There is a vulnerability in Microsoft's Application Verifier, a runtime verification tool for unmanaged code. An authenticated attacker can leverage it to inject their own custom verifier DLL into any process. By injecting code into an antivirus process in this way, an attacker can take full control of the antivirus product and bypass all of its self-protection mechanisms.
Exploitation
Stages
- An authenticated attacker with administrative privileges injects the DoubleAgent DLL into the antivirus process (one of a number of reported attack vectors).
- The attacker then has full control over the antivirus product and can use it to inject further code.
Prerequisites
The attacker must have authenticated access to the system with administrative privileges.
Vulnerability Description
There is a vulnerability in Microsoft's Application Verifier, a runtime verification tool for unmanaged code. An authenticated attacker can leverage it to inject their own custom verifier DLL into any process. According to the original third-party researchers, once the custom verifier has been injected, the attacker has full control of the application. There are several reported attack vectors, but currently the only demonstrably exploitable vector is attacking antivirus products. By injecting code into the antivirus process through Application Verifier, an attacker can take full control of the antivirus product and bypass all of its self-protection mechanisms.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch™ for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
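The following PowerShell audit is an added check for the vulnerability described above and the detection coverage in this section; it is not part of the original advisory and is not Alert Logic's or the original researchers' code. It assumes that a custom verifier is registered per executable under the Image File Execution Options (IFEO) key by setting GlobalFlag (bit 0x100, FLG_APPLICATION_VERIFIER) and VerifierDlls, which are the documented Application Verifier settings, and that a bare DLL name in VerifierDlls is resolved from the system directory. The $KnownProviders list of Microsoft-shipped provider DLLs is also an assumption for this example.

```powershell
# Added example, not Alert Logic's or the original researchers' code.
# Audits Image File Execution Options (IFEO) for Application Verifier provider
# DLLs that a target executable will load at start-up.
# Assumptions:
#   - Providers are registered per executable under
#     HKLM\...\Image File Execution Options\<exe> via GlobalFlag
#     (bit 0x100 = FLG_APPLICATION_VERIFIER) and VerifierDlls (space-separated
#     DLL names), the documented Application Verifier settings.
#   - A bare DLL name is resolved from the system directory.
#   - $KnownProviders lists the provider DLLs Microsoft's own Application
#     Verifier ships; the list is an assumption for this example.

$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$KnownProviders = @('vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll', 'vfluapriv.dll',
                    'vfprint.dll', 'vfnet.dll', 'vfntlmless.dll', 'vfnws.dll', 'vfcuzz.dll')

function Get-VerifierProviderFinding {
    [CmdletBinding()]
    param()

    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or [string]::IsNullOrWhiteSpace($props.VerifierDlls)) { continue }

            # GlobalFlag may be REG_DWORD or a REG_SZ such as "0x100"; normalise to int.
            $flag = 0
            if ($null -ne $props.GlobalFlag) {
                try { $flag = [int]$props.GlobalFlag } catch { $flag = 0 }
            }
            $verifierOn = ($flag -band 0x100) -ne 0

            foreach ($dll in ($props.VerifierDlls -split '[\s,]+' | Where-Object { $_ })) {
                $name = [System.IO.Path]::GetFileName($dll).ToLowerInvariant()

                # Bare name: assumed to load from System32; rooted path: used as given.
                $resolved = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                            else { Join-Path $env:SystemRoot ("System32\" + $name) }

                $signer = $null
                $status = 'FileMissing'
                if (Test-Path -LiteralPath $resolved) {
                    $sig    = Get-AuthenticodeSignature -LiteralPath $resolved
                    $status = $sig.Status.ToString()
                    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                }

                $known = $KnownProviders -contains $name
                $msft  = ($status -eq 'Valid') -and ($signer -like '*Microsoft Corporation*')

                [pscustomobject]@{
                    Target          = $key.PSChildName
                    VerifierEnabled = $verifierOn
                    VerifierDll     = $dll
                    ResolvedPath    = $resolved
                    Signature       = $status
                    Signer          = $signer
                    # Anything that is not a Microsoft-shipped, Microsoft-signed provider.
                    Suspicious      = -not ($known -and $msft)
                }
            }
        }
    }
}

# Usage: list every registered verifier provider, suspicious ones first.
Get-VerifierProviderFinding | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host being checked. A row with VerifierEnabled set and an unknown or unsigned DLL against an antivirus executable is the pattern this advisory describes; note that the same values are set legitimately when a developer enables Application Verifier for a program, so a hit on a development workstation needs to be confirmed against who registered it and when. The script only reports and does not change the registry.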
Recommendations for Mitigation
Update to the latest version of your antivirus software.