ASA-2019-00593 – Avast Antivirus and AVG Antivirus: DLL Preloading


Allele Security Alert

ASA-2019-00593

Identifier(s)

ASA-2019-00593, CVE-2019-17093

Title

DLL Preloading

Vendor(s)

Avast Software

AVG Technologies

Product(s)

Avast Antivirus

AVG Antivirus

Affected version(s)

Avast Antivirus versions before 19.8

AVG Antivirus versions before 19.8

Fixed version(s)

Avast Antivirus version 19.8

AVG Antivirus version 19.8

Proof of concept

Unknown

Description

A DLL preloading vulnerability allows an attacker to implant %WINDIR%\system32\wbemcomn.dll, which is then loaded into a Protected Process Light (PPL) process and might bypass some of the self-defense mechanisms.

The vulnerability lets an attacker load and execute malicious payloads through multiple signed services, within the context of AVG / Avast signed processes. An attacker might abuse this for purposes such as execution and evasion, for example application whitelisting bypass.

Technical details

Unknown

Credits

SafeBreach

Reference(s)

Avast Antivirus / AVG Antivirus – DLL Preloading into PPL and Potential Abuses
https://safebreach.com/Post/Avast-Antivirus-AVG-Antivirus-DLL-Preloading-into-PPL-and-Potential-Abuses

CVE-2019-17093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17093

CVE-2019-17093
https://nvd.nist.gov/vuln/detail/CVE-2019-17093

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: October 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.