loader gif

​Avast Vulnerability Potentially Allows DLL Hijacking

​Avast Vulnerability Potentially Allows DLL Hijacking
  • Researchers discovered a vulnerability in all editions of Avast Antivirus and AVG Antivirus.
  • Avast Software maintains the AVG Antivirus and Avast Antivirus.

What’s the issue?

Tracked as CVE-2019-17093, the vulnerability allows an attacker to load a malicious DLL file to bypass defenses and escalate privileges.

  • The attacker requires administrative privileges to exploit this bug. Once exploited, the vulnerability allows the loading of malicious DLL in multiple processes.
  • Owing to self-defense mechanisms, even administrators are not allowed to write DLL to the AM-PPL (Anti-Malware Protected Process Light).
  • However, this restriction can be bypassed by writing the DLL file to an unprotected folder from which components are loaded by the application.

Why did this happen?

Researchers present two root causes behind the vulnerability.

  • During their analysis, they discovered that there was a lack of safe DLL loading.
  • Another cause is that code integrity is not enforced in the AM-PPL process. Avast has reportedly disabled code integrity in its implementation.

Potential consequences

When exploited, the vulnerability may result in one of the following scenarios.

  • An attacker may load and execute malicious payloads using multiple signed services. This may allow the malicious actor to perform Application Whitelisting Bypass.
  • The self-defense mechanism of the antivirus may be bypassed. This mechanism allows the monitoring and prevention of changes in the Antivirus directory.
  • The vulnerability can also be exploited to load and execute payloads in a persistent way by an attacker. This means that once a malicious DLL has been injected, malicious code will be loaded by the services on every restart.

What did the Avast team do?

The vulnerability was reported to Avast in August this year. The team acknowledged the vulnerability in September and released version 19.8 for AVG and Avast.

Because all versions below 19.8 are impacted by this vulnerability, it is recommended that users update Avast Antivirus and AVG Antivirus software to the latest version.

loader gif