AVG Remote Administration Bypass / Code Execution / Static Keys

08 May 2014 | Reported by S. Viehbock | Type: packetstorm | Source: packetstormsecurity.com | 40 views

AVG Remote Administration allows remote installation, update and configuration of AVG across a computer network. Critical vulnerabilities allow attackers to compromise the Admin Server, deploy attacker-controlled code on endpoints and impersonate AVG endpoints.

Code

SEC Consult Vulnerability Lab Security Advisory < 20140508-0 >  
=======================================================================  
title: Multiple critical vulnerabilities  
product: AVG Remote Administration  
vulnerable version: all - except issue #2  
fixed version: none - except issue #2  
impact: critical  
homepage: http://www.avg.com  
found: 2013-12-07  
by: Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"AVG Remote Administration" allows the network administrator to remotely  
install, update, and configure AVG across the computer network."  
  
Source:  
http://www.avg.com/eu-en/product-avg-admin  
http://www.avg.com/us-en/faq.num-5307  
  
  
Technology description:  
-----------------------  
AVG Remote Administration consists of several components:  
- AVG Admin Server (central server, listens on TCP port 4158)  
- AVG Admin Console (fat client for administration)  
- AVG AntiVirus, Internet Security etc. (managed endpoints)  
  
The Admin Console and the AVG products on endpoints connect to TCP port 4158 on  
the Admin Server using the same protocol.  
  
  
Business recommendation:  
------------------------  
Attackers are able to completely compromise the AVG Admin Server  
system as they can gain full access at the application and system level.  
Attackers can manage endpoints and possibly deploy attacker-controlled code on  
endpoints.  
  
Furthermore, endpoints can be tricked into communicating with rogue AVG  
Administration Servers.  
  
All vulnerabilities are based on severe design flaws in the application as well  
as the proprietary protocol. It is highly recommended by SEC Consult not to  
use this software until a thorough security review has been performed by  
security professionals and all identified issues have been resolved.  
  
It is assumed that even more critical vulnerabilities exist.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Authentication bypass / Missing authentication  
The authentication checks for access via the AVG Admin Console (=fat client)  
are done on the client side. The AVG Admin Server sends a list of valid  
usernames/password hashes to AVG Admin Console. As the Admin Console is  
controlled by the client, authentication can easily be bypassed.  
  
Attackers can connect to the AVG Admin Server and manage clients just like a  
legitimate administrator with full privileges using a modified version (checks  
removed using binary patch) of AVG Admin Console.  
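To make the design flaw behind issue 1 concrete, the following added example (constructed for this write-up, not AVG's code; the hash scheme, user table and command names are assumptions) contrasts a server that ships its hash list and trusts the console's verdict with one that verifies credentials itself and binds commands to a session:

```python
import hashlib
import hmac
import os

# Constructed demo of the two designs; the hash scheme, user table and
# command names are assumptions, not AVG's protocol or code.
SALT = os.urandom(16)
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

class ClientSideAuthServer:
    """Issue #1 pattern: the server hands out the hash list and then trusts
    whatever the console decides; it never checks who is issuing commands."""
    def get_credentials(self):
        return dict(USERS)            # every hash leaks to anyone who connects
    def manage(self, command):
        return "executed " + command  # no notion of an authenticated session

def honest_console(server, user, password):
    # Verification happens here, inside code the connecting party controls.
    expected = server.get_credentials().get(user, b"")
    if not hmac.compare_digest(expected, pw_hash(password)):
        return "login failed"
    return server.manage("deploy-policy")

def patched_console(server):
    # Equivalent of the advisory's binary patch: the comparison is skipped,
    # and the server cannot tell the difference.
    return server.manage("deploy-policy")

class ServerSideAuthServer:
    """Hardened design: the server verifies the credential itself, issues a
    random session token, and rejects commands that do not carry a valid one."""
    def __init__(self):
        self.sessions = set()
    def login(self, user, password):
        expected = USERS.get(user, pw_hash("dummy"))  # same cost for unknown users
        if not hmac.compare_digest(expected, pw_hash(password)):
            return None
        token = os.urandom(16).hex()
        self.sessions.add(token)
        return token
    def manage(self, token, command):
        if token not in self.sessions:
            return "rejected: not authenticated"
        return "executed " + command
```

The hash list handed out by the first server is also an offline cracking target, which is a second reason the check must stay on the server.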
  
  
2) Remote code execution  
Attackers are able to set arbitrary configuration settings for the AVG  
Administration Server. Due to insufficient input validation an attacker can  
set the value of a parameter to a UNC path. This path is passed to the Windows  
API LoadLibrary() function. This enables an attacker to provide arbitrary .dlls  
via network shares which are then executed.  
This provides an attacker full access on the operating system as the AVG Admin  
Server runs as SYSTEM.  
  
As the protocol is tunneled via HTTP, this attack is possible via CSRF as well.  
  
  
3) Missing entity authentication  
The used protocol does not provide any functionality to verify the identity  
of communication partners. This allows attackers to pose as an AVG endpoint,  
or act as a rogue AVG Admin Server for an endpoint. Attackers can manage  
clients just like a legitimate administrator.  
  
  
4) Use of static encryption keys and insecure modes of operation  
The protocol level encryption is based on the (symmetric) block cipher  
Blowfish. Hardcoded encryption keys are used by the client as well as the  
server for message encryption.  
This allows an attacker to decrypt and modify the messages.  
  
The Blowfish cipher is used in electronic codebook (ECB) mode, which enables  
some other attacks. However, these attacks are not really relevant at this  
point as the encryption keys are known anyway.  
  
  
Proof of concept:  
-----------------  
1) Authentication bypass  
This vulnerability was verified using a binary patch for AVG Admin Console.  
Only 3 bytes were changed in the Admin Console binary.  
  
Note: This vulnerability might allow direct attacks against clients hence a  
proof of concept exploit has been removed.  
  
A video demonstrating this issue has been released by SEC Consult:  
https://www.youtube.com/watch?v=exiLSy1oo3I  
  
  
2) Remote code execution  
The parameter ClientLibraryName can be set via the StoreServerConfig command  
(command id 0x27). The provided value can be a path to a network share  
containing a malicious .dll file. This .dll file will be executed in the  
context of the AVG Admin Server service which runs as SYSTEM.  
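The input validation missing in issue 2 would look roughly like the following added example (written for this page, not AVG's code; the install directory is an assumed value and the advisory does not state the real one). It accepts only a relative name that resolves to a .dll inside the install directory, so UNC shares, other drives, traversal and device paths are refused, and it returns an absolute path so that LoadLibrary() is never left to the DLL search order:

```python
import ntpath

# Assumed install directory for the demo; the real product path is not
# stated in the advisory.
INSTALL_DIR = r"C:\Program Files\AVG Admin"

def resolve_client_library(value, install_dir=INSTALL_DIR):
    """Return the absolute path to hand to LoadLibrary(), or None if the
    configured ClientLibraryName must be rejected."""
    if not value or "\x00" in value:
        return None
    # \\server\share, //server/share, \\?\ and \\.\ all start with two separators
    if value.startswith(("\\\\", "//", "\\/", "/\\")):
        return None
    # A drive letter (C:\..., C:foo) or a rooted path (\foo) is not relative to us
    if ntpath.splitdrive(value)[0] or value[0] in "\\/":
        return None
    base = ntpath.normpath(install_dir)
    full = ntpath.normpath(ntpath.join(base, value))
    # normpath collapses "..\" segments; the result must stay inside install_dir
    if not full.lower().startswith(base.lower() + "\\"):
        return None
    if ntpath.splitext(full)[1].lower() != ".dll":
        return None
    return full
```

Path validation alone does not close the hole while issues 1 and 3 remain: the configuration must also only be writable by an authenticated console.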
  
  
3) Missing entity authentication  
Attackers can pose as a legitimate AVG Administration Server by responding  
to NBNS queries for the AVG Admin Server hostname or using various  
other techniques (e.g. MITM attacks).  
  
Note: This vulnerability might allow direct attacks against clients hence a  
proof of concept exploit has been removed.  
  
A video demonstrating this issue has been released by SEC Consult:  
https://www.youtube.com/watch?v=XYvtwc10dLc  
  
  
4) Use of static encryption keys and insecure modes of operation  
The protocol messages can be encrypted and decrypted using the following Python  
code (shown here for Python 3 with PyCryptodome; the original was Python 2):  

```python
from Crypto.Cipher import Blowfish  # PyCryptodome: pip install pycryptodome

# Static key shared by client and server (24 bytes, the last 8 being zero).
key = b'\xA1\x45\xF0\x09\xEA\x7E\x4B\x98\x46\x7A\xEA\xD0\xF4\x6C\xAB\x87\x00\x00\x00\x00\x00\x00\x00\x00'
cipher = Blowfish.new(key, Blowfish.MODE_ECB)

def swapendian(s):
    # The protocol treats each 32-bit word as little-endian: reverse the byte
    # order of every 4-byte word before and after the cipher call.
    dwords = [s[i:i + 4] for i in range(0, len(s), 4)]
    return b''.join(dword[::-1] for dword in dwords)

def avg_encrypt(plaintext):
    # Zero-pad to the 8-byte Blowfish block size.
    if len(plaintext) % 8 != 0:
        plaintext += b'\x00' * (8 - len(plaintext) % 8)
    return swapendian(cipher.encrypt(swapendian(plaintext)))

def avg_decrypt(ciphertext):
    if len(ciphertext) % 8 != 0:
        return b'DECRYPTION ERROR'
    return swapendian(cipher.decrypt(swapendian(ciphertext)))
```
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in AVG Admin Server version  
13.0.0.2892, which was the most recent version at the time of discovery.  
  
  
  
Vendor contact timeline:  
------------------------  
2014-01-15: Contacting AVG via online support form and requesting security  
contact.  
2014-01-15: Support forwards us to "Jürgen Jakob Software-Entwicklung, AVG  
Authorized Distributor" (sales representative!)  
2014-01-21: AVG support requests technical information.  
2014-01-22: Requesting contact to discuss security issues.  
2014-01-29: Requesting contact to discuss security issues (2nd try).  
2014-02-10: Requesting contact to discuss security issues (3rd try).  
2014-02-12: AVG support explains lack of response because they were  
"experiencing a higher than usual volume of e-mail messages from  
customers" and requests technical information.  
2014-02-24: Requesting encryption keys (S/MIME or PGP).  
2014-03-05: Requesting encryption keys (2nd try). Announcing that advisory will  
be sent via plaintext if no keys are provided.  
2014-03-11: (No response) Sending security advisory and responsible disclosure  
policy as plaintext. Setting deadline to 2014-04-30.  
2014-03-11: Opening a new ticket - referring to previous ticket, advisory and  
proof of concept exploits.  
2014-03-31: (No response) Contacting AVG CTO via LinkedIn, referring to  
previous tickets and requesting encryption key.  
2014-03-31: CTO responds, provides encryption key.  
2014-03-31: Sending advisory and responsible disclosure via encrypted channel.  
2014-04-04: CTO responds with AVG risk assessment:  
#1 low risk "This is by design"  
#2 high risk  
#3 medium risk "This attack is difficult to set up"  
#4 low risk "The cipher is used here just for the obfuscation of  
the traffic, it was not meant to protect any private  
data"  
CTO further mentions that Remote Administration is "no longer  
available for sale for new customers" - this was never substantiated!  
Even the FAQ on the website says differently:  
http://www.avg.com/us-en/faq.num-5125  
2014-04-25: Shifting release deadline to 2014-05-08.  
2014-04-28: CTO responds, announcing that patch for remote code execution  
(issue #2) will be released on 2014-04-29.  
2014-05-06: Requesting confirmation that only remote code execution will be  
fixed.  
2014-05-06: CTO confirms that only remote code execution is fixed.  
2014-05-08: SEC Consult releases security advisory & proof of concept videos.  
  
  
Solution:  
---------  
AVG has _only_ patched the remote code execution vulnerability (issue #2).  
  
The patched version (2013.0.2895) is available via:  
http://download.avg.com/filedir/inst/avg_rad_x86_all_2013_2895.exe  
http://download.avg.com/filedir/inst/avg_rad_x64_all_2013_2895.exe  
  
There is no solution/patch for the remaining, critical vulnerabilities!  
  
  
Workaround:  
-----------  
The workaround is to disable AVG Remote Administration entirely. This requires  
the shutdown of the AVG Admin Server and the deactivation of the Remote  
Administration feature in all clients.  
  
Of course, all the central management, reporting and update functionality  
provided by AVG Remote Administration is then no longer available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Stefan Viehböck / @2014  
