Denial of Service in the protection service provided by Avast Security Premium.

Silton Santos, stolabs, Sep 1, 2020

This is my first blog post at Stolabs, and I would like to share a bug that I found in the Avast Sandbox which allows a denial of service (DoS) against the protection service.

For those who don’t know, Avast has a security suite called Avast Premium Security that includes a Sandbox, which promises to run binaries in a virtual environment and prevent any (malicious) changes from being made to the host machine.

Although it looks simple, this bug is interesting because it echoes a remark by Koret and Bachaalany in The Antivirus Hacker’s Handbook:

[…] A typical computer user may view the AV software as a simple software suite, but an attacker must be able to view the AV on a deeper level. [2015]

In short, an attacker must look beyond normal antivirus operation and search for every exploitation possibility.

The following report describes a corner case — an operating condition the developer did not anticipate — that, as mentioned, results in a denial of service of every protection application offered by the security suite.

While analysing the Sandbox and realising that it can virtualise the execution of any software, the following idea came up: what would happen if all the protection service binaries were themselves executed inside the sandbox?

After doing exactly that and restarting the computer, the sandbox attempted to load the entire security system into itself, which raised an exception and stopped all services. It is worth noting that, under normal conditions, an unprivileged user has no permission to stop or interrupt the service, nor to end the process (for example, via Windows Task Manager).

However, the following question arises: how can this action be automated? Luckily, Avast offers a feature that allows a binary to always be run in the sandbox. This feature can be reached from the Windows context menu by right-clicking any .EXE binary, as shown below:

Image 1. Context menu option to include an executable in the Sandbox

In order to include all the Avast executables in the Sandbox in an automated way (by enabling the Always run in sandbox option), a PowerShell script was created, as depicted in the following image:

Image 2. PowerShell script that includes all Avast protection binaries in the Sandbox

By executing this exploit from an unprivileged user session, all Avast protection binaries were successfully included in the Sandbox and, after restarting the computer, the service no longer started. As a proof of concept, the following video illustrates the script running in a PowerShell terminal. Note that this script could easily be incorporated into malware, causing a denial of service of the entire Avast protection system.

The vulnerability was responsibly disclosed to Avast, which accepted the bug, requested some time to create a fix, and offered a reward.