Security Tools are supposed to prevent attacks. Can the same tool be a door for hackers? Can your shield become the attacker’s arrow?

1. tech insight
(In)Security in Security Products Part-1
W
Security Tools are ith rising cases of security in-
cidents, more people are using
in a major worm outbreak. The worm known as
“witty worm” leveraged the ISS firewalls and re-
supposed to prevent security software like antivirus, portedly infected thousands of PCs worldwide.
attacks. Can the same firewalls, anti-spyware etc. According to the latest Symantec Global In-
tool be a door for They are meant to protect
users from common security attacks and vulner-
ternet Security Threat Report, 205 vulnerabilities
in security products were discovered in the year
hackers? Can your abilities. However, ironically, the rising popularity 2007. During the period of July to December
shield become the of such software is luring the attackers to target 2007, a total of 92 vulnerabilities were discovered
attacker’s arrow? the security software itself as a means to break
into a system. Imagine this situation: you are
of which 16% were high severity threats, 30%
were medium and 32% were low. Interestingly,
This three part running a secure system with antivirus and other majority of the vulnerabilities actually affected
series discusses how necessary software running on it. You assume that the anti-virus products.
security products you are safe from the latest threats. But what if
the antivirus itself is vulnerable? It means that Why vulnerability research getting more
itself could turn out when a hacker exploits the vulnerability in your focused on security products?
to be a threat and security software, he has complete access to your It is interesting to see that the vulnerability
measures to be safe. system!
In early 2004, one of the vulnerabilities in the
researchers and hackers are shifting their focus
gradually towards the security vendors. There are
product of Internet Security Systems (ISS) resulted several reasons behind such shift:
22 m a r c h 2 0 0 9 | i n f o s e c u r i t y | a fa n at i c m e d i a p u b l i c at i o n

2. tech insight
Operating Systems are gradually getting 2005 there were 50 advisories regarding The testing methodology involved
more secure: The Operating Systems like vulnerabilities affecting antivirus products, fuzzing various binary executable header
Windows, which had been the favorite tar- but between 2005 and 2007, there’s been fields with the intension of hitting possible
get among hackers and security researchers, an increase of 240% with 170 advisories. bugs (particularly integer overflow/
have improved their security significantly Moreover, according to a research paper by underflows, buffer overruns, NULL pointer
compared to before. This makes it difficult Feng Xue, presented at this year’s Blackhat dereference etc.) in the AV executable
to find flaws in the Operating Systems and Europe, according to the U.S national processing code. The various testing script
hence the ROI of security research in this vulnerability database, 165 vulnerabilities generated huge number of packed/non-
area is diminishing. within antivirus products have been packed ELF/PE binaries with corrupted or
Security products are easy targets: reported during the last 4 years.” malformed executable headers, particularly
Security products are yet to face the massive the Program Header and the Section Headers
public and press scrutiny like what Micro- Case Study on how iViZ broke of the sample ELF binary feed as input to
soft faced at one point of time. Firewalls and multiple Antivirus our scripts.
Antivirus are commonly present in most We are presenting a case study of In order to process an ELF binary
systems today which make it interesting vulnerability research conducted by iViZ successfully, various memory allocations
for the hackers. Often it is easier to break a which provides the software-as-a-service need to be done for different sections of
security system which is less audited than based “On Demand Penetration Testing” the binary. The amount of memory required
to break operating systems like Windows solution for applications, networks and for storing different sections is given in the
which has been facing attacks for years and compliance. While conducting vulnerability Program Header and Section headers and
hence heavily audited. research to improve upon different existing hence are user control data fields which can
Security vendors conducting research security techniques the iViZ security be manipulated before the binary executable
on competing products: Interestingly, Global research team discovered that in certain is fed into a given Anti virus or any other
Internet Security Threat Report Vol XIII by scenarios, some antivirus software behaved program that processes such binary
Symantec points out that it is not uncommon in a way which is not normal. The research executables. If the program processing
for security vendors to conduct research on results were first provided to the vendors such malformed executable does not verify
competing products. This competition will as per the “Responsible Vulnerability inputs from user correctly and securely
potentially benefit users in the long run and Disclosure”. The vendors were provided before processing, there might be various
also enhance the security of the security adequate time to release the patches before vulnerabilities like buffer overflow (small
products themselves. the public disclosure. allocation, big copy), integer overflows
Evolution of Responsible Vulnerability The research finally resulted in the (sign/unsigned comparison or cast) etc.
Disclosure: The industry promotes respon- discovery of six new vulnerabilities in the During the research conducted by iViZ,
sible vulnerability disclosure by which a antivirus products of AVG, Sohpos, F-Prot, multiple such issues resulting in memory
security researcher can disclose the vulner- avast!, BitDefender and ClamAV. corruption, NULL pointer dereference etc.
abilities to the vendor and help them to were found.
fix it before going public. This process has How was the research conducted? Test Execution: Fuzzing
helped in the evolution of an ethical and Test Preparation Fuzzing is a software testing technique
responsible way to conduct vulnerability The Antivirus Security Testing was used to find out when a program crashes
research and thus encouraged more number conducted over a Linux based Operating by providing random or heuristic based
of independent researchers and security System. The test subjects were all Antivirus inputs to it. The fuzzing methodology used
companies to contribute in vulnerability Software compiled natively to run over a by iViZ research team was based on collec-
discovery. Linux 2.6 kernel. tion of good amount of both packed and
Almost all the popular and modern non-packed sample executables and shared
Vulnerabilities in Antivirus Products Antivirus Software unpacks the packed library files which were fed into “Format
Antivirus products have always been executables first before attempting to match Aware” tools and scripts for alteration of
a favorite target of hackers and security possible malicious signature against the critical information from the Header of the
researchers. There are several sources given binary executable. There are many input sample executable.
where one can find the details of such public packers available like UPX, FSG, Broadly, the fuzzing tool set consisted
vulnerabilities. Some of them include Armadillo, ASProtect etc. for which both of the following:
OSVDB, ICAT, Secunia etc. Dancho Danchev, the packing and unpacking algorithms • File Format Identifier
an independent security consultant and are known but implementation of such • File Format Parser Library
cyber threats analyst, points out in his unpacker is non-trivial and error prone if it • Fuzzing Libraries
ZDNet post that “between 2002 and is not handled correctly and securely. o Bit Alteration
a fa n at i c m e d i a p u b l i c at i o n | i n f o s e c u r i t y | m a r c h 2 0 0 9 23

3. tech insight
o Byte Alteration analysis can be summarized as follows: Multiple vulnerabilities were found
o Byte Replacement with [0x00, 0x01, • Crash location using a debugger and in antivirus products that employs the
0x80, 0xff, 0xfe] etc. backtrace recording. mentioned techniques. Some of the classes
• Test Execution Tool • Symbol Table reconstruction of the of vulnerabilities found are:
binary using iViZ’s internally developed • Integer Overflows
The Fuzz Testing methodology can be tools in case the tested AV is closed • NULL Pointer Dereference
summarized as follows: source commercial one. • Heap Memory Corruption
• Collection of large sample executables • Reverse Engineering and Analysis of the • Double Free
in both PE and ELF format AV executable functions obtained from
• Packing of each executable using the crash backtrace. Results
multiple packers like ASProtect, UPX, • Proof of Concept code development The test resulted in the discovery of
Armadillo etc. which are available for demonstrating the possible security six vulnerabilities in AVG, Sophos, F-prot,
publicly. impact of the bug or vulnerability. BitDefender, avast! and ClamAV.
• Feeding each of the packed as well as
non-packed executable to File Fuzzing
tools which can identify the File For-
Vendor: AVG
mat and Packer for generating fuzzed Version: 7.5.51 (current), possibly others
executables from the input samples. Vulnerability Description: Multiple vulnerabilities were discovered in AVG Antivirus when
• Execution of each AV under testing analyzing specially crafted UPX packed files. Initial analysis shows that some of the vulnerabilities
with appropriate parameters to scan can theoretically be exploited to execute arbitrary code on the affected system with the privilege
the generated fuzzed binaries under of the user running the vulnerable antivirus process or at least cause a Denial of Service
closed monitoring tools for detection of Condition.
possible runtime exceptions. These vulnerabilities should be considered critical particularly in setup where the affected
Antivirus Product is used for scanning incoming e-mails on a Mail Server.
Analysis: Bug Hunting Impact: An attacker can remotely break into a victim’s system by sending him a mail with
The process of analyzing possible a malicious attachment. This vulnerability results in execution of malicious codes like Trojans,
crashes during the Fuzz Testing involves keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause
reproducing similar faults in the given a Denial of Service condition using this vulnerability.
application with the given input while
Vendor: F-Prot
being traced by a debugger. In most of the
cases the debugger can report the type of Version: F-Prot version 4.6.8 for GNU/Linux
the fault, i.e. whether it’s a NULL pointer Vulnerability Description: It is possible to protect an ELF binary against F-Prot by corrupting
dereference or whether it’s an access its ELF header, while letting the binary completely functional. F-prot will crash when analyzing the
violation by the program by trying to access file, letting the possible malware undetected. This might result in complete bypass of Antivirus
unmapped memory etc. But in order to Protection.
find out the actual cause of the problem Impact: Any malicious content/attachments will pass completely undetected. Believing
corresponding to the crafted input and the attachments are clean and safe, the victim is most likely to execute it leading to complete
hence truly ascertain the security impact of system compromise.
the bug, considerable amount of effort in
Vendor: Sophos
terms of debugging and reverse engineering
is required.
Version: Sophos SAVScan 4.33.0 for Linux, possibly others
Vulnerability Description: Multiple Vulnerabilities have been discovered in Sophos Antivirus
The process of reverse engineering and
Product in parsing of specially crafted packed files from multiple packers including Armadillo,
debugging is particularly harder in case of
ASProtect, ASProtectSKE etc. Initial analysis shows that some of the vulnerabilities can
closed source commercial AV applications
theoretically be exploited to execute arbitrary code on the affected system with the privilege of the
because of the unavailability of source code
user running the vulnerable antivirus process or at least cause a Denial of Service Condition.
or even the debugging symbols. However
These vulnerabilities should be considered critical particularly in setup where the affected
to address this problem iViZ internally
Antivirus Product is used for scanning incoming e-mails on a Mail Server.
developed a tool which can identify calls
Impact: An attacker can remotely break into a victim’s system by sending him a mail with
to libc functions even from a stripped
a malicious attachment. This vulnerability results in execution of malicious codes like Trojans,
executable and re-create the symbol table
keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause
in the executable.
a Denial of Service condition using this vulnerability.
The methodology followed for bug
24 m a r c h 2 0 0 9 | i n f o s e c u r i t y | a fa n at i c m e d i a p u b l i c at i o n

4. tech insight
antivirus, this may result either in antivirus
Vendor: ClamAV software crash or execution of arbitrary
Version: ClamAV 0.93.3 and prior code.
Vulnerability Description: ClamAV uses external unpackers for unpacking files packed with Step 3: Attacker crashes the Antivirus
a variety of compression and encoding algorithms. There is vulnerability in specially crafted and/or breaks into the system—Depending
LZH packed files in the unpacker used by ClamAV. This vulnerability can be exploited to execute on the nature of the vulnerability, the
arbitrary code on the vulnerable system or at least cause a Denial of Service condition by forcing antivirus may either get crashed or due
ClamAV to scan a malicious LZH packed file. to arbitrary code execution vulnerability
The vendor has removed support for external packers in the product from ClamAV 0.94 the hacker may get access to the remote
onwards. system. The privilege level would be
Impact: An attacker can remotely break into a victim’s system by sending him a mail with same as the privilege in which the antivirus
a malicious attachment. This vulnerability results in execution of malicious codes like Trojans, is running on. In case the antivirus
keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause is crashed, the hacker may now send
a Denial of Service condition using this vulnerability. another email with a malicious attachment
to easily circumvent the crashed antivirus
Vendor: BitDefender and infect the system with its malicious
Version: v7 for Linux, possibly others payload.
Vulnerability Description: Multiple integer overflows were discovered in the GNU/Linux
version of BitDefender when analyzing specially crasted Portable Executable binaries packed How to stay safe?
with Neolite and ASProtect packers. Initial analysis shows that some of the vulnerabilities can For the security product vendors, it
theoretically be exploited to execute arbitrary code on the affected system with the privilege of the is very critical to adopt secure design
user running the vulnerable antivirus process or at least cause a Denial of Service Condition. and coding principles, conduct regular
These vulnerabilities should be considered critical particularly in setup where the affected penetration testing, conduct code review
Antivirus Product is used for scanning incoming e-mails on a Mail Server. and also educate the customers regarding
Impact: An attacker can remotely break into a victim’s system by sending him a mail with patching the security tools. It is critical
a malicious attachment. This vulnerability results in execution of malicious codes like Trojans, to create security assurance programs
keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause and customer education program. They
a Denial of Service condition using this vulnerability. need to make their customers understand
that security products is yet another
Vendor: avast! software/hardware and no software/
hardware can be free of bugs/vulnerabilities
Version: avast! for Workstations v1.0.8
and it is important for them to know how
Vulnerability Description: Multiple buffer overflow vulnerabilities were discovered in the
to deal with it.
GNU/Linux version of avast! when analyzing specially crafted ISO and RPM files. Initial analysis
For enterprises and common users it is
shows that some of the vulnerabilities can theoretically be exploited to execute arbitrary code on
very critical to understand that security tools
the affected system with the privilege of the user running the vulnerable antivirus process or at
can also have vulnerabilities and hence it
least cause a Denial of Service Condition.
is critical to use it judiciously. We need to
These vulnerabilities should be considered critical particularly in setup where the affected
patch the security tools too, create layered
Antivirus Product is used for scanning incoming e-mails on a Mail Server.
defense, use multiple tools and create
Impact: An attacker can remotely break into a victim’s system by sending him a mail with
adequate failover mechanisms.
a malicious attachment. This vulnerability results in execution of malicious codes like Trojans,
The next part of this series will discuss
keyloggers, crimewares on the victim’s system to steal information. An attacker can also cause
further on vulnerabilities in security prod-
a Denial of Service condition using this vulnerability.
ucts and details of the measures that users
and product vendors should take to stay
How hackers can break into your a specific file which can crash the remote secure. 
system through antivirus? antivirus and sends it as an attachment to
Let us assume that a user is running the user. —By: Bikash Barai. He is the CEO & co-founder
an antivirus in your system. The antivirus Step 2: Antivirus scans the malicious of iViZ (www.ivizsecurity.com) — an On-Demand
checks for malicious code in the files proc- mail attachment—Once the malicious Penetration Testing company which provides
essed in the system. email is received, the vulnerable antivirus security testing for applications, networks and
Step 1: Hacker sends a mail with software tries to scan the malicious compliance. Additional credits to Abhisek Datta
malicious attachment—The attacker creates executable. In case of a vulnerable and iViZ Vulnerability Research Team.
a fa n at i c m e d i a p u b l i c at i o n | i n f o s e c u r i t y | m a r c h 2 0 0 9 25