Avira Free Antivirus DLL Hijacking

30 Aug 2016, reported by Stefan Kanthak. Source: packetstorm (packetstormsecurity.com)

Avira Free Antivirus DLL Hijacking Vulnerabilities in Executable Installer

Hi @ll,  
  
Avira's free antivirus full package executable installers,  
avira_antivirus_en-us.exe, avira_antivirus_de-de.exe etc.,  
available from  
<https://www.avira.com/en/download/product/avira-free-antivirus>,  
<https://www.avira.com/de/download/product/avira-free-antivirus>  
etc., have multiple vulnerabilities:  
  
  
1. the full package executable installers (really: self-  
extracting RAR archives) extract their payload (the real  
installer) into the directory "%TEMP%\RarSFX0\"  
  
This directory is NOT protected against tampering, i.e. the  
extracted payload can be replaced by an unprivileged attacker  
who has access to the respective user account, or by malware  
already running under this user account.  
  
  
2. after extraction the self-extractor starts the unpacked  
"%TEMP%\RarSFX0\presetup.exe" ELEVATED, eventually  
displaying a UAC prompt.  
  
An unprivileged attacker who modified "%TEMP%\RarSFX0\presetup.exe"  
between extraction and execution can trick the user into starting a  
rogue program with administrative privileges.  
  
  
3. "%TEMP%\RarSFX0\presetup.exe" loads multiple (system) DLLs  
from its application directory "%TEMP%\RarSFX0\", and starts  
several programs, for example "%TEMP%\RarSFX0\setup.exe".  
  
All these DLLs and programs are executed with administrative  
privileges too; an unprivileged attacker who (re)placed these  
files in "%TEMP%\RarSFX0\" gains escalation of privilege to  
"Administrator".  
  
  
4. "%TEMP%\RarSFX0\setup.exe" installs several Windows services  
which run under the SYSTEM account.  
  
An unprivileged attacker who replaced the service executables in  
"%TEMP%\RarSFX0\" gains escalation of privilege to "SYSTEM".  
  
  
Proof of concept:  
~~~~~~~~~~~~~~~~~  
  
1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>  
and <http://home.arcor.de/skanthak/download/SENTINEL.EXE>  
and save them in your "Downloads" directory;  
  
2. create the following batch script in an arbitrary directory:  
  
--- POC.CMD ---  
:WAIT_DLL  
@If Not Exist "%TEMP%\RarSFX0" Goto :WAIT_DLL  
  
For %%! In (UXTheme Version DWMAPI) Do @Copy "%USERPROFILE%\Downloads\SENTINEL.DLL" "%TEMP%\RarSFX0\%%!.DLL"  
  
:WAIT_EXE  
@If Not Exist "%TEMP%\RarSFX0\setup.exe" Goto :WAIT_EXE  
  
Copy "%USERPROFILE%\Downloads\SENTINEL.EXE" "%TEMP%\RarSFX0\setup.exe"  
--- EOF ---  
  
3. download "avira_antivirus_en-us.exe" and save it in your  
"Downloads" directory;  
  
4. start the batch script POC.CMD;  
  
5. start the downloaded "avira_antivirus_en-us.exe" and notice  
the message boxes displayed from the DLLs and EXE placed in  
"%TEMP%\RarSFX0\" by POC.CMD  
  
PWNED!  
  
  
Mitigations:  
~~~~~~~~~~~~  
  
* Don't use executable installers! NEVER!  
  
* Don't use crapware which runs executables from unsafe  
directories like %TEMP%!  
  
* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use  
<https://msdn.microsoft.com/en-us/library/aa374928.aspx> to  
decode it to "deny execution of files in this directory for  
everyone, inheritable to all files in all subdirectories".  
  
  
stay tuned  
Stefan Kanthak  
  
  
PS: of course Avira's anti-virus has some more beginner's errors:  
outdated and vulnerable 3rd-party libraries!  
  
- libcurl.dll 7.39.0  
the current version is 7.50.1, with MULTIPLE fixed vulnerabilities;  
see <https://curl.haxx.se/docs/vulnerabilities.html>  
  
- ssleay32.dll and libeay32.dll 1.0.2.5 from OpenSSL 1.0.2e  
the current version is 1.0.2h, with MULTIPLE fixed vulnerabilities;  
see <https://openssl.org/news/vulnerabilities.html>  
  
  
Timeline:  
~~~~~~~~~  
  
2016-07-15 vulnerability report sent to vendor  
  
NO RESPONSE, not even an acknowledgement of receipt  
  
2016-08-29 report published  
  
  
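The ACE the advisory recommends for %TEMP% can be applied and verified from PowerShell. This is added example code, not part of the advisory; the function names are my own, and it builds the .NET access rule that corresponds to the SDDL string "(D;OIIO;WP;;;WD)" (deny, object-inherit, inherit-only, access bit 0x20 which is FILE_EXECUTE on file objects, for Everyone).

```powershell
# Added example (not from the advisory): apply the deny-execute ACE
# (D;OIIO;WP;;;WD) to %TEMP% and check whether it is already present.
# D = deny, OI = object inherit, IO = inherit only,
# WP = access bit 0x20 = FILE_EXECUTE on files, WD = Everyone (S-1-1-0).

$Everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

function New-DenyExecuteRule {
    # The FileSystemAccessRule equivalent of (D;OIIO;WP;;;WD).
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Test-DenyExecuteAce {
    # Returns $true when $Path already carries a deny ACE for Everyone
    # that covers FILE_EXECUTE and is inherited by child files.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]) -eq $Everyone -and
        (($_.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0) -and
        (($_.InheritanceFlags -band
            [System.Security.AccessControl.InheritanceFlags]::ObjectInherit) -ne 0)
    }
    return [bool]$hit
}

function Add-DenyExecuteAce {
    # Adds the ACE unless present; returns the resulting SDDL so the
    # caller can confirm that "(D;OIIO;WP;;;WD)" now appears in it.
    param([string]$Path)
    if (Test-DenyExecuteAce -Path $Path) { return "already present on $Path" }
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule((New-DenyExecuteRule))
    # SetAccessControl writes only the modified DACL, unlike Set-Acl,
    # which also tries to rewrite the owner.
    (Get-Item -LiteralPath $Path).SetAccessControl($acl)
    return (Get-Acl -LiteralPath $Path).Sddl
}

Add-DenyExecuteAce -Path $env:TEMP
```

Because the ACE is inherit-only, it never applies to the %TEMP% directory object itself, so listing and traversing it keep working; only launching files stored below it is denied, which means any installer that extracts its payload into %TEMP%, including the ones described above, will fail with "Access is denied" once this is in place.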
