Sedating the Watchdog: Abusing Security Products to Bypass Mitigations
tldr; design issues in various security products, such as anti-virus, make it significantly easier for threat actors to bypass exploit mitigations. In particular, we found a prevalent flaw where anti-virus products allocate memory with RWX permissions at a predictable address.
Introduction
Back in March we disclosed a flaw in AVG which makes exploit-mitigation bypass significantly easier. Bypassing mitigations was possible because the product allocated memory with RWX permissions at a predictable address.
After we disclosed this flaw to AVG, we decided to check whether other anti-virus products are vulnerable to similar issues. Indeed, we found similar design issues at a few other vendors and have disclosed these issues to them.
Given how widespread this issue is, it is reasonable to assume that the same flaw exists in other intrusive applications, such as application-monitoring programs and other security products such as DLP.
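The condition described above can be checked for from the defender's side. The following is an added example, not code from enSilo's AVulnerabilityChecker: it walks constructed per-process memory-region lists and reports regions that are both writable and executable and sit at the same base address in more than one process. The PIDs, addresses and region lists are made up; the PAGE_* values are the real Windows protection constants.

```python
"""Flag W+X memory regions that appear at the same base address in several
processes. Constructed sample data only: on a live Windows system the region
lists would come from VirtualQueryEx, which this offline example does not call."""
from collections import defaultdict
from dataclasses import dataclass

# Windows memory-protection constants (winnt.h). Only the two that grant
# write and execute at the same time matter for this check.
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WX_PROTECTIONS = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

@dataclass(frozen=True)
class Region:
    base: int       # start address of the region
    size: int       # size in bytes
    protect: int    # PAGE_* protection value

def is_wx(region: Region) -> bool:
    """True when the region is writable and executable at once."""
    return region.protect in WX_PROTECTIONS

def find_predictable_wx(process_regions: dict[int, list[Region]],
                        min_procs: int = 2) -> dict[int, list[int]]:
    """Return {base_address: [pids]} for W+X regions found at the same base in
    at least `min_procs` processes. A W+X region at a fixed address in every
    process is the condition that undermines ASLR/DEP, so it is what a
    defender wants surfaced; a W+X region at a unique address is not reported."""
    seen: dict[int, list[int]] = defaultdict(list)
    for pid, regions in process_regions.items():
        for r in regions:
            if is_wx(r) and pid not in seen[r.base]:
                seen[r.base].append(pid)
    return {base: pids for base, pids in seen.items() if len(pids) >= min_procs}

# Constructed sample: three browser processes (hypothetical PIDs). Two carry an
# RWX region at the same base; the third has its RWX region at a different,
# randomised address, so only the shared base is reported.
SAMPLE = {
    1001: [Region(0x00400000, 0x1000, PAGE_EXECUTE_READ), Region(0x10000000, 0x10000, PAGE_EXECUTE_READWRITE)],
    1002: [Region(0x00400000, 0x1000, PAGE_EXECUTE_READ), Region(0x10000000, 0x10000, PAGE_EXECUTE_READWRITE)],
    1003: [Region(0x00400000, 0x1000, PAGE_EXECUTE_READ), Region(0x13370000, 0x10000, PAGE_EXECUTE_READWRITE)],
}

if __name__ == "__main__":
    for base, pids in find_predictable_wx(SAMPLE).items():
        print(f"W+X region at fixed address {base:#010x} in pids {pids}")
```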
I first kept open tabs in ‘Slimjet’ browser, and then ran the tool… As you said, it disappeared in a flash…
I then first ran the tool, when it prompted for open tabs, I then opened 2 tabs in FF, then next as prompted closed FF, then opened Chrome & 2 tabs in it, the tool then reported vulnerable in Chrome processes some PIDs…
Instead of checking the issue itself, enSilo has put together a free checking utility called AVulnerabilityChecker, which it has uploaded to GitHub.
Independent tests using the tool by Simon Edwards, technical director at Dennis Technology Labs, an experienced antivirus tester and chairman of the Anti-Malware Testing Standards Organization, suggest that products from Symantec and BitDefender (among others) might be vulnerable. Security products from Microsoft and others avoid the problem, according to preliminary testing.
“We used that vulnerability scanner to check 22 anti-malware products, including a lot that we regularly test,” Edwards told El Reg. “We found that 12 were ‘likely to be vulnerable’.”
The tool does not work on my system.
It doesn’t matter if I first open the browser and multiple tabs or first run the tool and then open the browser and multiple tabs.
Advantages
Few false positives
Reliable results
Open source
Disadvantages
Only compatible with Chrome, Firefox and Internet Explorer
CHIP Conclusion on AVulnerabilityChecker
Running "AVulnerabilityChecker" is probably the easiest way to check your antivirus program for this kind of gap.
I also re-checked now with browsers in reverse order, first tool, then Chrome 2 tabs, close Chrome, open FF with 2 tabs, final confirmation, ‘Not Vulnerable’
But, don’t know, why it happened first time? A mystery…