
AvastSvc.exe contains a full, unsandboxed JavaScript/DOM implementation - phoe-krk
https://github.com/taviso/avscript
======
joshumax
I don't expect much from anti-malware companies, but this is one of those
moments that made me absolutely dumbfounded that someone actually thought
embedding an entire un-sandboxed JS engine with SYSTEM privileges was in any
way a good idea. I actually had to get out of bed, open IDA, and start a
Windows VM just to check that this wasn't some sort of elaborate hoax!

This isn't some MIDI parser logic, it's an entire JS interpreter that can
parse DOM elements! How on Earth did this even get pushed out to a release?
Did we learn nothing since the last time [1]?

1: [https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5)

~~~
LeoNatan25
Because low-effort JS developers are now everywhere. Just as JS should not be
found in the server yet is now prevalent, JS is now finding its way into other
places where it shouldn't be. You can't have an entire industry push this
terrible ecosystem, then expect security companies to miss out on the fun.
Locating and hiring C++ engineers at scale is something that has become
very, very difficult.

~~~
jeltz
As much as I am tired of the crappy code produced by some JS developers, this
time they are innocent. If you had read the article you would have known that
the JS code executed here is JS found on the Internet, not any JS written by
Avast. The bugs are in Avast's C++ code (or possibly C).

~~~
LeoNatan25
I have read it. It's not clear what code runs inside the interpreter.

What reason is there to even have such an interpreter in a highly privileged
process?

~~~
benmmurphy
If the interpreter was running code written by Avast then it wouldn't be a
security issue. Having an interpreter running code you have written vs writing
the code in C++ is not necessarily better or worse from a security point of
view.

~~~
tremon
Highly disagree here. Javascript's DOM parsing functionality has but one
purpose: presentation manipulation, i.e. rendering. Having something like that
running as SYSTEM is a security issue in itself, regardless of where the code
comes from.

FFS, even display drivers don't run with full system privileges anymore.

~~~
mosdl
JS has no DOM API, browsers provide JS an API to use. Plus DOM had nothing to
do with rendering, it's just tree manipulation APIs.

------
pilif
The real tragedy is that there are still "security" standards bodies mandating
that AV software is installed on clients. If you want to be PCI-DSS compliant
for example then you better install AV software.

Even worse, sometimes the requirements go even farther and require the AV
software to be third-party - OS built-in solutions don't count.

At this point, the only safe solution is running proper whitelisting to make
sure that only authorized binaries get to run and to keep those binaries
up-to-date and, if possible, sandboxed.

If you have such a setup and then you have to install AV like this because of
security-theatre, you're making your security much, much worse (because in
order to run AV, you have to whitelist it and because AV is apparently written
to quality standards that allow running arbitrary user-supplied JS as SYSTEM)

~~~
dTal
Who defines what "AV" is? Isn't your whitelisting solution also an
"antivirus"?

~~~
SamuelAdams
NIST actually defines most of these standards and definitions. "Antivirus
Software" has two:

A program specifically designed to detect many forms of malware and prevent
them from infecting computers, as well as cleaning computers that have already
been infected.

A program that monitors a computer or network to identify all major types of
malware and prevent or contain malware incidents.

[1]: [https://csrc.nist.gov/glossary/term/Antivirus-Software](https://csrc.nist.gov/glossary/term/Antivirus-Software)

~~~
blattimwind
> as well as cleaning computers that have already been infected.

That's not a thing.

~~~
zymhan
Well, all AV software seems to offer the option, but I don't know many folks
who would trust it alone.

------
bluesign
I managed to run sample app on linux box.

Observations:

- I am not sure this is a 'full' javascript engine. I am thinking more in line
with static-eval [0]

Example 1: Date.now() returns 'Exception: undefined'

Example 2: console.log([1, 2, 3].map(function(x) { return x; })) returns
'Exception: function(x) { return x; }'

- I couldn't manage to access DOM: document.write("<h1
id='x'>html</h1><script>console.log(document.getElementById('x'));</script>");

returns empty

- After reversing the DLL a little bit, it seems like it is used as an unpacker (also it
has VBA support)

Still can be some vulnerabilities, but saying running full Javascript/DOM
implementation is 100% wrong

[0] [https://github.com/browserify/static-eval](https://github.com/browserify/static-eval)

~~~
saagarjha
It doesn't have a bunch of standard functions (or they're not hooked up
correctly?) but it is very much evaluating input.

------
jbverschoor
For as long as I can recall, virus scanners have been malware themselves.

~~~
411111111111111
Hasn't always been like that however.

I think it only became like that after the built-in malware detection of
Windows 10 became good enough, so the antivirus vendors started adding
"features" to make themselves stand out and look good on Enterprise comparison
charts.

Thinking back on the Windows XP days... You'd be in actual danger if you
didn't use one.

~~~
jeltz
Sure, while they actually caught malware back in the XP days, they were also
still malware and some probably spied on their customers even back then. So
back then it was about picking your poison.

~~~
mcv
If spying on your customers is malware (I think it counts), then Windows 10
itself is malware.

~~~
zentiggr
Not disagreeing in the slightest. My home laptop (Inspiron touchscreen model)
will be on Ubuntu when the HDD gets replaced, with little regret.

~~~
falcor84
I'm a fan of Ubuntu too, but you should note that they don't have a perfect
reputation here either: [https://www.gnu.org/philosophy/ubuntu-spyware.en.html](https://www.gnu.org/philosophy/ubuntu-spyware.en.html)

~~~
zentiggr
I do remember that, and I admit I haven't researched current distributions
yet, so I'm a few years out of date.

------
detaro
> _Last week, 3/4 @taviso reported a vulnerability to us in one of our
> emulators, which in theory could have been abused for RCE. On 3/9 he
> released a tool to simplify vuln. analysis in the emulator. Today, to
> protect our hundreds of millions of users, we disabled the emulator._

[https://twitter.com/avast_antivirus/status/12376853435807539...](https://twitter.com/avast_antivirus/status/1237685343580753925)

------
Leace
Very nice writeup!

It contains a link to Avast's Coordinated Vuln Disclosure site:
[https://www.avast.com/coordinated-vulnerability-disclosure](https://www.avast.com/coordinated-vulnerability-disclosure) and
this has a link to Avast's PGP key that's served via unencrypted HTTP:
[http://virfile.avast.com/viruslab/avast-bugs-pgp-key.txt](http://virfile.avast.com/viruslab/avast-bugs-pgp-key.txt) Not only
that, the key is a weak 1024 bit DSA key :(

~~~
MarioMan
I'm hoping this isn't a dumb question, but why does it matter that a public
key is public-facing and unencrypted?

~~~
jurgemaister
If someone intercepted the communication, they could swap the Avast key for
their own, allowing them to decrypt your message.

------
Trellmor
Someone [1] mentioned this hash
d0e7e0e0287cd5a6ee36c74557ebf70f38235f90c8ce07c75d49721e379503aa [2] for Tavis
to have a look at. Another AV company that ships a js interpreter?

1)
[https://mobile.twitter.com/buherator/status/1237115773409206...](https://mobile.twitter.com/buherator/status/1237115773409206272)

2)
[https://www.virustotal.com/gui/file/d0e7e0e0287cd5a6ee36c745...](https://www.virustotal.com/gui/file/d0e7e0e0287cd5a6ee36c74557ebf70f38235f90c8ce07c75d49721e379503aa/summary)

~~~
saagarjha
A search suggests it's Norton?

------
tjpnz
Has antivirus always been this sloppy? I recall a time in the 90s/early 2000s
where the engineers working on these products were considered the best in the
business.

~~~
dathinab
Actually yes, in the (old) past they were not only "sloppy" but some (few?)
were even malicious in _creating_ a virus which only their program could
handle (but which also didn't do much damage besides annoying the user).

Though instead of sloppy I would say it's often more on the line of misguided
about what is secure and _overconfident_ about their own skill to write code
without security vulnerabilities. And if there are no vulnerabilities no
sandboxing is needed, right (sarcasm).

Though there were and hopefully still are exceptions to this. But don't ask
me which ones because I haven't been on Windows for a long time.

~~~
self_awareness
> Actually yes, in the (old) past they were not only "sloppy" but some
> (few?) were even malicious in _creating_ a virus which only their program
> could handle (but which also didn't do much damage besides annoying the
> user).

Do you have any proof for that or do you just like bullsh*tting people so you
appear knowledgeable?

------
bluesign
I don’t have access to windows machine, but what does ‘full’ mean in the
title? Like can it open outgoing network connections? Can load remote code?

~~~
tbrock
The readme shows it runs as SYSTEM which means it can write to disk and make
network calls, etc.

~~~
pilif
well. the process that contains the JS engine can. The JS engine itself seems
to be limited to what JS engines in browsers can normally do, so no
intentional file system access.

However as the README says, this is a custom built implementation, built by a
company who believes running a JS engine with SYSTEM privileges is a good
idea. This means that there are probably exploits available and _those_ do get
full access to the system as the highest privileged user.

~~~
TeMPOraL
And, let me guess - this JS scan is a part of their "web protection" stuff
that runs on the websites you browse? Because that would mean attackers can
drive-by exploit a lot of people with a bit of malicious script attached to an
ad.

~~~
saagarjha
> That service loads the low level antivirus engine, and analyzes untrusted
> data received from sources like the filesystem minifilter or intercepted
> network traffic.

------
ksec
Just wondering, has it got anything to do with [1] Sciter, the UI library that
many AV products use?

[1] [https://sciter.com](https://sciter.com)

~~~
cmiles74
I wouldn't be surprised if Sciter comes bundled with a VM for running JS, but
it's not explicit on their website. They do position themselves as an
alternative to Electron. And it looks like every anti-virus package uses this
product.

"In almost 10 years, Sciter UI engine has become the secret weapon of success
for some of the most prominent antivirus products on the market: Norton
Antivirus and Internet Security, Comodo Internet Security, ESET Antivirus,
BitDefender Antivirus, and others. The use of HTML/CSS has allowed their UI to
stay in touch with modern GUI trends throughout all these years, and will
continue to well into the future.

Sciter Engine is a single, compact DLL of 5+ Mb in size. Applications using it
are 10+ times smaller than the ones built with Electron or Qt. And size of the
distribution matters, one of Sciter's main customers discovered the "golden 40
seconds" rule: for the user, to buy a product, it should not take more than 40
seconds from the click on "download" button to the UI to appear on screen."

---

As mentioned by others, this would be separate from the JavaScript VM
mentioned in the OP and would not run as a privileged account (it would just
be the UI people interact with).

~~~
whoopdedo
> one of main Sciter’s customers discovered “golden 40 seconds” rule: for the
> user, to buy a product, it should not take more than 40 seconds from the
> click on “download” button to the UI to appear on screen."

Is this another case of a metric becoming a target and thus no longer useful
as a metric? The quality of software should be how well it performs its
intended purpose, not by the conversion rate of the user funnel.

~~~
gmueckl
You can have the best performing software in the world and it is still worth
exactly nothing if you can't sell. The reality is that cheaply developed
software that sells well is usually good business.

------
ComradeUlyanov
Most third-party AV software today is useless adware/bloatware. On my Windows
machine I rely on Windows Defender + MBAM, never had any malware infection.

------
JyB
Isn't Avast the same software that auto-includes a signature in all the
mails you send? Without a browser extension.

------
trulyrandom
Apparently Avast has now disabled the JavaScript interpreter for all of their
users:
[https://twitter.com/taviso/status/1237745571009409029](https://twitter.com/taviso/status/1237745571009409029).

------
jpxw
[https://www.avast.com/bug-bounty](https://www.avast.com/bug-bounty)

Have at it

------
saagarjha
Unrelated:
[https://github.com/taviso/loadlibrary](https://github.com/taviso/loadlibrary)

It lets you call Windows DLL functions from Linux!

~~~
joosters
Maybe post unrelated links as their own HN stories?

~~~
saagarjha
Well, I don't really post Hacker News stories, and given that this was one of
the first links on the page, I felt someone might find it interesting. (It
also indirectly tells people that they can try the thing on Linux…)

~~~
jfk13
Well, I hadn't seen that before and thought it's pretty cool, so I posted it
in case others might also find it interesting:
[https://news.ycombinator.com/item?id=22544777](https://news.ycombinator.com/item?id=22544777)

------
Gravyness
What can a unsandboxed javascript engine do? can you read files? read data
from my computer's memory? Send my credit card info to the internet? Is this
reading my chrome's profile data or running Node in any way? Access my
camera/microphone/keyboard?

I fail to see how this is a problem and I've been programming with javascript
for 8 years...

~~~
MertsA
If there is no vulnerability in the javascript engine or any of the API they
exposed to it in order to mockup a web browser then it can't do anything. The
problem here is that that's not exactly a tiny attack surface, and modern web
browsers implement defense in depth and sandboxing untrusted code for very
good reasons. If there was some RCE for a part of this javascript engine,
you're not just executing inside of some locked down environment, you're not
just executing code as an untrusted user, you're executing code in a process
with SYSTEM level permissions.

This is like putting a 2 meter wide thermal exhaust port on your death star.
On the off chance someone manages to hit it, game over. This process runs
untrusted code so if you can get a file opened on the target computer, or even
just get the user to go to a malicious website, you can try to attack this.
Once you get some payload running yeah you could use bog standard crimeware to
sniff out any credit card details entered, export your saved passwords from
your web browser, look for any wallet.dat equivalents and run a keylogger
waiting for you to decrypt it, drop some ransomware on the system, etc. This
gives full control over the system if you find an exploit to it.

But yeah, this isn't immediately a vulnerability, just a poor design decision
and a very juicy target.

~~~
saagarjha
> This is like putting a 2 meter wide thermal exhaust port on your death star.

Except it's probably more like the second Death Star because it's unfinished
and there's a gaping hole in the side of it that you can just fly in.

~~~
MertsA
Nah, that was Chromodo.

[https://bugs.chromium.org/p/project-zero/issues/detail?id=70...](https://bugs.chromium.org/p/project-zero/issues/detail?id=704)

------
wnevets
Using a third party antivirus solution in 2020 just sounds like a bad idea.

------
mothsonasloth
I am unable to replicate this on Windows 7 x64 (yes I know I should upgrade,
but I am a crusty ol' XP user)

~~~
Causality1
Yesterday on W10 I had to create registry keys to run an installer because the
normal ways of unblocking the executable were simply missing off the menus. I
miss Windows 7 every goddamned day.

~~~
Kipters
There's a cmdlet for that

[https://docs.microsoft.com/en-us/powershell/module/microsoft...](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7)
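
As an added illustration (not part of this thread), the Unblock-File cmdlet linked above works by removing the Zone.Identifier alternate data stream (the "mark of the web") that makes Windows block a downloaded executable; the script below, which assumes a hypothetical download path and a placeholder hash, shows the zone first and only unblocks once the file's SHA-256 matches a known-good value.

```powershell
# Added example: inspect a downloaded file's Mark-of-the-Web and unblock it
# only after its hash matches a value you trust. Path and hash are assumptions.
$Path         = 'C:\Users\me\Downloads\installer.exe'    # hypothetical download
$ExpectedHash = '<SHA256 published by the vendor>'       # placeholder, not a real hash

# Zone.Identifier is an NTFS alternate data stream written by browsers and
# mail clients; ZoneId=3 means Internet, ZoneId=4 means Restricted Sites.
$zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if (-not $zone) {
    Write-Output "No Zone.Identifier stream: $Path is not marked as downloaded."
    return
}
Write-Output "Mark-of-the-Web on $Path :"
$zone | ForEach-Object { Write-Output "  $_" }

# Verify the download before trusting it; a mismatch leaves the block in place.
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash.ToUpperInvariant()) {
    Write-Output "SHA-256 mismatch ($actual); leaving the block in place."
    return
}

# Hash verified: remove the Zone.Identifier stream. This is what the
# Properties > Unblock checkbox in Explorer does under the hood.
Unblock-File -Path $Path
Write-Output "Unblocked $Path"
```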

~~~
quietbritishjim
Or you can right click on the file in explorer, choose properties, uncheck the
checkbox at the bottom (I forget the text in it, sorry) then click OK.

~~~
Causality1
That's the problem. The executable was missing the Unblock checkbox despite
throwing an "app has been blocked for your protection" pop-up.

~~~
dathinab
If I remember correctly there is a version of Windows 10 which has severe
restrictions on what you can do, including it fully blocking "untrusted"
installs. In turn it's a bit cheaper. But I'm not sure what they named it,
maybe that was related to it. Also it's not uncommon for Windows to be able to
use features your version didn't have through the command line.

Edit: sorry swipey keyboard messed up some words.

~~~
thenewnewguy
There's Windows 10 "in S mode" which does this, but it's not a version of
Windows sold at a discount, just a "mode" you can run Windows in. It's
possible to (irrevocably) change from S mode to normal Win10.

------
0xDEEPFAC
Typical modern application development. "Javascript all the things"
because "we can make good UIs!" with no regard for safety, speed, or
reliability.

------
dd82
Security theater at work

