AVG, McAfee, Kaspersky Antiviruses All Had a Common Bug

An anonymous reader writes: Basic ASLR was not implemented in 3 major antivirus makers, allowing attackers to use the antivirus itself towards attacking Windows PCs. The bug, in layman terms, is: the antivirus would select the same memory address space every time it would run. If attackers found out the memory space's address, they could tell their malicious code to execute in the same space, at the same time, and have it execute with root privileges, which most antivirus have on Windows PCs. It's a basic requirement these days for software programmers to use ASLR (Address Space Layout Randomization) to prevent their code from executing in predictable locations. Affected products: AVG, McAfee, Kaspersky. All "quietly" issued fixes.

Not a major bug

ASLR is what you fall back on when all your primary defenses are shot - the equivalent of not closing the blinds rather than leaving a window open.

Re:Not a major bug

[arth1]

Correct. Determinable address space is not a security problem in itself - it requires other security problems to be exploitable. And figuring out what the address space is in real-time is not that hard either; it just makes it harder. It's automated security through obscurity.

In some cases, it is preferable to make it sligtly easier for intruders who are already inside the system, in order to reap the benefits. Programs like "rebase" for Windows and "prelink" for Linux can preload a known address table into executables ahead of time, making them start faster and use less memory, because reallocation does not have to occur at load time.
Especially in an embedded world, that can make a boatload of difference.
Some look for silver bullets and want to impose ASLR (no, not the cameras) and https everywhere, whether needed or not, without considering the price of doing so. TANSTAAFL, and no silver bullets. They all come at a price, and sometimes the price is not right.

Fix the other security problems, and ASLR gives no added value, only drawbacks. But on a badly maintained system running software of dubious security value, sure, it can be a good addition. But make no mistake - it doesn't plug any holes, it just makes existing holes harder to exploit. At a cost.

My what a headline

[chispito]

Let me guess: the bug was somebody set up them the bomb?

Re: My what a headline

Affected users are advised to make their time and take off every ZIG.

Re: My what a headline

[jfdavis668]

For great justice

Re:My what a headline

[SeaFox]

I was going to guess there was this one weird trick to solve it that PC repair technicians don't want us to know!

Next thing to be exploited

[ThatsNotPudding]

...a basic requirement these days for software programmers to use ASLR (Address Space Layout Randomization)...

Want to place your bets that most / all ASLR systems are predictably NOT random in their randomization?

Re:Next thing to be exploited

[Zero__Kelvin]

Which is besides the point. They are basically saying: All that is required to exploit this "weakness" is to already have compromised the system to the degree that you can write to another processes code space! It is another nothing to see here, move along" article, where the person writing it doesn't understand how computers work.

Re:Next thing to be exploited

[Aaden42]

Given the (very low) complexity that's possible in bootstrap level shell code before you've found usable libraries, it doesn't take a tremendous amount of randomness to make it intractable to exploit something in an ASLR environment. You might have a handful of usable executable bytes to use. You can't call ANY library code until you find it in memory. Shell code needs to be super simple until it manages to find enough library code to do usable things and possibly load a second stage for itself from somewhere.

Re:Next thing to be exploited

[edtice1559]

It doesn't matter if it's predictable or not as long as it varies from run to run. The most common exploit that ASLR prevents is a stack-smashing buffer-overrun. You send in some data that you manage to get written to the stack. But you can't know a priori what the values will be when sending your data unless you already have some other knowledge of the system. So it's unlikely that you can exploit the buffer overflow. Without ASLR it's easy to know the addresses of system functions and to craft some data that will exploit a stack-smashing vulnerability. If the algorithm were absolutely terrible (always put function X at address YYYY on odd days) there may be some way to try to exploit. But even a week random generator is good enough in this case. The reason that a weak random generator doesn't work for cryptography is that I can analyze the message "offline" and try as many iterations as I want. When attacking a running system with a stack smashing attack, it's either going to crash or be exploited on each attempt so I won't get very many tries.

Re:Anti-virus

[hort_wort]

Do people really still run this shit?

Malwarebytes has caught a number of things for me, including blocking things like OpenCandy from installing alongside certain programs I like. I've seen far less gain from installing different AV programs to work with it. Mostly they just slow down or break certain programs. Meh.

Re:Shouldn't this be done at the OS level?

[sexconker]

Windows users can download EMET to do this.
It's from MS and it's free. It lets you force a bunch of shit (like ASLR), lets you set up certificate pinning for websites (trust only certain certs or block specific certs), etc.
https://technet.microsoft.com/...

Re:Anti-virus

[phishybongwaters]

ACtually yes corporations actually care about antivirus, Kaspersky is one of the heavy hitters in this regard, and now I have to go verify our half assed implementation is patched. And you can fix stupid with software by locking down and limiting the amount of stupid things mr stupid can do. The fantasy of "no viruses if you have no script and don't visit porn sites" is that, a fantasy that evaporated a long time ago. Those of us tasked with securing windows servers and clients (I'd laugh if it didn't make me die inside) have to deal with real stupid, not theoretical internet stupid.

Lack of ASLR is not a bug

[mrjb]

Lack of ASLR is not a bug. It's a lacking feature. Arguably, it's the compiler's responsibility to make it happen. Having said that, I find it real hard to get virus infections nowadays. There might be something to this "common sense" thing about not running any software from untrusted sources. That, and user/kernel space separation.

Re:Lack of ASLR is not a bug

[arth1]

Religious porn web sites, on the other hand, seem reasonably safe.

the biggest problem was the vendor.

[nimbius]

the thing that made antivirus --and still makes it -- such a pain in the ass is the fact that PC vendors include some crippled demoware trial version that, once monthly, becomes self aware and marks the entire vendor bloatware suite as some kind of second coming of hitler. its also worth noting that once this version expires it floats atop the OS as a bloated corpse sucking resources and occassionally bitching about the cash it needs to continue its reign of bitchery. Its nearly impossible to remove it without 3 passwords and your firstborn, and if you ever accidentally install another antivirus alongside it well then buckle up for the ride because your PC is about to heat up like a hot pocket as shitware 2.2 brawls to the death with whatever 6 gigabyte flaming turd mcafee or norton have squeezed out this year.

and antivirus isnt just antivirus, heavens no. its full system shield defense chevron carbunkle 5.5 with the privacy protection cup suite. every bit of data going in or out will be funneled through this application and like some multi-lane closure on the 405 most traffic will grind to a glorious halt while its inspected, detected, and ultimately forgotten.

Re:the biggest problem was the vendor.

[CrashNBrn]

most traffic will grind to a glorious halt while its inspected, detected, and

Don't you mean, "Injected, Inspected, Detected, Infected, Neglected and Selected."
--- Arlo Guthrie.

Re:the biggest problem was the vendor.

The best security product around for several years now is found at adblockplus.org.

That was brought up at Kiwicon a year ago

[SumDog]

This issue was bought up at Kiwicon a year ago. Some pen-tester showed that a majority of anti-virus software doesn't use ASLR. Furthermore, he shows buffer-overflows and other memory errors in most of their scanners! You could infect most systems with the right malformed PDF or JPEG. It just needed to be scanned. The scanners themselves often run as the system user!

Virus scanners are pretty much worse than useless. They're an attack vector.

Re:That was brought up at Kiwicon a year ago

[Tharkkun]

This issue was bought up at Kiwicon a year ago. Some pen-tester showed that a majority of anti-virus software doesn't use ASLR. Furthermore, he shows buffer-overflows and other memory errors in most of their scanners! You could infect most systems with the right malformed PDF or JPEG. It just needed to be scanned. The scanners themselves often run as the system user!

Virus scanners are pretty much worse than useless. They're an attack vector.

Apparently that's been solved now which was the whole point of the article.

Re:Shouldn't this be done at the OS level?

[Aaden42]

Code needs to be written to be ASLR-compatible. For "normal" code, that means just write the code, flip the compiler flag, and don't do anything stupid with function pointers. For code that's trying to be overly tricky (maybe trying to do simulated execution of viral code in a sandbox to determine actual behavior from encrypted polymorphic code), it's not inconceivable that the code might depend on certain libraries and functions being at well-known addresses or within fixed offsets of each other. The more assembler or low-low level C you interface with, the more likely you'll encounter something that can't execute properly if relocated.

It's a naive way of writing code, but there's lots of it out there. Force ASLR on, and it crashes pretty spectacularly.

Re:Isn't this the responsibility of the OS?

[mikael]

You do get security enhanced Linux (SELinux). That added things like make files impossible to change (system owned executable files) even for root. But in order install something like the Nvdia device driver blob, you had to disable it, execute the .run file, and then reenable SELinux.

There are also "trusted" UNIX systems which log every file change, modification and permission code.

The idea of shared memory is that the shared memory segment appears as a linear block of memory to the original process that created. Then other processes can request read or read/write access to that memory. The intention is for use with device drivers which need to map a hardware address to the driver address space so it can read/write registers and buffers. Your network driver stores all the received and sent packets in a number of ring buffers. A graphics driver accesses the framebuffer and texture data in a similar way.

Your alternatives are to use TCP/IP sockets or OS managed pipes. Just send down the offset, number of bytes and a pointer to the data that you want to change.

I guess ignorance isn't bliss after all?

[cbhacking]

I get the feeling that you really don't understand how memory exploits work. You seem to be under a very large number of misconceptions, and to have come to all sorts of wrong conclusions based on them. I hope you haven't misled too many other people with your incorrect views on some of the very basics of how operating systems work. Hopefully the following constitutes a "satisfactory explanation" for you:

process X is allowed to overwrite memory belonging to process Y, thus causing Y to do BADSHIT when it jumps to that location

No, it's not. That hasn't been possible on any mainstream OS for many years (DOS/16-bit Windows, maybe old versions of Mac OS?). I mean, you can do it using debug APIs (on Windows, see things like WriteProcessMemory), but if your code has privileges to debug a high-privilege process it could also just do "BADSHIT" directly. A low-privileged process (which you already have code execution in, if you're talking about calling WriteProcessMemory) can't debug a high-privileged one.

why stack overflow is still a problem

What do you think the silver bullet is for stack overflows, then? Using counted functions is vulnerable to off-by-one errors (or other things that specify the wrong count), integer overflows when creating the buffer (malloc(itemcount * sizeof(Item)) will, for sufficiently large itemcount, produce a tiny buffer that will immediately overflow when written to), and many other risks. The closest thing we have is languages that manage their own buffer lengths and such, like Java, Python, JavaScript, and the (other) .NET languages... and those still have implementation errors that lead to memory corruption sometimes (I'm sure you've noticed that JavaScript engines, in particular, are not fully safe even though JS as a language is supposed to be safe). Managed languages are also still significantly slower than optimized C/C++ code, though the difference isn't nearly as bad as it used to be.

Or do you mean mitigating the overflows with DEP and ASLR? First of all, that's not a guaranteed fix; if the attacker can leak an address from the program to use as an offset baseline, or otherwise determine the ASLR mask, then that protection can be bypassed. Second, that assumes that there aren't any executables which insist on being loaded at known addresses... and as this story shows, we still have a ways to go to achieve that.

why process X can heap spray the fuck out of memory and have that shit affect process Y

It can't, unless process Y is consuming output from process X and writing it into its own memory (for example, an antivirus filter scanning a file that a web browser downloaded and wrote to disk). See first point.

OS should be managing memory

It is, as far as assigning memory to processes goes. Within a process' own address space, "managing memory" is literally 100% of what a computer program does (reading values, changing values, setting values, copying values, testing values, etc.). Well-behaved programs don't care what addresses the OS hands it, but not all programs as well-behaved in this way.

Address locations should be randomized

They are, for modern software... unless that software says it's incompatible with this behavior. Since a lot of old software *is* incompatible with this behavior - see above point - the OS defaults to trusting the software. In the case of the AV vendors mentioned in TFA, that's apparently a mistake, but it's not the fault of the OS for trusting the software you told it to install, it's the developer's fault for not making their software as safe as possible, and your fault for installing software that you can't trust to be safe.

Memory should be zeroed out upon allocation (or deallocation, or both)

Not *really* relevant here, but I'll add

Re:Question for the programmers

[cbhacking]

Linker flag, technically, but yes. The compiler produces machine modules which are always at known addresses relative to other parts of the module (but not relative to the address space as a whole), or relative jumps and branches wouldn't work and that would break everything. The linker controls how each module finds the base addresses of other modules. When the OS loads the binary produced by the linker, it can place the modules into memory at addresses controlled by a random mask, and the modules query these (masked) addresses when they are trying to find the addresses of code or data in other modules. However, old OSes always loaded the modules at the same addresses relative to each other (allowing one module to call directly into another, without needing to look up the address of the other module) and therefore the OS doesn't randomize module locations unless the program supports doing so.

On Windows, in Microsoft's SDK, the linker flag to produce a binary that supports random memory layout is /DYNAMICBASE. It's been enabled by default in the last 5 or so versions of Visual Studio.

Re:Isn't this the responsibility of the OS?

[sjames]

Not necessarily. Memory randomization is mostly a protection against stack smashing. A common tactic there is send a message over the net that overruns a buffer with random junk, some code, and a fake return address that overwrites the real one on the stack. It's not that hard *IF* the location of the stack is easy to predict. When the receive function returns, it ends up returning to the attacker's code. If that code can depend on the location of various things in the address space, it can then call those functions itself in order to fetch more attacker code to be run.

Yes, the randomization only helps after something has gone wrong already (the real service shouldn't allow a buffer overflow, naturally), but at that point, the attacker really only has a toe in the door. If you've randomized, the process will crash and (possibly) trigger an investigation. If not, the attacker captures the beachhead and uses it as a base to continue to attack from (possibly privilege escalation, possibly you 'just' become an unwitting bot).

Re:Anti-virus

[Bert64]

As opposed to Microsoft who are known to take marching orders from the NSA?
Unless you actually live in Russia or one of the former soviet countries it's highly unlikely that the FSB cares what you do, so if someone's going to have the keys to spy on you better that it's someone who won't bother to do so.