SentinelOne reported two serious vulnerabilities in Avast and AVG antivirus products. Both are located in the anti-rootkit driver aswArPot.sys that the two products share. The vulnerabilities were introduced with the release of Avast 12.1 in 2012, but went unnoticed all this time.
The researchers identified the bugs in December 2021, and they were assigned the identifiers CVE-2022-26522 and CVE-2022-26523. In February, the vulnerabilities were fixed with the release of version 22.1.
The vulnerable function first attaches the current thread to the target process and then uses nt!PsGetProcessPeb to obtain a pointer to the PEB of the current process (red arrow). It then reads PPEB->ProcessParameters->CommandLine.Length for the first time to allocate a new buffer (yellow arrow), and copies the user-provided buffer to PPEB->ProcessParameters->CommandLine.Buffer using a second read of PPEB->ProcessParameters->CommandLine.Length as the copy size (orange arrow). The PEB lives in user-mode memory, so the two reads are not guaranteed to return the same value: a double fetch.
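The pattern described above, modelled in user-mode C as an added example (this is not the driver's code and does not reproduce its IOCTL handling): a `unicode_string_t` mirroring the `UNICODE_STRING` layout stands in for `CommandLine`, and a harness allocator models the window in which the kernel allocates while the process that owns the PEB keeps running. The double-fetch routine sizes the allocation with one read of `Length` and the copy with a second read; the hardened routine captures the user-controlled fields once, validates the snapshot, and uses only the snapshot afterwards. The arena is deliberately over-provisioned so the overflow is observed as a size mismatch rather than actually triggered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the Windows UNICODE_STRING layout behind
 * PEB->ProcessParameters->CommandLine. It lives in user mode, so the
 * process that owns the PEB can rewrite it at any time. */
typedef struct {
    uint16_t Length;         /* bytes in use, not characters */
    uint16_t MaximumLength;  /* bytes available in Buffer */
    uint16_t *Buffer;
} unicode_string_t;

/* Harness state (constructed for this example): an over-provisioned arena
 * plus bookkeeping. The arena is larger than any request, so the simulation
 * never writes out of bounds; the overflow is observed, not triggered. */
#define ARENA_BYTES 4096
typedef struct {
    uint8_t arena[ARENA_BYTES];
    size_t requested;          /* size the copy routine asked for */
    unicode_string_t *racer;   /* PEB string a concurrent user thread rewrites */
    uint16_t racer_new_length; /* value it writes during the allocation window */
} harness_t;

/* Models pool allocation. While the kernel allocates, the owning user-mode
 * thread can run; the harness uses that window to change Length. */
static void *harness_alloc(size_t size, harness_t *h)
{
    if (size > ARENA_BYTES) return NULL;
    h->requested = size;
    if (h->racer) h->racer->Length = h->racer_new_length;
    return h->arena;
}

/* Double-fetch pattern from the write-up: Length is read once to size the
 * allocation and again to size the copy. Returns bytes copied, or -1. */
static int copy_cmdline_double_fetch(unicode_string_t *cmd, const uint8_t *user_buf, harness_t *h)
{
    void *dst = harness_alloc(cmd->Length, h);   /* first fetch */
    if (!dst) return -1;
    size_t n = cmd->Length;                      /* second fetch: may differ */
    memcpy(dst, user_buf, n);                    /* n can exceed the allocation */
    return (int)n;
}

/* Hardened form: read every user-controlled field exactly once into locals,
 * validate the snapshot, and size both allocation and copy from it. */
static int copy_cmdline_single_fetch(unicode_string_t *cmd, const uint8_t *user_buf,
                                     size_t user_buf_len, harness_t *h)
{
    uint16_t len = cmd->Length;            /* the only read of Length */
    uint16_t max = cmd->MaximumLength;     /* the only read of MaximumLength */
    if (len == 0 || (len & 1) || len > max || len > user_buf_len)
        return -1;                         /* reject inconsistent lengths */
    void *dst = harness_alloc(len, h);
    if (!dst) return -1;
    memcpy(dst, user_buf, len);            /* same value that sized the allocation */
    return (int)len;
}

/* Scenario: Length starts at 16 bytes; during allocation the racing thread
 * raises it to 256. Returns bytes copied minus bytes allocated. */
static int run_scenario(int hardened)
{
    static uint8_t user_buf[ARENA_BYTES];
    static uint16_t peb_buf[ARENA_BYTES / 2];
    static harness_t h;
    unicode_string_t cmd = { 16, (uint16_t)sizeof peb_buf, peb_buf };
    memset(&h, 0, sizeof h);
    memset(user_buf, 'A', sizeof user_buf);
    h.racer = &cmd;
    h.racer_new_length = 256;
    int copied = hardened
        ? copy_cmdline_single_fetch(&cmd, user_buf, sizeof user_buf, &h)
        : copy_cmdline_double_fetch(&cmd, user_buf, &h);
    return copied - (int)h.requested;
}

int demo_double_fetch_overflow(void) { return run_scenario(0); } /* 256 - 16 = 240 */
int demo_single_fetch_safe(void)     { return run_scenario(1); } /* 16 - 16 = 0 */

/* The hardened path also rejects a snapshot that is internally inconsistent
 * (odd byte count for a UTF-16 string). Returns the routine's status. */
int demo_reject_inconsistent_length(void)
{
    static uint8_t user_buf[64];
    static uint16_t peb_buf[32];
    static harness_t h;
    unicode_string_t cmd = { 17, (uint16_t)sizeof peb_buf, peb_buf };
    memset(&h, 0, sizeof h);
    return copy_cmdline_single_fetch(&cmd, user_buf, sizeof user_buf, &h);
}

int main(void)
{
    printf("double fetch: copied %d bytes beyond the allocation\n", demo_double_fetch_overflow());
    printf("single fetch: copied %d bytes beyond the allocation\n", demo_single_fetch_safe());
    printf("odd length rejected: status %d\n", demo_reject_inconsistent_length());
    return 0;
}
```

The point the harness makes is that the fix is not a bigger buffer or a later check but a single capture: every field read from memory another privilege level can write must be copied to a local before it is validated or used, and the same local must drive every later decision.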
SentinelOne rated the vulnerabilities "high severity": they allowed an attacker with limited privileges on the system to execute code in kernel mode and eventually take full control of the device.
“The nature of these vulnerabilities is such that they can be launched from sandboxes and used in a context other than simple local privilege escalation. For example, vulnerabilities can be used in the second stage of a browser attack or to escape from a sandbox. Among the obvious abuses of such problems is bypassing security solutions,” the researchers note. According to them, bugs can be used to disable security products, overwrite system components, damage the operating system, or perform malicious operations without hindrance.
So far, experts have no evidence that the vulnerabilities were exploited in practice.
Avast and AVG
Avast bought AVG in 2016. Their antiviruses are popular all over the world, so the vulnerabilities could potentially affect millions of users.
Meanwhile, Trend Micro detailed the AvosLocker ransomware, which used a different issue in the same driver to disable antivirus products during its attacks. AvosLocker was first discovered in July 2021, and several new variants of it have appeared over the past few months.