Avast! Multiple Vulnerabilities

23 Oct 2009 00:00:00 | Reported by Root | Type: seebug | www.seebug.org

Avast! antivirus 4.8.1356 vulnerabilities


                                                ShineShadow Security Report 22102009-12

TITLE

Avast! Multiple Vulnerabilities

BACKGROUND

Avast! antivirus software represents complete virus protection, offering full desktop
security including a resident shield. Daily automatic updates ensure continuous data
protection against all types of malware and spyware. Avast! antivirus is certified by
both ICSA Labs and West Coast Labs Checkmark. Avast! Professional Edition 4.8 is a
collection of award winning, high-end technologies that work in perfect synergy,
having one common goal: to protect your system and valuable data against computer
viruses, spyware and rootkits. It represents a best-in-class antivirus solution for
any Windows-based workstation.

Source: http://www.avast.com

VULNERABLE PRODUCTS

Vulnerability #1 (CVE-2009-3524)

Avast! Professional Edition <= 4.8.1351
Avast! Home Edition <= 4.8.1351

Vulnerability #2

Avast! Professional Edition <= 4.8.1356
Avast! Home Edition <= 4.8.1356

DETAILS

Avast! installs some program files with insecure permissions. The "Everyone" group has
"Full Control" rights to the files and folders under the following path:
"%Program Files%\Alwil Software\Avast4\Data". This means that any unprivileged user can
modify, delete or change the permissions of any file in the DATA folder. The folder
contains data, executable and configuration files. As a result, multiple attack vectors
are possible.

Vulnerability #1 Local privilege escalation (CVE-2009-3524)

A local attacker (unprivileged user) can modify the
%Program Files%\Alwil Software\Avast4\Data\avast4.ini file. The "ISAPIFilter1" parameter
in avast4.ini contains the filename or full path of the ISAPI filter module – originally
"ashWsFtr.dll". An attacker can replace the original path with the path to the attacker's
malicious dynamic library (DLL). After a restart, the attacker's DLL will be loaded with
SYSTEM privileges. This is a local privilege escalation vulnerability.

Vulnerability #2 Denial of Service

A local attacker (unprivileged user) could cause denial of service conditions in
Avast! by deleting the %Program Files%\Alwil Software\Avast4\Data\400.vps file. After a
system restart, all Avast! modules fail to load.

EXPLOITATION

An attacker must have valid logon credentials to a system where vulnerable software
is installed.

WORKAROUND

Vulnerability #1 (CVE-2009-3524)

Alwil Software has addressed this vulnerability by releasing fixed versions of the
vulnerable products:
Avast! Professional Edition 4.8.1356
Avast! Home Edition 4.8.1356
More detail: http://www.avast.com/eng/avast-4-home_pro-revision-history.html
The insecure permissions on the DATA folder have not been fixed; the vendor resolved the
vulnerability by securing the "ISAPIFilter1" parameter.

Vulnerability #2
No workarounds.

Regarding the insecure permissions on the DATA folder, the vendor responded as follows:
"The issue is addressed in the upcoming avast v5.0 (due this November) but there are
no plans to do anything about it in the current version (4.x branch)."
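
One way to check a host for the conditions described above, as an added PowerShell example that is not part of the advisory: it lists ACEs on the DATA folder and its files that give Everyone, Authenticated Users or Users write, delete or permission-change rights, and warns on a changed ISAPIFilter1 value or a missing 400.vps. The install path under %ProgramFiles% and the `ISAPIFilter1=<value>` line layout of avast4.ini are assumptions, and the function names are this example's own.

```powershell
# Added example, not from the advisory. Read-only audit of the DATA folder.
# Assumption: default install location; pass -Dir for anything else.
$DataDir = Join-Path $env:ProgramFiles 'Alwil Software\Avast4\Data'

# Well-known SIDs of broad, unprivileged groups (locale-independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow modifying or deleting files, or rewriting the ACL.
$Risky = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also match the raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$RiskyMask = [int]$Risky -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $RiskyMask) -ne 0) {
            [pscustomobject]@{ Path = $Path; Principal = $BroadSids[$sid]
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

function Test-AvastDataDir {
    param([string]$Dir = $DataDir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { Write-Warning "Not found: $Dir"; return }
    # The folder and everything below it: one writable file is enough.
    $targets = @($Dir) + @(Get-ChildItem -LiteralPath $Dir -Recurse -Force | ForEach-Object { $_.FullName })
    foreach ($t in $targets) { Get-WeakAce -Path $t }

    # Assumption: avast4.ini holds the setting as a "ISAPIFilter1=<value>" line.
    $ini = Join-Path $Dir 'avast4.ini'
    if (Test-Path -LiteralPath $ini) {
        Select-String -LiteralPath $ini -Pattern '^\s*ISAPIFilter1\s*=\s*(.*)$' | ForEach-Object {
            $value = $_.Matches[0].Groups[1].Value.Trim()
            if ($value -ne 'ashWsFtr.dll') { Write-Warning "ISAPIFilter1 = '$value' (advisory: originally ashWsFtr.dll)" }
        }
    }
    # Vulnerability #2: modules fail to load when this file has been deleted.
    if (-not (Test-Path -LiteralPath (Join-Path $Dir '400.vps'))) { Write-Warning '400.vps is missing' }
}

Test-AvastDataDir | Format-Table -AutoSize
```

An empty table with no warnings means none of the three conditions was found at that path; a full path in ISAPIFilter1 is also reported, so that the target can be reviewed.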

DISCLOSURE TIMELINE

25/08/2009 Initial vendor notification. Secure contacts requested.
26/08/2009 Vendor response
27/08/2009 Vulnerability details sent (Vulnerability #1). Confirmation requested. No reply.
01/09/2009 Vulnerability details sent (Vulnerability #1). Confirmation requested.
03/09/2009 Vendor accepted issue for investigation
23/09/2009 Update status query sent to vendor. No reply.
25/09/2009 Vendor released Avast! 4.8.1356. Multiple vulnerabilities have been fixed
in this version including Vulnerability #1.
01/10/2009 CVE-2009-3524 has been assigned to Vulnerability #1.
02/10/2009 Vendor has been notified that the Avast! 4.8.1356 fix addresses only the
described privilege escalation scenario and does not fix the nature of the
vulnerability – insecure permissions. As proof, a new attack scenario has been
discovered (Vulnerability #2) and the vendor has been notified. No reply.
06/10/2009 Resend notification
06/10/2009 Vendor response regarding insecure permissions: "The issue is addressed in
the upcoming avast v5.0 (due this November) but there are no plans to do anything
about it in the current version (4.x branch)."
22/10/2009 Advisory released

CREDITS

Maxim A. Kulakov (ShineShadow) 
ss_contacts[at]hotmail.com
                              
