You know, I rarely look into binary code, my reverse engineering skills being rudimentary. I mostly investigate the JavaScript code of applications. So I am amazed by the fact that I published three (!) RCE vulnerabilities in antivirus applications this year. 1/5

1) Avast Secure Browser did everything in their power to maximize the attack surface. The attack worked because two security mechanisms were explicitly disabled for no good reason. Arbitrary code execution from any website. 2/5

palant.info/2020/01/13/pwning-

2) McAfee WebAdvisor is sloppy when handling HTML code, the browser extension is full of potential XSS vulnerabilities. One of those was exploitable, turned out that even CSP won't always save you then. Administrator privileges from any website. 3/5

palant.info/2020/02/25/mcafee-

3) Bitdefender replaces browsers' built-in SSL warning pages which is surprisingly problematic. Quite remarkable what one can do with the security tokens found there. Arbitrary code execution from any website when opened in any browser. 4/5

palant.info/2020/06/22/exploit

All of that without any fancy buffer overflows or such, merely abusing existing application logic. Could it be that antivirus vendors focused so much on hardening their binary code that they forgot the low-hanging fruit? And is it really hardened?

To be continued… 5/5

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.