While most computer users have an anti-virus product installed, it might not be making your computer safer. A security researcher has claimed to have found exploitable flaws in 14 major anti-virus engines used by some of the largest security vendors. In a presentation by Joxean Koret, a researcher at Singapore-based consultancy COSEINC, we see the details about how he used a custom fuzzing suite to find bugs in 17 of the major antivirus engines. These are the engines that are used by anti-virus software companies like AVG, Bitdefender, ESET, and F-Secure.
Koret explained that almost all of the engines he looked at were written in C and/or C++, which leaves them open to buffer and integer overflow bugs that attackers can discover and leverage. “Exploiting AV engines is not different to exploiting other client-side applications,” he said. “They don’t offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. And sometimes they even disable such features.”
If you are interested in software security, this makes for a good read.
AV engines not only need to support such a large list of file formats but they also need to do this quickly and better than the vendor.
If an exploit for a new file format appears, customers will ask for support for such files as soon as possible. The longer it takes, the higher the odds of losing a customer to another vendor.
Sample list of vulnerabilities:
- Avast: Heap overflow in RPM (reported, fixed and paid Bug Bounty)
- AVG: Heap overflow with Cpio (fixed…)/Multiple vulnerabilities with packers
- Avira: Multiple remote vulnerabilities
- BitDefender: Multiple remote vulnerabilities
- ClamAV: Infinite loop with a malformed PE (reported & fixed)
- Comodo: Heap overflow with Chm
- DrWeb: Multiple remote vulnerabilities (vulnerability with updating engine fixed)
- ESET: Integer overflow with PDF (fixed)/Multiple vulnerabilities with packers
- F-Prot: Heap overflows with multiple packers
- F-Secure: Multiple vulnerabilities in Aqua engine (all the F-Secure own bugs fixed)
- Panda: Multiple local privilege escalations (reported and partially fixed)
- eScan: Multiple remote command injection (all fixed? LOL, I doubt…)
Exploiting an AV engine is like exploiting any other client-side application.
- It is not like exploiting a browser or a PDF reader.
- It is more like exploiting an Office file format.
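As an added illustration of the integer-overflow pattern the list above attributes to file-format parsers written in C (this is constructed example code, not code from Koret's talk or from any vendor's engine): a made-up archive-like record header whose two 32-bit length fields are summed before being bounds-checked, beside the hardened check that tests each field against the bytes actually remaining.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record format for illustration only: an 8-byte header holding
 * two little-endian 32-bit lengths (name, payload), followed by that many
 * bytes. Nothing here is taken from a real AV engine or archive format. */
#define HDR_SIZE 8u

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the two untrusted lengths are added first and the sum
 * is compared. The 32-bit sum wraps modulo 2^32, so a record far larger than
 * the buffer can pass the check; a caller that then copies name_len or
 * data_len bytes would read or write past the end of the buffer. */
int parse_record_vulnerable(const uint8_t *buf, size_t buf_len, size_t *total_out) {
    if (buf_len < HDR_SIZE) return -1;
    uint32_t name_len = rd32le(buf);
    uint32_t data_len = rd32le(buf + 4);
    uint32_t total = name_len + data_len;        /* wraps: defined, but wrong */
    if (total > buf_len - HDR_SIZE) return -1;   /* passes after a wrap */
    *total_out = total;
    return 0;
}

/* Hardened pattern: check each untrusted length against the bytes remaining,
 * subtracting as you go, so no addition over attacker data can overflow. */
int parse_record_hardened(const uint8_t *buf, size_t buf_len, size_t *total_out) {
    if (buf_len < HDR_SIZE) return -1;
    size_t remaining = buf_len - HDR_SIZE;
    uint32_t name_len = rd32le(buf);
    uint32_t data_len = rd32le(buf + 4);
    if (name_len > remaining) return -1;
    if (data_len > remaining - name_len) return -1;  /* also rules out wrap */
    *total_out = (size_t)name_len + data_len;        /* <= remaining, safe */
    return 0;
}

/* Constructed inputs: a valid 5-byte record, and a header whose lengths sum
 * to exactly 2^32 (16 + 0xFFFFFFF0) with no payload at all. */
static const uint8_t GOOD_RECORD[] = { 3,0,0,0, 2,0,0,0, 'a','b','c', 1,2 };
static const uint8_t WRAP_RECORD[] = { 16,0,0,0, 0xF0,0xFF,0xFF,0xFF };

/* Convenience wrappers: -1 if rejected, otherwise the accepted total. */
long vulnerable_result(const uint8_t *b, size_t n) { size_t t; return parse_record_vulnerable(b, n, &t) ? -1 : (long)t; }
long hardened_result(const uint8_t *b, size_t n)   { size_t t; return parse_record_hardened(b, n, &t) ? -1 : (long)t; }

int main(void) {
    printf("wrap record: vulnerable=%ld hardened=%ld\n",
           vulnerable_result(WRAP_RECORD, sizeof WRAP_RECORD),
           hardened_result(WRAP_RECORD, sizeof WRAP_RECORD));
    return 0;
}
```

The vulnerable parser accepts the wrapped header with a total of 0, which is exactly the kind of bug that shows up in a fuzzing run as a crash deeper in the copy code rather than at the check itself.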