AV — When a Friend Becomes an Enemy — (CVE-2024-23940)

Miguel Méndez Z.
6 min read · Jan 25, 2024


Researchers

  • Renato Garreton — @dplastico
  • Miguel Méndez — @s1kr10s

Introduction

For a long time, I wanted to work with my friend Renato and do some research together. We recently had the opportunity, and when we sat down to plan what to do, we started by comparing our experience analyzing malware.

From that experience, we both agree that one of the most common methods malware uses to avoid detection is executing code through legitimate applications. Signed binaries that run with elevated privileges are the best target for threat actors: they not only help to evade detection but sometimes also allow privilege escalation, or even killing AV solutions (as in the well-known ransomware case that abused a signed Genshin Impact driver), before the actual attack is executed.

While working with a malware sample (we will reveal details in another post, since it is currently subject to a legal investigation), we observed that the malware used a simple technique to escalate privileges and evade detection by abusing a vulnerability in the anti-virus solution installed on the machine. We decided to replicate the attack and test it in the wild. Our aim was to thoroughly analyze the impact of abusing legitimate software and, even more significantly, software that comes from security companies, in other words, anti-virus vendors.

Although the technique we present in the following sections may seem familiar, the significant impact lies in its use against legitimate software, and specifically against what is supposed to be a “friend protector” (the AV solution itself).

Examining Antivirus in the Market

Our strategy focused on analyzing the antivirus programs available at that time, considering that several of them require a purchase for use without offering a trial period. It is important to note that the vulnerability we explored is not exclusive to paid antivirus programs.

Below are the free anti-virus programs we managed to obtain and analyze. We found vulnerabilities in all of them. The status of the reports as of today:

  • BitDefender — Reported
  • Avira — Reported
  • TotalAV — Reported
  • Forticlient (Fortinet) — Reported (rejected)
  • ZoneAlarm (Check Point) — Patch under development, CVE requested
  • TrendMicro — CVE-2024-23940 — Patched in version 6.0.0.2103 (we were able to verify the patch)

Why Proxy DLL and not DLL Hijack?

DLL hijacking is the usual choice in these situations, but, as the name suggests, a proxy DLL is considerably more effective: it adds new functionality while forwarding every original export to the real DLL, so the application keeps working and the original DLL’s source code never has to be modified.

https://www.cobaltstrike.com/app/uploads/2023/01/proxy.def_.diagram-1024x710-1.png

Antivirus Analysis

In order to avoid redundancies, we will focus on providing a detailed analysis specifically for BitDefender. However, it’s important to note that the methodology used can be applied similarly to other antivirus programs. Although, in some cases, it may require specific adjustments at the DLL development level, in essence, the approach will be very similar.

We start the analysis with the pestudio tool, which provides crucial information about the updcenter.exe binary. This includes VirusTotal detections, with a current result of 0/71. Additionally, we identified the functions the binary uses and reviewed the file description, which confirms that it belongs to the legitimate vendor.

vulnerable binary information shown in pestudio

The following image shows the exported functions as seen from the binary, but these represent only the ones the binary currently calls. To obtain the DLL’s complete export list, we used DLL Export Viewer.

functions exported by the binary

The procedure is extremely simple: it is only necessary to load the DLL, and the tool lists every function the DLL exports. This complete list is essential, because the proxy DLL in our analysis must re-export all of them.

extracting functions with DLL Export Viewer

Each extracted function must adhere to a specific format to facilitate its linking from the DLL code.

Structure of a function exported by DLL Export Viewer:

bool __cdecl TinyXPath::o_xpath_attribute(class TiXmlNode const * __ptr64,wchar_t const * __ptr64,class TiXmlAttribute const * __ptr64 & __ptr64)

Formatted function structure for the DLL code (Visual Studio):

#pragma comment(linker,"/export:bool __cdecl TinyXPath::o_xpath_attribute(class TiXmlNode const * __ptr64,wchar_t const * __ptr64,class TiXmlAttribute const * __ptr64 & __ptr64)=txmlutil_orig.bool __cdecl TinyXPath::o_xpath_attribute(class TiXmlNode const * __ptr64,wchar_t const * __ptr64,class TiXmlAttribute const * __ptr64 & __ptr64),@536")

Assuming we have completed the previous step and formatted all the functions to integrate them into the code, all that remains is to compile the DLL. Before doing so, follow these steps in Visual Studio:

  1. Open Visual Studio and create a new project:
     • Select “File” -> “New” -> “Project…”
     • Choose “Visual C++” -> “Dynamic Link Library (DLL)”
  2. Assign a name to the project, for example, the original name of the DLL.
  3. Add your code to the DLL wrapper file (dll_example.cpp) and copy it into the project’s dllmain.cpp.
  4. In the project, go to “Properties” -> “General” -> “Configuration Type” and select “Dynamic Library (.dll)”.
  5. In “C/C++” -> “Code Generation” -> “Runtime Library”, select “Multithread (/MT)”.
  6. In “C/C++” -> “Precompiled Headers”, set “Precompiled Header” to “Not Using Precompiled Headers”.
  7. Ensure that the architecture matches the target executable in “Active configuration”.

Once these steps are completed, we proceed to compile and obtain the following file structure for execution.

flow dll proxy

  • Point (1): The binary is executed and loads the proxy (txmlutil.dll) to make function calls.
  • Point (2): The proxy DLL intercepts calls to functions of the original DLL and can perform additional actions before or after passing the call to the original DLL.
  • Point (3): The proxy DLL contains the function that executes the payload.bat file.
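The flow above leaves two artifacts on disk that a defender can look for: a DLL next to the signed executable that is unsigned or signed by a different publisher, and the renamed original (the txmlutil_orig target of the forwarded exports). The following PowerShell audit is an added example, not code from the post or from any vendor; the executable path is an assumption for illustration.

```powershell
# Added example: audit the directory of a signed executable for a dropped proxy DLL.
# The default path below is an assumed placeholder, not a real install location.
param(
    [string]$ExePath = 'C:\Program Files\ExampleAV\updcenter.exe'
)

# Establish the publisher we expect every sibling DLL to be signed by.
$exeSig = Get-AuthenticodeSignature -FilePath $ExePath
if ($exeSig.Status -ne 'Valid') {
    throw "Executable itself is not validly signed: $($exeSig.Status)"
}
$exeSigner = $exeSig.SignerCertificate.Subject
$dir = Split-Path -Parent $ExePath

Get-ChildItem -Path $dir -Filter '*.dll' -Recurse |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer    = $signer
            SameAsExe = ($signer -eq $exeSigner)
            # The renamed original that a forwarder pragma points at (e.g. txmlutil_orig.dll)
            # is validly signed, so it is caught by name rather than by signature.
            OrigCopy  = ($_.Name -like '*_orig.dll')
            LastWrite = $_.LastWriteTimeUtc     # a freshly dropped DLL is usually newer than its neighbours
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.SameAsExe -or $_.OrigCopy } |
    Format-Table -AutoSize
```

A hit on a validly signed DLL from another publisher can still be legitimate (third-party components), so review those rather than treating them as alerts; the unsigned, hash-mismatch and *_orig.dll rows are the ones that match this technique directly.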

Proof of Concept

The video below showcases the outcome of the vulnerability, using the susceptible binary to simulate a malware infection.

PoC video

Conclusion and Impact

Conclusion

The discovery, through exhaustive research, of vulnerabilities in legitimate antivirus binaries reveals a significant impact for both users and businesses.

Impact

This attack approach, despite its apparent simplicity, is significant in undermining trust in antivirus systems. The use of compromised binaries not only exposes the integrity of individual systems but also poses a considerable threat to corporate cybersecurity. Trusted users face unexpected risks, while companies must strengthen the security of their products to maintain user trust and ensure effective defense against increasingly sophisticated threats.

We want to highlight the fast response and quick patching of some vendors (Check Point and TrendMicro, for example). The commitment to making security products safe is a task for all of us. It is worth highlighting and thanking TrendMicro, which assigned us CVE-2024-23940.

TrendMicro Timeline

  • 2023-11-15 Vulnerability identified
  • 2023-11-16 Customer approved disclosure to vendor
  • 2023-12-01 Vendor notified
  • 2023-12-12 Vendor provides fixed AirSupport v6.0.2103
  • 2024-01-24 CVE-2024-23940 assigned
  • 2024-01-25 Advisory published

Thanks!
