
Avast Antivirus Remote Stack Buffer Overflow with Magic Numbers - landave
https://landave.io/2017/06/avast-antivirus-remote-stack-buffer-overflow-with-magic-numbers/
======
jacquesm
Avast Antivirus, now with free remote reset option.

I always hated antivirus packages both for the fact that AV vendors profit on
something that shouldn't be required in the first place and because that
software tends to hook into lots of places in the OS so _if_ a backdoor is
found you are immediately in big trouble.

~~~
Scea91
> I always hated antivirus packages both for the fact that AV vendors profit
> on something that shouldn't be required in the first place

You must hate a lot of things then.

------
_Codemonkeyism
No one gets fired for installing Antivirus on every computer. From my
experience enterprise IT is driven by checklists, looks-good-on-paper,
cover-my-* decisions. People are not interested in doing the right thing in large
companies.

In one company every developer was forced onto Antivirus without file exceptions,
making compilation a huge pain.

~~~
pjmlp
For the majority of customers I work with, that is part of the standard IT image,
regardless of which OS your computer might have.

~~~
_Codemonkeyism
Yes.

And I guess non-glued USB ports on every computer.

And users who put every USB stick they are handed by strangers in front of the
office into their computer. Or that they find on the printer. Especially when
labeled "Pictures".

Because

    
    
        CEO: Have we Antivirus installed?
        CIO: Yes.
    

Not

    
    
        CEO: Are we secure? 
             How does your risk analysis look like?
             Do we internal or perimeter defense?
        CIO: ...

~~~
pjmlp
They don't need to glue USB ports, because IT is intelligent enough to disable
access to them via OS configuration.

I never understood the stupidity of some people to glue them instead of using
OS policies.

~~~
_Codemonkeyism
I have never seen a company, large or small, which disabled USB ports. Because
convenience is always higher rated than security.

Gluing is much easier, can't fail with wrong configurations or rollouts,
works if people have too many permissions on Linux and in a myriad of other
ways.

~~~
pjmlp
At the companies I work for, security is always rated higher than convenience.

You could buy several houses, or be settled for life, with the costs to cover
an eventual security breach.

~~~
_Codemonkeyism
Great to hear there are companies that take security seriously.

The companies I've consulted with did not have USB secured on the laptops of the
marketing departments I've seen - and yes, some of them lost several hundred
million $ in revenue b/c of breaches.

------
bazzargh
Adobe deserve a pile of the blame here for the pdf spec - it only requires the
magic to appear in the first 1024 bytes[1] (and that %EOF appears in the last
1024) - thus allowing silly tricks like PDFs that are also another file type
[2].

[1] [http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdf...](http://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf), section 3.4.1

[2] [https://www.slideshare.net/ange4771/a-binary-chimera](https://www.slideshare.net/ange4771/a-binary-chimera)

~~~
landave
I agree with the pdf spec allowing some insane stuff.

However, I think it's quite a stretch to put any blame on Adobe for this one.

In essence, Avast has implemented their own std::vec in C for the management
of the magic numbers, and they implemented it quite poorly.

As mentioned in the article, the find_magicnums function supports roughly 300
(!) different magic numbers. Adobe's PDF is not required at all to exploit
this bug.

------
baq
this is the second AV fiasco in recent months. is it safe to say that running
an antivirus is actually increasing your risk instead of decreasing it?

~~~
zurn
Yes. For organizations the harm is compounded because IT and users don't
understand how limited AV is. They think AVs have good detection rate, and
they think AVs can generally "disinfect" your computer when you get pwned, and
think AV doesn't increase attack surface. This leads to the false conclusion
that it's an acceptable risk to use Acrobat Reader and open attachments in
Office etc.

~~~
raverbashing
It probably can catch your average mass-mailed Word virus, or an infected USB
drive brought from home, but not much more than that.

------
jerardope
Wow. It seems as if this has been discovered by rigorous manual inspection of
the code (as opposed to just fuzzing the binary to death).

Hats off!

~~~
landave
I'm sorry to disappoint you :)

I discovered this via a coverage based fuzzing engine with a dictionary
(containing those magic numbers). Said fuzzing engine is similar to libFuzzer,
but I have designed it with a focus on fuzzing closed source Windows binaries
(PE).

------
skizm
This is probably a dumb question: but how does someone look at the source code
for a commercial product like Avast? Some sort of DLL decompiler or something?
If that is the case are things like function and variable names conserved?
This is probably super trivial, but reverse engineering / pen testing isn't my
area.

~~~
landave
Thanks for the question, I probably should have made this clearer in the
article. Just presenting some pseudocode and typedefs of structs may have
given a wrong impression of how this works.

So to be very clear: I reversed the functions and types without any symbols.
All function names, type names, and variable names from the article are chosen
by me. In the actual code, those names are most likely very different.

For such a simple function as this, all you need is the control flow graph
form of X86 disassembly as linked in footnote 4 of the article.

~~~
kbart
Do you have a description of the procedure of how you did all this by chance
(especially, how did you get that graph[0])? I'm interested in reverse
engineering, but can't find many good starting points to do it myself. And
congrats on your achievement, we need more people like you, who put such
shoddy programming practices in broad daylight, especially those made by the
companies that are supposed to make us safer.

0. [https://landave.io/files/add_magicnum.png](https://landave.io/files/add_magicnum.png)

~~~
landave
The graph is generated by binary ninja [1] fully automatically, and this is
just a screenshot of the tool. Any alternative reversing platform or
disassembly tool like IDA Pro can generate you something very similar.

[1] [https://binary.ninja/](https://binary.ninja/)

------
landave
I am very surprised by the strong interest in this kind of work, and I
appreciate it a lot!

I would love to hear some feedback, in the hope that the following posts will
be more enjoyable than this first one.

------
staticassertion
Take a lesson - always write parsers in C and then execute them as root, and
be sure to send as much malicious content to them as possible. Bonus points
for hooking it up to the internet.

~~~
pjmlp
Additionally, ignore all the advice given by the Algol community since the
1960s, in spite of the fact that the customers were more than happy with the
output of their compilers.

------
azinman2
I bet Avast is far from the only software that will get really confused with
so many magic numbers in a row like this.

------
Pxtl
You know the edict against rolling your own crypto? It needs to be expanded to
rolling your own collections in c/c++.

~~~
userbinator
This is nowhere near the complexity and subtlety of crypto. Inserting into a
sorted array is an elementary, computer-science-101 level task and I'd
consider it to be not substantially more difficult than writing a correct
FizzBuzz.

Then again, if you consider the number who fail at the latter, and how many
would want to work on AV software anyway, it's no surprise things like this
will happen.
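
The hand-rolled vector landave describes above (Avast's own std::vec in C for the magic-number hits) and the sorted-array insert userbinator calls elementary, as an added C example that is not code from the article or from Avast: a fixed-capacity, stack-allocated hit list whose insert carries the capacity check a correct implementation needs, plus a scanner that feeds it. The signature table, MAGIC_CAP and the repeated-header input are constructed for illustration, not taken from the product.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAGIC_CAP 8   /* constructed: capacity of the fixed, on-stack hit list */
/* Three constructed signatures; the real engine knows roughly 300. */
static const struct { const char *bytes; size_t len; uint32_t id; } MAGICS[] = {
    { "%PDF-", 5, 1 }, { "PK\x03\x04", 4, 2 }, { "MZ", 2, 3 },
};
#define NMAGICS (sizeof MAGICS / sizeof MAGICS[0])
typedef struct { uint32_t offset; uint32_t id; } magic_hit;
typedef struct { magic_hit hits[MAGIC_CAP]; size_t count; } magic_vec;

/* Insert keeping hits sorted by offset. Returns 1 on success, 0 when full.
   The capacity check is what a hand-rolled vector must not omit: without it a
   file that repeats one signature often enough writes past the end of hits[]. */
int magic_vec_insert(magic_vec *v, uint32_t offset, uint32_t id) {
    if (v->count >= MAGIC_CAP)
        return 0;
    size_t i = v->count;
    while (i > 0 && v->hits[i - 1].offset > offset) {
        v->hits[i] = v->hits[i - 1];   /* shift larger offsets up one slot */
        i--;
    }
    v->hits[i].offset = offset;
    v->hits[i].id = id;
    v->count++;
    return 1;
}

/* Slide over buf, record every signature match in sorted order, and return
   how many matches were dropped because the list was already full. */
size_t scan_magics(const uint8_t *buf, size_t len, magic_vec *out) {
    size_t dropped = 0;
    out->count = 0;
    for (size_t pos = 0; pos < len; pos++)
        for (size_t m = 0; m < NMAGICS; m++)
            if (len - pos >= MAGICS[m].len &&
                memcmp(buf + pos, MAGICS[m].bytes, MAGICS[m].len) == 0)
                dropped += !magic_vec_insert(out, (uint32_t)pos, MAGICS[m].id);
    return dropped;
}

/* Constructed input: 20 back-to-back "%PDF-" headers, more hits than the list
   holds. Returns the number dropped; out is left with MAGIC_CAP sorted entries. */
size_t demo_repeated_pdf(magic_vec *out) {
    uint8_t buf[20 * 5];
    for (int i = 0; i < 20; i++) memcpy(buf + i * 5, "%PDF-", 5);
    return scan_magics(buf, sizeof buf, out);
}
```

With the check in place the scanner degrades by dropping hits it has no room for; the same input against an insert without the `count >= MAGIC_CAP` test would overwrite whatever follows the array on the stack.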

------
raggi
Is the scanning engine sandboxed in any way, or is the stack protector all
there is between a scanner bug and a remote exploit?

~~~
landave
The engine is not sandboxed. I will speak only for the Windows product though,
because this is the only one I looked at in detail. (But the Linux engine is
not sandboxed either).

This is X86 code [1] running as NT AUTHORITY\SYSTEM. Hence, successful
exploitation for arbitrary remote code execution (as NT AUTHORITY\SYSTEM) only
requires circumventing the stack canary.

As mentioned in footnote 6 of the article, they seem to use Control Flow Guard
(CFG) on the latest Windows platforms. However, just as the stack canary, this
is only a mitigation. It does not make exploitation impossible, it just makes
it a bit harder.

[1] In the article, I present a pseudocode version of the relevant function.
If you are interested in the actual X86 instructions, you might want to look
at footnote 4 of the article.

------
TwoBit
That's what you get when you don't use std::vector.

------
kronos29296
You sir are a genius. Hoping for more posts of a similar nature and
bookmarking now.

~~~
landave
Wow, thanks! That means a lot to me. Honestly, I didn't expect this to
interest anyone.

~~~
eyelidlessness
I'd think the discovery of a remote execution bug in a prominent antivirus
product would interest a lot of people.

