Updated “Don't create undocumented features” should be tattooed in the corner of every developer's eye: there's one in the Microsoft Application Verifier Provider that provides attack vectors on everything Windows since XP.
Cybellum, which discovered the feature, has focussed on attacking anti-virus first, but says its DoubleAgent attack could also be used to inject persistent malware on a target, hijack permissions, modify process behaviours, and attack other users' sessions.
What the researchers found is a fault in how the Microsoft Application Verifier Provider handles .DLLs.
As Microsoft explains, “Application Verifier is designed specifically to detect and help debug memory corruptions and critical security vulnerabilities”.
As part of the process, .DLLs are bound to the target processes in a Windows Registry entry – but, as Cybellum explains in its technical post, you can replace the real .DLL with a malicious .DLL. Here's how the firm says this can work:
“Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application.”
With the victim process associated with DoubleAgentDll.Dll, “it would permanently be injected by the Windows Loader into the process every time the process starts, even after reboots/updates/reinstalls/patches/etc.”
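The registry binding described above can be audited from the defender's side. The following PowerShell script is an added example, not code from the article or from Cybellum; it assumes the documented Application Verifier location under Image File Execution Options and a hand-picked list of trusted directories.

```powershell
# Added example (not from the article or from Cybellum): list every executable
# that has an Application Verifier provider DLL registered under Image File
# Execution Options, and flag DLLs that cannot be found in a trusted directory
# or that are not validly signed. The IFEO path is the documented Application
# Verifier location; $trustedDirs is an assumption to adjust for your environment.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$trustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that switches the verifier on

function Get-VerifierProviderAudit {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $exe   = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.VerifierDlls) { return }   # skips this subkey only
        $flags = [int]($props.GlobalFlag)
        # VerifierDlls holds space-separated bare DLL names; the loader resolves
        # them by its normal search order, so each name is checked individually.
        foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
            $resolved = $null
            foreach ($dir in $trustedDirs) {
                $candidate = Join-Path $dir $dll
                if (Test-Path -LiteralPath $candidate) { $resolved = $candidate; break }
            }
            $signature = if ($resolved) {
                (Get-AuthenticodeSignature -FilePath $resolved).Status.ToString()
            } else { 'n/a' }
            $verdict = if (-not $resolved)            { 'REVIEW: DLL not in a trusted dir' }
                       elseif ($signature -ne 'Valid') { 'REVIEW: DLL not validly signed' }
                       else                            { 'trusted location, signed' }
            [pscustomobject]@{
                Executable      = $exe
                VerifierDll     = $dll
                VerifierEnabled = [bool]($flags -band $FLG_APPLICATION_VERIFIER)
                ResolvedPath    = $resolved
                Verdict         = $verdict
            }
        }
    }
}

Get-VerifierProviderAudit | Format-Table -AutoSize
```

On 64-bit Windows, 32-bit processes read the Wow6432Node copy of the IFEO key, so run the same audit against that path as well; on a production host that never runs Application Verifier, any VerifierDlls entry at all deserves a look.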
In their work attacking Application Verifier under antivirus products, the researchers found they were able to get the A/V to act as disk-encrypting ransomware.
The company lists A/V vendors that failed under attack as Avast (CVE-2017-5567), AVG (CVE-2017-5566), Avira (CVE-2017-6417), Bitdefender (CVE-2017-6186), Trend Micro (CVE-2017-5565), Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Norton.
Malwarebytes, AVG, and Trend Micro have released fixes.
Cybellum notes that the simplest fix for antivirus using Application Verifier is to move to a newer architecture called Protected Processes.
The proof-of-concept is at GitHub. ®
Update: Comodo has responded saying it's aware of the issue, and that the Cybellum post is mistaken in listing Comodo's Internet Security as vulnerable.
“Most of the disagreement comes from not understanding how CIS layered defense works and assuming CIS is like the classical antivirus products mentioned in the original article. Never mind protecting itself against such attacks, CIS protects EVERY other application against such attacks too”, Egemen Tas, Comodo's SVP of Worldwide Engineering told us in an e-mail.
His arguments are detailed in this forum post. ®