Avira Free Antivirus intercepts passwords from browsers and publishes them in the console


Engineers from Doctor Web found a dangerous vulnerability in Avira Free Antivirus. One of the main components of the protection program collects credentials from browsers.

The results of the investigation were reported by Nikolenko Constantine (also known as Veliant), team lead and reverse engineer at Doctor Web. While analyzing Avira Free Antivirus, a product of the German company Avira GmbH & Co. KG, he determined that one of the components collects credentials and displays them in the console.

Technical details
A vulnerability was detected while analyzing a component named "Avira.PWM.NativeMessaging.exe" located at "%ProgramFiles%\Avira\Launcher\". Its code is compiled for the .NET platform and is not obfuscated, which makes it possible to verify its functionality.

"Avira.PWM.NativeMessaging.exe" is a console utility that reads user input and processes it further.

The Read function reads user input from standard input (stdin) and passes it to the ProcessMessage function. If the passed command uses the fetchChromePasswords or fetchCredentials methods, the RetrievBrowserCredentials function is called.

In turn, the "RetrievBrowserCredentials" function collects the credentials saved by the user in browsers (Chrome, Firefox, Opera, Edge) and stores them as a JSON object. The collected data is then output to the terminal as a string.

Security risks
The Avira.PWM.NativeMessaging.exe component causes several security issues. First, a binary file digitally signed by Avira collects user credentials. Second, the program calling the binary file is not verified in any way, that is, the call can be initiated by malware. Finally, the component works offline as a separate application.

The ID CVE-2020-12680 has been assigned to this vulnerability. Avira was informed of the problem on April 7, 2020, but a month later, the described component is still available in Avira's Free Antivirus distribution. In addition, the German vendor did not respond to letters reporting the vulnerability.



https://www.comss.ru/page.php?id=7430

https://habr.com/ru/post/500852/
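
The second risk described above (the calling program is never verified) can be watched for in process-creation telemetry. The following is an added example, not part of the original post and not Avira's or Doctor Web's code: it flags launches of the component whose nearest non-shell ancestor is not a browser. The Sysmon-style field names, the browser executable names, the cmd.exe wrapper handling and all sample events are assumptions constructed for illustration.

```python
import ntpath

TARGET = "avira.pwm.nativemessaging.exe"   # component named on the page
# Assumed executable names for the browsers the page lists.
BROWSERS = {"chrome.exe", "firefox.exe", "opera.exe", "msedge.exe"}
WRAPPERS = {"cmd.exe"}  # assumption: a browser may start the host through a shell

def base(path):
    return ntpath.basename(path).lower()

def effective_parent(event, by_guid):
    """Image of the nearest ancestor that is not a wrapper shell."""
    image, guid, seen = event["ParentImage"], event["ParentProcessGuid"], set()
    while base(image) in WRAPPERS and guid in by_guid and guid not in seen:
        seen.add(guid)
        image, guid = by_guid[guid]["ParentImage"], by_guid[guid]["ParentProcessGuid"]
    return image

def find_suspicious(events):
    """Return (host ProcessGuid, effective parent image) for non-browser callers."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        if base(e["Image"]) != TARGET:
            continue
        parent = effective_parent(e, by_guid)
        if base(parent) not in BROWSERS:
            alerts.append((e["ProcessGuid"], parent))
    return alerts

def ev(guid, image, pguid, pimage):
    return {"ProcessGuid": guid, "Image": image,
            "ParentProcessGuid": pguid, "ParentImage": pimage}

HOST = r"C:\Program Files\Avira\Launcher\Avira.PWM.NativeMessaging.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
UNKNOWN = r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe"

# Constructed sample events, not real telemetry.
EVENTS = [
    ev("g2", CMD, "g1", CHROME),     # browser starts a shell ...
    ev("g3", HOST, "g2", CMD),       # ... which starts the host: expected
    ev("g5", HOST, "g4", UNKNOWN),   # unknown program calls the host directly
    ev("g7", CMD, "g6", UNKNOWN),    # unknown program sits behind cmd.exe
    ev("g8", HOST, "g7", CMD),
]

if __name__ == "__main__":
    for guid, parent in find_suspicious(EVENTS):
        print(f"ALERT {guid}: {TARGET} started by {parent}")
```

File names are a weak identity signal; in production, match the parent on its full path or signer as well.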