SEC Consult Vulnerability Lab Security Advisory < 20140508-0 > ======================================================================= title: Multiple critical vulnerabilities product: AVG Remote Administration vulnerable version: all - except issue #2 fixed version: none - except issue #2 impact: critical homepage: http://www.avg.com found: 2013-12-07 by: Stefan Viehb�ck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "AVG Remote Administration" allows the network administrator to remotely install, update, and configure AVG across the computer network." Source: http://www.avg.com/eu-en/product-avg-admin http://www.avg.com/us-en/faq.num-5307 Technology description: -------------------- AVG Remote Administration consists of several components: - AVG Admin Server (central server, listens on TCP port 4158) - AVG Admin Console (fat client for administration) - AVG AntiVirus, Internet Security etc. (managed endpoints) The Admin Console and the AVG products on endpoints connect to TCP port 4158 on the Admin Server using the same protocol. Business recommendation: ------------------------ Attackers are able to completely compromise the AVG Admin Server system as they can gain full access at the application and system level. Attackers can manage endpoints and possibly deploy attacker-controlled code on endpoints. Furthermore endpoints can be tricked into communicating with rogue AVG Administration Servers. All vulnerabilities are based on severe design flaws in the application as well as the proprietary protocol. It is highly recommended by SEC Consult not to use this software until a thorough security review has been performed by security professionals and all identified issues have been resolved. It is assumed that even more critical vulnerabilities exist. Vulnerability overview/description: ----------------------------------- 1) Authentication bypass / Missing authentication The authentication checks for access via the AVG Admin Console (=fat client) are done on the client side. The AVG Admin Server sends a list of valid usernames/password hashes to AVG Admin Console. As the Admin Console is controlled by the client, authentication can easily be bypassed. Attackers can connect to the AVG Admin Server and manage clients just like a legitimate administrator with full privileges using a modified version (checks removed using binary patch) of AVG Admin Console. 2) Remote code execution Attackers are able to set arbitrary configuration settings for the AVG Administration Server. Due to insufficient input validation an attacker can set the value of a parameter to a UNC path. This path is passed to the Windows API LoadLibrary() function. This enables an attacker to provide arbitrary .dlls via network shares which are then executed. This provides an attacker full access on the operating system as the AVG Admin Server runs as SYSTEM. As the protocol is tunneled via HTTP, this attack is possible via CSRF as well. 3) Missing entity authentication The used protocol does not provide any functionality to verify the identity of communication partners. This allows attackers to pose as an AVG endpoint, or act as a rogue AVG Admin Server for an endpoint. Attackers can manage clients just like a legitimate administrator. 4) Use of static encryption keys and insecure modes of operation The protocol level encryption is based on the (symmetric) block cipher Blowfish. Hardcoded encryption keys are used by the client as well as the server for message encryption. This allows an attacker to decrypt and modify the messages. The Blowfish cipher is used in the electronic codebook (ECB) which enables some other attacks. However these attacks are not really relevant at this point as the encryption keys are known anyway. Proof of concept: ----------------- 1) Authentication bypass This vulnerability was verified using a binary patch for AVG Admin Console. Only 3 bytes were changed in the Admin Console binary. Note: This vulnerability might allow direct attacks against clients hence a proof of concept exploit has been removed. A video demonstrating this issue has been released by SEC Consult: https://www.youtube.com/watch?v=exiLSy1oo3I 2) Remote code execution The parameter ClientLibraryName can be set via the StoreServerConfig command (command id 0x27). The provided value can be a path to a network share containing a malicious .dll file. This .dll file will be executed in the context of the AVG Admin Server service which runs as SYSTEM. 3) Missing entity authentication Attackers can pose as a legitimate AVG Administration Server by responding to NBNS queries for the AVG Admin Server hostname or using various other techniques (eg. MITM attacks). Note: This vulnerability might allow direct attacks against clients hence a proof of concept exploit has been removed. A video demonstrating this issue has been released by SEC Consult: https://www.youtube.com/watch?v=XYvtwc10dLc 4) Use of static encryption keys and insecure modes of operation The protocol messages can be encrypted and decrypted using the following python code: from Crypto.Cipher import Blowfish key='\xA1\x45\xF0\x09\xEA\x7E\x4B\x98\x46\x7A\xEA\xD0\xF4\x6C\xAB\x87\x00\x00\x00\x00\x00\x00\x00\x00' cipher = Blowfish.new(key) def swapendian(s): res=[] dwords = [s[i:i+4] for i in range(0, len(s), 4)] res = [dword[::-1] for dword in dwords] return ''.join(res) def avg_encrypt(plaintext): if len(plaintext)%8!=0: plaintext+='\x00'*(8-len(plaintext)%8) return swapendian(cipher.encrypt(swapendian(plaintext))) def avg_decrypt(ciphertext): if len(ciphertext)%8!=0: return 'DECRYPTION ERROR' return swapendian(cipher.decrypt(swapendian(ciphertext))) Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in AVG Admin Server version 13.0.0.2892, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2014-01-15: Contacting AVG via online support form and requesting security contact. 2014-01-15: Support forwards us to "J�rgen Jakob Software-Entwicklung, AVG Authorized Distributor" (sales representative!) 2014-01-21: AVG support requests technical information. 2014-01-22: Requesting contact to discuss security issues. 2014-01-29: Requesting contact to discuss security issues (2nd try). 2014-02-10: Requesting contact to discuss security issues (3rd try). 2014-02-12: AVG support explains lack of response because they were "experiencing a higher than usual volume of e-mail messages from customers" and requests technical information. 2014-02-24: Requesting encryption keys (S/MIME or PGP). 2014-03-05: Requesting encryption keys (2nd try). Announcing that advisory will be sent via plaintext if no keys are provided. 2014-03-11: (No response) Sending security advisory and responsible disclosure policy as plaintext. Setting deadline to 2014-04-30. 2014-03-11: Opening a new ticket - referring to previous ticket, advisory and proof of concept exploits. 2014-03-31: (No response) Contacting AVG CTO via LinkedIn, referring to previous tickets and requesting encryption key. 2014-03-31: CTO responds, provides encryption key. 2014-03-31: Sending advisory and responsible disclosure via encrypted channel. 2014-04-04: CTO responds with AVG risk assessment: #1 low risk "This is by design" #2 high risk #3 medium risk "This attack is difficult to set up" #4 low risk "The cipher is used here just for the obfuscation of the traffic, it was not meant to protect any private data" CTO further mentions that Remote Administration is "no longer available for sale for new customers" - this was never substantiated! Even the FAQ on the website says differently: http://www.avg.com/us-en/faq.num-5125 2014-04-25: Shifting release deadline to 2014-05-08. 2014-04-28: CTO responds, announcing that patch for remote code execution (issue #2) will be released on 2014-04-29. 2014-05-06: Requesting confirmation that only remote code execution will be fixed. 2014-05-06: CTO confirms that only remote code execution is fixed. 2014-05-08: SEC Consult releases security advisory & proof of concept videos. Solution: --------- AVG has _only_ patched the remote code execution vulnerability (issue #2). The patched version (2013.0.2895) is available via: http://download.avg.com/filedir/inst/avg_rad_x86_all_2013_2895.exe http://download.avg.com/filedir/inst/avg_rad_x64_all_2013_2895.exe There is no solution/patch for the remaining, critical vulnerabilities! Workaround: ----------- The workaround is to disable AVG Remote Administration entirely. This requires the shutdown of the AVG Admin Server and the deactivation of the Remote Administration feature in all clients. Of course all the central management/reporting/update functionality provided by AVG Remote Administration is now not available any more. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehb�ck / @2014