Change language
Python.Engineering Wiki Ten-year-old bugs found in Avast and AVG antiviruses

Ten-year-old bugs found in Avast and AVG antiviruses

News
Michael Zippo Michael Zippo 10.05.2022

SentinelOne said they found two serious vulnerabilities in Avast and AVG antivirus products. Both are linked to their common anti-rootkit driver aswArPot.sys. Vulnerabilities appeared in the code with the release of Avast 12.1 in 2012, but all this time they remained unnoticed.

December 2021

Experts identified bugs in December 2021. Then they received the identifiers CVE-2022-26522 and CVE-2022-26523. In February, the vulnerabilities were fixed with the release of version 22.1.

The function first attaches the current thread to the target process and then uses nt!PsGetProcessPeb to get a pointer to the PEB of the current process (red arrow). It then retrieves (for the first time) PPEB->ProcessParameters->CommandLine.Length to allocate a new buffer (yellow arrow) and copies the user-provided buffer to PPEB->ProcessParameters->CommandLine.Buffer with the size PPEB->ProcessParameters->CommandLine. Length (orange arrow).

SentinelOne rated the vulnerabilities "high severity": they allowed an attacker with limited privileges on the system to execute code in kernel mode and eventually take full control of the device.

“The nature of these vulnerabilities is such that they can be launched from sandboxes and used in a context other than simple local privilege escalation. For example, vulnerabilities can be used in the second stage of a browser attack or to escape from a sandbox. Among the obvious abuses of such problems is bypassing security solutions,” the researchers note. According to them, bugs can be used to disable security products, overwrite system components, damage the operating system, or perform malicious operations without hindrance.

So far, experts have no evidence that the vulnerabilities were exploited in practice.

Avast and AVG

Avast bought AVG in 2016. Their antiviruses are popular all over the world, so the vulnerabilities could potentially affect millions of users.

Meanwhile, Trend Micro detailed the AvosLocker ransomware, which used a different issue in the same driver to disable antivirus products in its attacks. AvosLocker was first discovered in July 2021. Over the past few months, he’s had a few new options.

Michael Zippo
2022/05/10

https://linkedin.com/in/michael-zippo-9136441b1
[email protected]

Sources: SentinelOne

Shop

Learn programming in R: courses

$

Best Python online courses for 2022

$

Best laptop for Fortnite

$

Best laptop for Excel

$

Best laptop for Solidworks

$

Best laptop for Roblox

$

Best computer for crypto mining

$

Best laptop for Sims 4

$

Latest questions

NUMPYNUMPY

psycopg2: insert multiple rows with one query

12 answers

NUMPYNUMPY

How to convert Nonetype to int or string?

12 answers

NUMPYNUMPY

How to specify multiple return types using type-hints

12 answers

NUMPYNUMPY

Javascript Error: IPython is not defined in JupyterLab

12 answers

All questions

News

19/08/2022 Study: iOS bug prevents VPN from fully encrypting traffic 19/08/2022 Media: production of systems-on-a-chip M2 Pro and M2 Max will begin at the end of 2022 19/08/2022 YouTube will automatically add watermarks to Shorts videos

Wiki

__del__

Python OpenCV | cv2.putText () method

__del__

numpy.arctan2 () in Python

__del__

Python | os.path.realpath () method

around

Python OpenCV | cv2.circle () method

cvtcolor

Python OpenCV cv2.cvtColor () method

Python functions

Python - Move item to the end of the list

Counters

time.perf_counter () function in Python

__dict__

Check if one list is a subset of another in Python

__del__

Python os.path.join () method