Musings tagged as av

Snake oil vendor Avast has pulled v5.45 of its CCleaner suite over a privacy controversy. Apparently the latest update made some “minor” changes which resulted in a bit of an outcry. Active monitoring - which translates to “yes, please send information about me and my system to your servers” - could no longer be switched off. You also could no longer shut down CCleaner: you had to kill the process, as there was no way to exit the software normally. Free users got another special treat, as sharing your data with 3rd parties could no longer be disabled and was mandatory.

Kaspersky, the snake oil vendor who has fallen from grace in Western mainstream politics, has temporarily halted its cooperation with Europol. This came after a vote in the plenary session of the European Parliament, which put forward a motion advising EU states to exclude and ban programs and equipment that have been confirmed as malicious. (Apparently for most politicians this does not fall under common sense.)

The problem is that this motion explicitly mentions Kaspersky, so they have been rather peeved in the process.

The big question is: Will the EU now ban Windows 10, Alexa, Cortana, Siri, and several other malicious pieces of tech? ^^

F-Secure Not So Secure

Wed, Jun 6, 2018

Another snake oil vulnerability was unveiled recently. F-Secure allows for arbitrary code execution by means of a specially crafted RAR archive. Since it scans files without asking, there is not much an affected user can do about it if such a file ends up in the claws of his F-Secure installation.

There is a new security vulnerability, affecting pretty much all Windows versions (CVE-2018-09886), which combines all the things that make for a great failure story: using outdated open source software, not updating it despite the open source community basically handing you updates on a silver platter, fucking up the code yourself, and then mixing this with antivirus. What could possibly go wrong?

Microsoft forked a very old version of the open source tool unrar, which is - as the name suggests - used to unpack rar files, and incorporated the unrar code into their own antivirus solution, Windows Defender. However, before doing so they changed parts of the code: in particular they changed signed integers into unsigned integers and removed some of the checks for negative values, even where those values were still unsigned integers.

What this means is that you can tell the software to start writing at address + offset, and if you set offset to -2 you end up in the memory before your allocated buffer. With this you can not only crash the av engine, but also execute arbitrary code. That code then runs with the rights of the av engine, which runs as LocalSystem and can do pretty much everything that is of interest.

All you need is a crafted rar file that sets a negative offset, and the victim only has to download it. No manual execution is required afterwards, as the av engine will automatically scan the rar file, get its memory corrupted, and things proceed from there. If you do not use av, you are safe. Even if you open the rar manually with WinRAR, or anything that uses the official open source unrar code, you are safe, because that bug is not present there and the code stops if offset < 0. This only works with the av engine enabled.
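To make the signed/unsigned point concrete, here is an added example (mine, not code from unrar, Microsoft or the author of this post) that stands in for the unpacker's decode window. It is a constructed 16-byte buffer with made-up function names; it shows the guard the original code relies on (`offset < 0` rejects the write), why that guard becomes meaningless once the offset is unsigned (a former -2 arrives as an enormous positive number), what address an unchecked `window + offset` would land on (computed as an integer, so nothing outside the buffer is touched), and the single upper-bound check that is the correct replacement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the LZ decode window an unpacker writes into. */
#define WINDOW_SIZE 16

/* Original-style guard: the offset is signed and negative values are
   refused before any pointer arithmetic happens.
   Returns 0 on success, -1 if the write was refused. */
int window_write_signed(unsigned char *window, size_t window_size,
                        long offset, unsigned char value)
{
    if (offset < 0)                       /* the check that matters */
        return -1;
    if ((size_t)offset >= window_size)    /* and refuse past the end */
        return -1;
    window[offset] = value;
    return 0;
}

/* Once the offset is unsigned, "offset < 0" can never be true, so the only
   meaningful guard is a single upper bound. This is the hardened form:
   a former -2 shows up as SIZE_MAX - 1 and is refused by the same test
   that refuses an offset past the end of the window. */
int window_write_unsigned(unsigned char *window, size_t window_size,
                          size_t offset, unsigned char value)
{
    if (offset >= window_size)
        return -1;
    window[offset] = value;
    return 0;
}

/* Where an unchecked unsigned offset would send the write. Computed purely
   as integer arithmetic (unsigned wrap is well defined), so no memory outside
   the window is ever accessed. */
uintptr_t unchecked_target(const unsigned char *window, size_t offset)
{
    return (uintptr_t)window + (uintptr_t)offset;   /* wraps modulo 2^N */
}

/* 1 if a signed -2, reinterpreted as unsigned, lands two bytes before the
   start of the window, i.e. in memory the unpacker does not own. */
int negative_offset_lands_before_buffer(void)
{
    unsigned char window[WINDOW_SIZE];
    size_t offset = (size_t)-2;           /* what a signed -2 becomes */
    return unchecked_target(window, offset) == (uintptr_t)window - 2;
}

/* Exercises both writers on a constructed window. Returns 1 if every
   out-of-window offset was refused and the in-window writes landed. */
int guards_behave(void)
{
    unsigned char window[WINDOW_SIZE] = {0};
    int ok = 1;
    ok &= window_write_signed(window, WINDOW_SIZE, -2, 0x41) == -1;
    ok &= window_write_signed(window, WINDOW_SIZE, WINDOW_SIZE, 0x41) == -1;
    ok &= window_write_signed(window, WINDOW_SIZE, 3, 0x41) == 0 && window[3] == 0x41;
    ok &= window_write_unsigned(window, WINDOW_SIZE, (size_t)-2, 0x42) == -1;
    ok &= window_write_unsigned(window, WINDOW_SIZE, 15, 0x42) == 0 && window[15] == 0x42;
    return ok;
}

int main(void)
{
    printf("signed -2 / unsigned (size_t)-2 both refused, in-range written: %d\n",
           guards_behave());
    printf("unchecked (size_t)-2 resolves to window - 2: %d\n",
           negative_offset_lands_before_buffer());
    return 0;
}
```

The lesson for reviewing this kind of port is that a signedness change is never local: every `< 0` comparison on the converted variable becomes dead code (GCC and Clang flag it with `-Wtype-limits`), so each one has to be replaced by a bounds check against the buffer length rather than simply deleted.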

It also looks like this bug might have been around since 2012 and Sophos av was affected back then as well. Fun times with anti virus software, the modern version of snake oil. And some people even pay for this shit.

Using Windows? The art of process doppelgänging can now be yours, no matter your flavour of Windows. Security researchers presented their work at Black Hat, and according to their presentation they are able to circumvent detection by AV (another nail in the coffin for those) by using NTFS operations to write to a file, turn part of the file into a transaction section, and create a process from it. Afterwards they roll back the transaction and there is no trace left of what they did.

Even better, apparently this attack is unpatchable as it “exploits fundamental features and core design of the process loading mechanism in Windows”. It does rely on undocumented functions which bleepingcomputer lists as something positive. I’d say it’s just a matter of time before this stuff will be documented for those who are interested in it. Since when has “Only a few people know about this” ever been a good defense?
