Researchers from Israeli zero-day security firm Cybellum have discovered a 15-year-old code injection vulnerability and exploit technique that could allow attackers to maliciously take over antivirus programs and other software by abusing Microsoft's Windows Application Verifier debugging tool.
The zero-day exploit, dubbed DoubleAgent, only works if the attacked computer has already been previously compromised. Still, the technique can seriously escalate the severity of a previous breach, Cybellum claims, allowing an adversary to further elevate privileges and perform virtually any attack imaginable. Moreover, DoubleAgent continues injecting code even after reboot, allowing actors to establish silent persistence on a machine.
The vulnerability exists in all versions of Microsoft's operating system from Windows XP through the latest release of Windows 10. While AV products are not the only software impacted by DoubleAgent, they are among the most dangerous programs to be potentially exploited because these trusted applications are allowed to freely perform highly sensitive actions, allowing attackers to bypass an infected organization's security measures, Cybellum explained in a blog post and corresponding technical write-up.
Cybellum warned that this technique could be used, ironically, to convert AV software into malware that attacks the very users they were tasked to defend. Alternatively, DoubleAgent actors could alter an AV's behavior to render it ineffective, or they could use the AV to exfiltrate data, destroy or encrypt files (perhaps as a ransomware attack), or even flag legitimate processes as security threats in order to induce a denial-of-service scenario.
'What we can do using DoubleAgent is turn a simple malware that would normally turn and hide from an AV in order to protect itself into an advanced persistent threat," said Michael Engstler, Cybellum co-founder and CTO, in an interview with SC Media. There is no evidence at this time, however, that the exploit has ever been used in the wild.
Cybellum disclosed the vulnerability to Microsoft in November 2016 and began informing affected AV vendors shortly thereafter. The company listed the following vendors as susceptible to the vulnerability: Avast (including its Avast and AVG products), Avira, Bitdefender, Comodo, ESET, F-Secure, Kaspersky Lab, Malwarebytes, McAfee, Panda Security, Quick Heal Technologies, Symantec (Norton) and Trend Micro.
The tool at the center of this report, Microsoft Application Verifier, is a runtime verification tool that software developers use to detect and fix bugs in their applications. "Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier," Cybellum explains in its report. "An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application."
It might seem like the most efficient way to fix the issue would be for Microsoft to revise the tool or modify its functionality, possibly by eliminating the ability to create custom verifiers. But "they don't see this as a vulnerability within their software," said Engstler of Microsoft.
Furthermore, Engstler said that any such action by Microsoft would likely impede well-intentioned developers who are using the runtime verifier for legitimate purposes. On the other hand, Engstler acknowledged that the verifier is "barely used" compared to other Windows features, which arguably means that the tool's risk may outweigh its value proposition for the majority of users.
Ultimately, said Engstler, the onus is on antivirus developers to resolve the issue, perhaps by introducing a mechanism that monitors or places restrictions on how the Microsoft tool is used in conjunction with their software.
Microsoft issued the following statement through a company spokespesron: "The technique described in the report requires an already-compromised machine and only affects third-party applications that don't use Protected Processes." Protected Processes is a Microsoft security model and code integrity service first offered with Windows 8.1 that enables AV vendors launch their to anti-malware user-mode services as a protected service by allowing only trusted, signed code to load. It also includes built-in defense against code injection attacks and other admin-level attacks. Cybellum noted in its post that no AV software, other than Microsoft's very own product, uses this service.
SC Media reached out to all of the listed AV vendors for comment, and has posted the responses it received below. We will continue to update the story as needed. Some vendors have already issued software updates, while others plan to and still others say no action is necessary. In some cases, vendors disputed certain aspects of Cybellum's findings, either claiming that they were not affected by DoubleAgent, or insisting that the exploit is not as serious as the report implies because it requires a previous compromise and because the attacker must either gain local access to the machine or socially engineer the user into elevating privileges. In one case, a vendor even claimed that the exploit in question was not actually a zero-day because another researcher had previously detailed the technique in 2015.
Avast, statement attributed to Ondrej Vlcek, CTO and GM of consumer business: “We were alerted by Cybellum last year through our bug bounty program to a potential self-defense bypass exploit. We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack and once that's the case, there are numerous other ways to cause damage or modify the underlying operating system itself. Therefore, we rate the severity of this issue as "low" and Cybellum's emphasis on the risk of this exploit to be overstated.
Avira: "The DoubleAgent zero-day exploit shows how Microsoft's Application Verifier can be manipulated and theoretically used to inject malware into a compromised system. Application Verifier is used by app developers to identify and fix bugs in their software. Research by Avira has confirmed that the core Avira Antivirus Pro processes, those responsible for all detection and protection tasks, cannot be impacted by the DoubleAgent PoC. These processes are protected by a self-protection feature within the app which is not accessible via this PoC. There is limited ability to manipulate some lower-level processes which do not have high privileges or rights. Our development team has already reviewed this potential attack vector and is working on a patch to solve this issue. The patch will be released in the next major product update."
Bitdefender: "All the Bitdefender products affected by the design flaw in Microsoft's Application Verifier tool will be updated next week. We would like to highlight that this is not a vulnerability in Bitdefender's solutions."
Comodo, statement attributed to Egemen Tas, SVP, worldwide engineering: "No we are not vulnerable to this AppVerifier injection. Michael [Engstler, from Cybellum] contacted us on this issue at our security response email, and we had a long discussion on the topic. The claim was: Malware can use this registry key to inject arbitrary code into COMODO processes and hence disable the protection. DLL injection through AppVerifier registry keys has been around since Windows XP i.e. the last 10 years, and CIS [Comodo Internet Security], by default, protects these keys against malicious modifications already. Check the attachment CIS_protected.png. In order for the attack to be successful, malware has to write to this registry key, and CIS already protects against this by default. There are actually hundreds of similar ways of injecting into other processes, and I am not sure other AVs are even aware of them. Most of the disagreement comes from not understanding how CIS layered defense works and assuming CIS is like the classical antivirus products mentioned in the original article."
"Nevermind protecting itself against such attacks, CIS protects every other application against such attacks too. For this attack to be successful, the malware author should be able to bypass CIS protection. CIS, by default, allows only whitelisted applications to modify such critical keys. Non-whitelisted applications will be either blocked or sandboxed, rendering the attack ineffective. To his credit, however, during our discussions with Michael [from Cybellum], another attack vector was disclosed to us. This can cause problems with default configuration so we will be addressing it with an update in April. We will be giving more details on it with the release."
ESET: "ESET can confirm that we have been informed about the findings in “Taking Full Control Over Your Antivirus" and the technical analysis “DoubleAgent: Zero-Day Code Injection and Persistence Technique” by Cybellum. Both reports describe in detail a technique, dubbed DoubleAgent, for injecting code and maintaining persistence on a machine (i.e., auto-run) by misusing Microsoft's Application Verifier. ESET technology teams have done a full analysis of the vulnerability and did identify ESET products for Windows where this technique could potentially be applied. ESET has completed the fix for this vulnerability, and details can be found in our Customer Advisory. It should be stressed that the severity of this vulnerability was considered to be very low since attackers need to have all necessary admin rights on the victim's machine. Protecting customers is always our top priority and we greatly value the commitment to responsible disclosure and the collaborative nature of the IT security industry."
F-Secure: “Cybellum's publication describes a way of creating a launch point using standard mechanisms present in all modern Windows operating systems. The described methodology requires admin privileges and will work on any process in the system. Cybellum have presented their findings as a way to establish persistence or hide activities such as data exfiltration in processes trusted by standard endpoint protection mechanisms. The described method, while an interesting academic exercise, was initially presented by Alex Ionescu at several conferences during 2015. It is thus not a zero-day attack."
"Scenarios where an attacker has already compromised a machine and elevated themselves to admin are well-known in the cyber security industry. To attain this level of compromise, standard endpoint protection mechanisms will have already been bypassed multiple times. Those familiar with the art understand that standard endpoint protection mechanisms are not designed to combat such attacks. This is why we and many other cyber security companies emphasize the importance of endpoint detection and response (EDR) security solutions as a complement to preventative security products. Our own EDR offering is more than capable of detecting such attacks, including the one demonstrated by Cybellum.
Typically, endpoint protection mechanisms do not place limits on what administrators can or cannot do, as that would make the products impractical for everyday use. That is why EDR solutions are designed to flag potentially malicious actions regardless of whether the user appears to have the necessary authorization. As an ongoing process, we're constantly adding features to our products in order to detect and prevent mechanisms such as the one detailed in this report.”
Kaspersky Lab: "Kaspersky Lab would like to thank Cybellum Technologies LTD for discovering and reporting the vulnerability which made a DLL Hijacking attack possible via an undocumented feature of Microsoft Application Verifier. The detection and blocking of this malicious scenario has been added to all Kaspersky Lab products from March 22, 2017," said the statement. "For reference, this vulnerability allows the attacker to inject code into most OS processes, not just security solutions. Also, this attack can only be performed through a local vector when the attacker has already penetrated the device. The attacker has to infect the attacked computer with malicious software in advance, and escalate its privilege on the device in order to register a new Application Verifier Provider DLL – both actions require an attacker to use a range of other tools. In order to stay protected, Kaspersky Lab recommends that all customers keep their security solutions up to date and do not disable behavior-based detection features.”
McAfee: "McAfee addressed the verifier issue at the heart of the proposed exploit in a March 17th product update.”
Symantec: "After investigating this issue, we confirmed that this PoC does not exploit a product vulnerability within Norton Security. Rather, the attack leverages a weakness in the operating system that works when an attacker can run the code as an administrator on the target system. In addition to gaining physical access to the machine or accessing the machine remotely using social engineering methods (e.g., phishing), the attacker would also need to successfully secure an elevation of privilege on the machine through user consent or an existing exploit on the operating system. Norton Security is hardened with additional detections and protections to stop this type of attack. We automatically deploy feature and protection updates to our customers, and we encourage them to enable Auto-Protect and run a LiveUpdate to ensure they have the latest protections."
Trend Micro, statement attributed to Jon Clay, director of global threat communications: "Trend Micro is actively analyzing products and issuing updates as needed. The issue requires an attacker to be able to write to the Windows registry, which is something normally restricted to those with administrator access. In other words, to use this to take control of a system, you would already need to be in charge of a system."
"Our consumer endpoint customers should apply the patch (published here) for specific Trend Micro Security products, such as Premium, Internet, Maximum, Antivirus+ versions 11.1.1005 and below. We are currently analyzing our commercial endpoint products and will issue patches if we find a reason to do so."
Malwarebytes confirmed that it does not have an official statement at this point.