CVE-2022-28965: Vulnerability-Disclosure/CVE-2022-AVAST2 at main · netero1010/Vulnerability-Disclosure

Multiple DLL hijacking vulnerabilities via the components instup.exe and wsc_proxy.exe in Avast Premium Security before v21.11.2500 allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted DLL file.


CVE-2022-AVAST2 (Self-Defense Bypass via Repairing Function)

Product

Avast - Premium Security

Version

21.11.2500 (build 21.11.6809.528)

Vulnerable Component

“instup.exe” and “wsc_proxy.exe”

Description

A security check prevents some Avast processes from loading undesired or unsigned DLLs through a DLL hijacking attack.

However, two Avast processes, “instup.exe” and “wsc_proxy.exe”, are vulnerable to DLL hijacking. When the “REPAIR APP” function is triggered, these processes attempt to load a non-existent DLL (i.e., wbemcomn.dll) from “C:\Windows\System32\wbem”. Because these two processes lack the security check, an attacker with administrative privileges could drop a malicious version of “wbemcomn.dll” and have it loaded by the affected Avast processes.

Since the vulnerable components are Avast protected processes, an attacker could inject malicious code to control them for malicious purposes such as deactivating the antivirus and staging malware.

Impact

The vulnerability allows an attacker with administrative privileges to execute malicious code within an Avast process, terminate the Avast antivirus regardless of “Self-Defense” protection, and cause a DoS on the affected system.

Steps to reproduce

  1. Install Avast Premium Security (version 21.11.2500)
  2. Open an administrative CMD prompt and copy the malicious version of “wbemcomn.dll” to “C:\Windows\System32\wbem”
  3. Open Avast Premium Security GUI -> Menu -> Settings -> Troubleshooting -> Click on “REPAIR APP”
  4. Wait for a while and the malicious “wbemcomn.dll” will be loaded by “instup.exe” and “wsc_proxy.exe” (see poc.png)

Resolution

This vulnerability has been patched since Avast Premium Security 22.2.
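
A detection-side check for the load described above, as an added example that is not part of the original advisory: it grades image-load events in which wbemcomn.dll is loaded from “C:\Windows\System32\wbem”. The Sysmon Event ID 7 style field names (Image, ImageLoaded), the function names and the sample events are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows log host

# Values taken from the advisory.
HIJACK_DLL = "wbemcomn.dll"
HIJACK_DIR = ntpath.normcase(r"C:\Windows\System32\wbem")
AFFECTED = {"instup.exe", "wsc_proxy.exe"}

def classify(event):
    """Grade one image-load event: None, "suspicious" or "critical".

    Assumes Sysmon Event ID 7 style fields: Image (loading process)
    and ImageLoaded (DLL path).
    """
    # Normalise case, slashes and ".." so differently written paths compare equal.
    loaded = ntpath.normcase(ntpath.normpath(event["ImageLoaded"]))
    directory, name = ntpath.split(loaded)
    if name != HIJACK_DLL or directory != HIJACK_DIR:
        return None
    process = ntpath.basename(ntpath.normcase(event["Image"]))
    # The advisory says the DLL does not exist in this directory, so any
    # load from it deserves review; the two named processes are critical.
    return "critical" if process in AFFECTED else "suspicious"

def triage(events):
    """Return (grade, Image, ImageLoaded) for every flagged event."""
    graded = ((classify(e), e) for e in events)
    return [(g, e["Image"], e["ImageLoaded"]) for g, e in graded if g]

# Constructed sample events (not real telemetry; process paths are illustrative).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbemcomn.dll"},  # outside wbem
    {"Image": r"C:\Program Files\Avast Software\Avast\setup\instup.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    {"Image": r"C:\Program Files\Avast Software\Avast\wsc_proxy.exe",
     "ImageLoaded": r"C:/WINDOWS/system32/WBEM/WBEMCOMN.DLL"},
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\..\wbemcomn.dll"},  # resolves outside wbem
]

if __name__ == "__main__":
    for grade, image, dll in triage(SAMPLE_EVENTS):
        print(f"{grade:10} {image} loaded {dll}")
```

The check keys on the load path rather than on a signature field, so it flags the file regardless of how it is signed.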

Disclosure Timeline

20-01-2022 Vulnerability reported to Avast.

11-02-2022 Avast confirmed the vulnerability and released a patch for the product.

References

https://forum.avast.com/index.php?topic=318305.0
