Critical vulnerability in Zemana 2.0 products and not only
<blockquote data-quote="military" data-source="post: 798003" data-attributes="member: 2141">
<ol>
<li data-xf-list-type="ol">My English is bad. 1.2 The article is in Russian, and the link goes through an online translator.</li>
<li data-xf-list-type="ol">At the end of the article there is a response from the developer. But my goal in creating this topic is that I want a more detailed explanation from the developer. I do not really believe the problem is hard to solve because of the large number of rebranding partners.</li>
<li data-xf-list-type="ol">I like ZA and I will continue to use it. But only with the 3.x beta versions.</li>
</ol>
<p>Article from <strong>Google Translate</strong>:</p>
<p>It is no secret to anyone that installing an anti-virus product can open up additional attack vectors, but I was very surprised that finding and exploiting such vulnerabilities in some products, even in 2018, is not a problem.</p>
<p><img src="https://habrastorage.org/webt/3a/vo/p2/3avop2ymcnmsrbb2pd3q4_hq5ic.png" alt="" /></p>
<p>Woops</p>
<p>The discovered vulnerability is in the update procedure of the antivirus product. Update configuration files are transmitted over a plain HTTP connection and are human-readable (which is not a vulnerability in itself). The responses from the company's servers contain links to update files that the antivirus executes when a new version is detected.</p>
<p><img src="https://habrastorage.org/webt/rj/oa/ad/rjoaadv6l3o3lqb0ksxohy6ffty.png" alt="" /></p>
<p>Update URL</p>
<p>Very surprisingly, even a simple substitution of the file URL with a third-party one led only to a <strong>strange</strong> warning from the antivirus.</p>
<p><img src="https://habrastorage.org/webt/g6/cp/nk/g6cpnkgt1at2wkjxtwepucjcsx0.png" alt="" /></p>
<p>Do you want to execute any file with SYSTEM rights?</p>
<p>If the user, without noticing the trick, agreed, the antivirus downloaded the third-party file to the computer and executed it with SYSTEM privileges. And the user did not necessarily need administrator privileges.</p>
<p>However, hardly anyone in their right mind would agree to install such an "update". Let's look at the possibility of <strong>bypassing</strong> this notification. All update files are digitally signed and <strong>must be</strong> verified before execution. Let's look at the "ZmnAppUpdater" function in ZAM.exe and the interesting place where the "SignatureChecker" function is called.</p>
<p><img src="https://habrastorage.org/webt/1w/d_/wa/1wd_wanykybzj-kuewh0kvhrac0.png" alt="" /></p>
<p>Missed check</p>
<p>This function should verify the digital signature of the exe file and return the verification result code. However, in the "ZmnAppUpdater" function the authors forgot to check it (the result is EAX = 0x80096010 (TRUST_E_BAD_DIGEST)). Thus, it is possible <strong>to execute arbitrary code on a remote system with SYSTEM rights without user interaction</strong> simply by running a man-in-the-middle attack. We clone the Security directory of the original update file into a fake update file and do not care that the digital signature cannot be verified by the operating system. The antivirus only checks whose name the certificate is issued to, not the file's integrity.</p>
<p>The vulnerability with identifier CVE-2019-6440 has been fixed since versions 3.x (beta).</p>
<p>I will note one <strong>more interesting moment</strong>.</p>
<p><strong>About a year</strong> passed between reporting the vulnerability and its actual correction (starting with versions 3.x). The vulnerability is present in all products of the company; however<strong>, it was decided to postpone the release of the emergency patch</strong> until the release of the new major version. Representatives of the company said that the <strong>vulnerability is quite difficult to detect</strong>, that a new major version is in development, and that the company does not plan to release patches, as it has more than 20 rebranding partners. Of course, the <strong>vulnerability is present in all products of the partner companies</strong>. Moreover, the <strong>company, aware of the presence of the vulnerability, continues to actively promote versions with vulnerable code to this day.</strong></p>
<p>It would seem that a company engaged in information security should have released updates as soon as possible; however, this is not the case, and it is not very worried about the safety of its clients.</p>
<p>Link: <a href="https://translate.google.com/translate?hl=ru&sl=ru&tl=en&u=https%3A%2F%2Fhabr.com%2Fru%2Fpost%2F439906%2F" target="_blank">Google Translate</a></p>
<p>Original: <a href="https://habr.com/ru/post/439906/" target="_blank">Critical vulnerability in Zemana products and not only</a></p>
</blockquote>
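The article's point is that an update signature check which only looks at who the certificate names is useless: a fake update carrying the genuine file's copied Security directory passes that check while WinVerifyTrust reports TRUST_E_BAD_DIGEST. The following PowerShell is an added example, not code from the article or from Zemana; it places the weak signer-name check beside the check an updater should perform on a downloaded file, using Windows' own Get-AuthenticodeSignature. The subject pattern, thumbprint and file path are placeholders.

```powershell
# Added example (not from the article or the vendor). Get-AuthenticodeSignature
# wraps WinVerifyTrust: for a file whose signature block was copied from another
# binary, Status is HashMismatch, the PowerShell face of TRUST_E_BAD_DIGEST.

function Test-UpdateSignatureWeak {
    # Mirrors the flaw described in the article: only asks whose name is on the
    # certificate and never consults the verification result.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSubjectPattern = 'CN=Example Publisher'  # placeholder
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) { return $false }
    # A tampered file with a cloned Security directory still returns $true here.
    return ($sig.SignerCertificate.Subject -match $ExpectedSubjectPattern)
}

function Test-UpdateSignatureStrict {
    # What the updater should do: require a Valid status (chain trusted AND the
    # file hash matches the signed digest) and pin the expected signing cert.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint  # placeholder, pin the publisher's leaf cert
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        # HashMismatch = content changed after signing; NotSigned / NotTrusted
        # cover the other failure modes. None of them may be executed.
        Write-Warning "$Path rejected: $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        # A valid signature from some other publisher is still not our update.
        Write-Warning "$Path rejected: unexpected signer $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

function Test-UpdateUrl {
    # The article notes the update manifest travels over plain HTTP, which is
    # what makes the man-in-the-middle substitution possible at all.
    param([Parameter(Mandatory)][string]$Url)
    $uri = [System.Uri]$Url
    return ($uri.Scheme -eq 'https')
}

# Usage (placeholders):
# Test-UpdateUrl 'http://updates.example.invalid/manifest.xml'            # False
# Test-UpdateSignatureStrict -Path 'C:\Temp\update.exe' -ExpectedThumbprint 'PLACEHOLDER_THUMBPRINT'
```

Run the weak and strict functions against the same downloaded file: a file whose signature block was transplanted from a genuine binary is accepted by the first and rejected by the second with Status HashMismatch.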