Researcher Denis Skvortcov reports bugs in Avast Antivirus
Denis Skvortcov helps make Avast Antivirus more secure.
We'd like to thank Denis Skvortcov for reporting to us a number of security issues he discovered in Avast Antivirus.
Denis found a way to bypass Avast Antivirus' self-defense, allowing him to become a "trusted process" (for Avast self-defense). He also found internal functions of the main antivirus service that were unnecessarily powerful or were missing certain checks. While by themselves these might not have been a significant problem, Denis connected the issues into an attack chain and was able to achieve local privilege escalation. By doing so, a local attacker with a restricted user account could run code as SYSTEM, or even as a protected antimalware process. The attacker's code could become a trusted process because of the first issue, then abuse the previously mentioned internal functions to cross a security boundary and become a privileged process, and, by abusing another bug, start a new antimalware protected process (AM-PPL). We have no indications that this combination of vulnerabilities was ever abused in any form before we fixed them.
Denis also found a few weak spots in the Avast Antivirus "sandbox process", which is used to protect machines in case someone finds an exploitable bug in the Avast scanner (the scanner runs inside the sandbox, preventing an attacker from causing any harm should this happen). However, the process had an insecure permission that could be abused by malware to control the outcome of scans, and Denis also found a way to exit the sandbox and acquire SYSTEM privileges.
The reported issues were fixed in Avast 20.4, on June 3rd, 2020 (some of them were previously fixed in Avast 20.3, on May 4th, 2020). Further hardening of the scanning service was released in Avast 20.8, on September 8th, 2020.