines, we have found and published:
• AhnLab AV Remote Kernel Memory Corruption
• TrendMicro AV UUE Decoding Format String Vulnerability
• Avast! AV TGZ Parsing Heap Corruption
• McAfee AV BZIP2 Parsing Memory Corruption (working with vendors)
• NOD32 Heap Overflow (unpublished, 0day)
• More upcoming

