Check whether your antivirus is vulnerable to exploitable RWX addresses - gHacks Tech News

Check whether your antivirus is vulnerable to exploitable RWX addresses

AV Vulnerability Checker is a free program for Windows that determines whether antivirus software installed on the computer is vulnerable to exploitable constant Read-Write-Execute (RWX) addresses.

Vulnerabilities are bad, regardless whether they are found in the operating system or programs running on it. One of the worst kind affects security software, programs that are designed to protect the system from attacks.

Ensilo, the company behind the product of the same name that "offers a real-time exfiltration prevention platform against advanced targeted attacks", revealed the security vulnerability that is affecting various antivirus products in a recent blog post.

It discovered the vulnerability while investigation a collision of the company's own enSilo product with AVG antivirus software.

Vulnerable anti-virus solutions "allocate a memory page with Read, Write, Execute permissions at a constant predictable address" and for various user-mode processes including those of web browsers or Adobe Reader.

The vulnerability enables attackers to bypass certain Windows mitigations against exploits, for instance ASLR or DEP since the attacker knows where to write and run code.

The company found the vulnerability in several antivirus products including McAfee Virus Scan for Enterprise version 8.8, Kaspersky Total Security 2015 and AVG Internet Security 2015.

Both AVG and McAfee appear to have fixed the issue in recent updates already.

avulnerabilitychecker

Ensilo released a program for Windows that tests other antivirus solutions for the vulnerability. The tool is available on Github.

  1. Click on download on Github and download the archive to the local system.
  2. Extract the archive afterwards to a local directory.
  3. Run AVulnerabilityChecker.exe.

The program tests the vulnerability using web browsers on the system. For it to work, you need to have a web browser open, and close it when the program requests you to do it.

Then you need to restart the web browser and open at least two new tabs in it. The program will then check whether the vulnerability can be exploited on the system.

Any memory region that exists in both scans is likely predictable and the program indicates this by listing those addresses and processes.

What it won't do is reveal the security solution that is vulnerable to the attack. The researchers suggest that you use a debugger to find that out, but if that sounds too complicated, you may want to disable security software instead and re-run the tests to find the culprit or culprits this way.

If you find out that a product that you run is vulnerable, there is little that you can do about it. After making sure that it is up to date, you may inform the developer of the program about the vulnerability.

Summary
Check whether your antivirus is vulnerable to exploitable RWX addresses
Article Name
Check whether your antivirus is vulnerable to exploitable RWX addresses
Description
AV Vulnerability Checker is a free program for Windows that determines whether antivirus software installed on the computer is vulnerable to a RWX exploit.
Author
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. weasman said on December 11, 2015 at 12:55 am
    Reply

    Tried it and my system is not vulnerable. Using Kaspersky Internet Security 16

    1. Anonymous said on December 18, 2015 at 1:10 am
      Reply

      Bitdefender Internet Security 2016 Build 20.0.24.1290 is VULNERABLE with Windows 10.0.10586.17 & Google Chrome 47.0.2526.80 m

  2. Mike O said on December 11, 2015 at 1:04 am
    Reply

    AVulnerabilityChecker would not work with Palemoon. It indicates no browser found. I then tried IE and the program ran correctly.

  3. weaseman said on December 11, 2015 at 1:15 am
    Reply

    Like Mike O says, not working with Pale Moon. Program just closed on me. Using Win 7

  4. ustavio said on December 11, 2015 at 1:47 am
    Reply

    Panda neutralized the executable on Firefox 42 as suspicious. I’m thinking this is a good thing?

  5. Daniel said on December 11, 2015 at 2:21 am
    Reply

    File blocked by 360 Total Security.

  6. jasray said on December 11, 2015 at 2:29 am
    Reply

    May want to read what is really going on. The brief article here suggests that the vulnerability is a “browser” issue which it is not. The RWX vulnerability may exist in any application. As of September, all AV products had been patched. It’s really a MS issue, one of an unintended operating system design problem that is most likely mitigated by running EMET.

    http://blog.ensilo.com/the-av-vulnerability-that-bypasses-mitigations

    1. Martin Brinkmann said on December 11, 2015 at 7:42 am
      Reply

      The “brief article” does not suggest that it is a browser issue.

      1. jasray said on December 11, 2015 at 3:04 pm
        Reply

        I beg to differ after searching for and reading the original article. The synopsis here implies only “user-mode processes including those of web browsers or Adobe Reader” and the browser that is used to check for the vulnerability may be affected.

        As well, the news comes from September when all of the referenced AV software in the article patched the products in question.

        By comparing the written brief here with the original Ensilo information, one discovers that any number of programs on a computer may be vulnerable, and the “tool” does nothing to identify which program may be vulnerable, only that one out of, perhaps, 90, could be compromising the security of a Windows system.

        What then should a reader do who discovers his/her system is vulnerable? There’s no mention of steps to take. All great information, Martin, but . . . it’s like telling someone to use a thermometer to check for fever. Say the “someone” has a fever.

        Next?

        “There is little that you can do about it.”

        Pointless diatribe?

      2. Corky said on December 11, 2015 at 8:49 pm
        Reply

        It’s got nothing to do with other programs, the AV programs created a hook in memory for each user-mode processes launched, a hook that used the same memory address each instance of the user-mode processes, it’s why they used two browser processes to cross reference the two and find the memory address that the AV program was using.

        It was without doubt a problem with the AV software, that’s unless you’re suggesting that the AV software devs wrote patches for software that they have no experience with.

    2. Corky said on December 11, 2015 at 2:04 pm
      Reply

      It’s not in the browser, in fact the article you posted a link to actually say as much.

      “It is important to note that although we use browsers to check this vulnerability – the vulnerability is not in the browser”

  7. ayyy said on December 11, 2015 at 3:49 am
    Reply

    Hey Martin
    It gives me the message: (Your computer is likely to be vulnerable to exploitable constant RWX addresses) Even when my antivirus is shut off it gives me that message. Does that mean that my antivirus is clear or does that mean that my antivirus and something else is vulnerable?

    1. Martin Brinkmann said on December 11, 2015 at 8:00 am
      Reply

      Must be another program then, I fear that you will have to use a debugger in this case to find out.

  8. Moloch said on December 11, 2015 at 1:31 pm
    Reply

    Shame it didnt detect PaleMoon being an active browser, had to go back to IE, still said it wasnt vulnerable, though Panda never had to block anything, strange :)

  9. Johny said on December 11, 2015 at 5:55 pm
    Reply

    In the source code it’s easy to see that it only tests for the vulnerability in the following processes : “chrome.exe”, “iexplore.exe”, “firefox.exe”.

  10. Andy said on December 11, 2015 at 11:34 pm
    Reply

    i got BSOD when i clicked on the program anyone else get this

  11. Andy said on December 11, 2015 at 11:35 pm
    Reply

    i had a BSOD when i clicked the program. Anyone else have this problem

  12. Tim H. said on December 13, 2015 at 1:11 am
    Reply

    Is there any easy way to check which application is vulnerable?
    Thank you.

  13. doruk said on December 18, 2015 at 1:11 am
    Reply

    Bitdefender Internet Security 2016 Build 20.0.24.1290 is VULNERABLE with Windows 10.0.10586.17 & Google Chrome 47.0.2526.80 m

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.