


Security Advisory - Immunet Antivirus Dll Hijacking Vulnerability

Vulnerability (Bug)

15 replies to this topic

#1 Sachin (Newbie, Members, 8 posts)

Posted 01 July 2016 - 08:09 PM

Security Advisory - Immunet Antivirus DLL Hijacking Vulnerability

 

Summary

 

Immunet® is a malware and antivirus protection system that utilizes cloud computing to provide enhanced community-based security.

 

Immunet Antivirus contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists because a DLL file is loaded improperly by ‘ImmunetSetup.exe’, which allows an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge.

 

Affected Product:

 

Immunet 3

 

Download Link: https://s3.amazonaws...mmunetSetup.exe

 

Impact

 

An attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. This may help the attacker successfully exploit the system if a shell is created as a DLL.

 

Vulnerability Scoring Details

 

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

 

Technique Details

 

1. Prerequisite:

The attacker can access the device.

2. Attacking procedure:

This vulnerability exists due to the way DLL files are loaded by Immunet Antivirus. It allows an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge. The specific flaw exists within the handling of some DLL file loading by the Immunet Antivirus process.

 

Note: For a more detailed POC, please check the mail sent to support@immunet.com

 

Credit:

 

Sachin Wagh (tiger_tigerboy)

 

Wsachin092@gmail.com
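The advisory above does not say which DLL the installer loads, and the POC is only described. The script below is an added example, written for this page and not taken from the advisory or from Immunet's code, that audits any installer for the exposure the advisory describes: with the default Windows search order, a DLL placed in the same directory as the executable (for a downloaded installer, typically the browser's Downloads folder) is found before System32, so whatever its DllMain does runs with the installer's privileges. The installer path, the `-Launch` switch and the settle time are the caller's inputs; nothing in it is specific to the unnamed Immunet DLL.

```powershell
<#
  Added example, not part of the advisory or of Immunet's code.
  Audits an installer for DLL-preloading exposure:
    1. is the installer's directory writable by the current user,
    2. which DLLs already sit beside it and who signed them,
    3. (optional) which modules the running installer loaded from outside
       the Windows directory.
  Assumption: the caller supplies the installer path; the affected DLL name
  from the advisory is not public, so this is generic.
#>
param(
    [Parameter(Mandatory)] [string] $Installer,
    [switch] $Launch,             # also start the installer and snapshot its modules
    [int]    $SettleSeconds = 5   # time to let the loader pull in dependencies
)

$Installer = (Resolve-Path -LiteralPath $Installer).Path
$appDir    = Split-Path -Parent $Installer
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Path, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail })
}

# 1. If an unprivileged account can write here, any local process can plant a
#    DLL before the user double-clicks the installer. Probe by creating a file.
$probe = Join-Path $appDir ([IO.Path]::GetRandomFileName())
try {
    [IO.File]::WriteAllText($probe, '')
    Remove-Item -LiteralPath $probe -Force
    Add-Finding 'DirectoryWritable' $appDir 'current user can create files here'
} catch {
    # not writable by this account; nothing to report
}

# 2. DLLs already beside the installer. These win the search order against
#    System32 for any name that is not a KnownDLL; unsigned or unexpectedly
#    signed files here are the classic indicator of a planted payload.
Get-ChildItem -LiteralPath $appDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        Add-Finding 'DllBesideInstaller' $_.FullName `
            ('signature={0}; signer={1}' -f $sig.Status, $sig.SignerCertificate.Subject)
    }

# 3. Dynamic check: start the installer and list every module it loaded from
#    outside %SystemRoot%. Run this only in a disposable VM, and from a
#    PowerShell of the same bitness as the installer, or .Modules may be refused.
if ($Launch) {
    $proc = Start-Process -FilePath $Installer -PassThru
    Start-Sleep -Seconds $SettleSeconds
    try {
        $proc.Refresh()
        foreach ($m in $proc.Modules) {
            if ($m.FileName -like "$env:SystemRoot\*") { continue }
            if ($m.FileName -eq $Installer)            { continue }
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            Add-Finding 'ModuleOutsideSystemRoot' $m.FileName ('signature={0}' -f $sig.Status)
        }
    } catch {
        # process already exited, or module enumeration was denied
        Add-Finding 'ModuleEnumFailed' $Installer $_.Exception.Message
    }
}

$findings | Format-Table -AutoSize
```

The snapshot in step 3 only sees the process you started and only what is still loaded after the settle time; an installer that extracts and spawns a second stage, or that loads and frees a DLL early, needs Process Monitor instead (filter on Path ending in `.dll` with Result `NAME NOT FOUND`, which lists every name the installer probed in its own directory before falling through to System32). On the user side the exposure goes away by moving the installer to a fresh, empty directory before running it; on the vendor side Microsoft's guidance for this class of bug is to call `SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)` early in the process, or load each dependency by full path, so the application directory is no longer searched.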




#2 ritchie58 (Staff Member, Moderators, 1,801 posts, Location: Oil City, Pa. U.S.A.)

Posted 01 July 2016 - 11:10 PM

Interesting post but a bit disconcerting to say the least! If this dll file vulnerability does exist, to my knowledge no one has reported that this supposed exploit has been actually used in the wild thus far.

 

I do hope that the Immunet development team does take this possible issue into consideration and do some research to authenticate if the vulnerability does actually exist. I believe that would be the prudent thing to do!

 

Regards, Ritchie...

P.S. - That's one of the reasons why I don't keep all my eggs in the same basket so to speak. I use multiple layers of protection and don't rely on just Immunet or FireAMP Connector (which I'm currently using) to keep me safe.


* Immunet Global Forum Moderator *


#3 Sachin (Newbie, Members, 8 posts)

Posted 04 July 2016 - 12:20 PM

Thanks Ritchie,

 

Please let me know whether there is any plan to fix it, as it is critical and compromises confidentiality, integrity and availability. I will wait for the fix and, after the bug is patched, will disclose it publicly.

 

Thanks,

 

Sachin Wagh



#4 ritchie58 (Staff Member, Moderators, 1,801 posts, Location: Oil City, Pa. U.S.A.)

Posted 05 July 2016 - 01:58 AM

I know from experience that software programs can sometimes manifest zero-day vulnerabilities. I use a program that monitors activity using multiple drives. As it turns out, at that time, the current version had a buffer overrun vulnerability in several dll files. The developers, of course, released a new bug-fix version to address the issue as soon as possible once the exploit was recognized. 

Since no one has reported any problems I do have to view this with a little bit of skepticism.

That's not to say that your post is without merit. Like I said in the previous post it wouldn't be a bad idea to do some internal investigation by the powers that be to substantiate or deny these claims. 

 

Regards, Ritchie...


* Immunet Global Forum Moderator *


#5 ryuusei (Advanced Member, Members, 36 posts)

Posted 08 July 2016 - 11:57 AM

I have sent a letter to the Immunet development team; the following is the Immunet development team's reply.

[We're currently looking into the DLL hijacking vulnerability, we'll report back with our findings soon]



#6 Sachin (Newbie, Members, 8 posts)

Posted 08 July 2016 - 12:06 PM

Thanks.

 

I will wait.

 

Please let me know if anything required from my side.

 

 

Thanks,

 

Sachin Wagh



#7 Sachin (Newbie, Members, 8 posts)

Posted 11 July 2016 - 04:01 PM

Hi Team, 

 

Any update on this?

 

 

Thanks,

 

Sachin Wagh



#8 ritchie58 (Staff Member, Moderators, 1,801 posts, Location: Oil City, Pa. U.S.A.)

Posted 12 July 2016 - 03:34 AM

Hello ryuusei! Glad to hear from you again!

 

I agree with you Sachin, I would also like a definitive answer regarding this possible exploit!

 

There is a new 4.0 version due out soon so if a bug does exist that would be a "great" time to rectify the situation before the new roll-out takes place.

 

Regards, Ritchie...


* Immunet Global Forum Moderator *


#9 Sachin (Newbie, Members, 8 posts)

Posted 12 July 2016 - 02:16 PM

Hi Ritchie,
 
An attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. 
 
I think in the POC video I showed execution of calc.exe through the affected software. 
 
An attacker gains access to the system if the attacker creates a shell as a DLL instead of the calc DLL that I showed in the video.
 
If you are interested I will show the same: how an attacker will gain access to the system and control it. 
 
Thanks,
 
Sachin Wagh


#10 EugeneC (Admin, Administrators, 9 posts)

Posted 12 July 2016 - 07:44 PM

Hi all,

 

Thank you to Sachin for bringing this to our attention. We take these vulnerabilities seriously and greatly appreciate your assistance in letting us know. Our development team is currently looking into potential solutions, and we are hoping to get the fix in with the update for Immunet that Ritchie mentioned, which is currently scheduled to be released sometime in the next month or two.

 

If our team requires more assistance we will reach out to you via email.

 

Thanks again!

Eugene



#11 Sachin (Newbie, Members, 8 posts)

Posted 14 July 2016 - 10:49 AM

Hello,
 
I sent a mail to support@immunet.com about a day ago regarding an acknowledgement letter. Please reply on the same. 
 
Waiting for your reply.
 
 
Thanks,
 
Sachin Wagh


#12 fblais (Advanced Member, Members, 35 posts)

Posted 10 August 2016 - 12:18 PM

Was this fixed with the new beta (rev 5)?


Windows 7 home premium SP1 x86, Immunet beta, MBAE free, Panda free


#13 Sachin (Newbie, Members, 8 posts)

Posted 10 August 2016 - 12:26 PM

Hello,

 

I have not checked. Can you please provide the download link for the same, so I can test it?

 

Thanks,

 

Sachin



#14 fblais (Advanced Member, Members, 35 posts)

Posted 11 August 2016 - 04:30 PM

The link is given on Immunet's homepage, but here it is:

https://download.imm...-5.0.0-beta.exe

 

Thanks!


Windows 7 home premium SP1 x86, Immunet beta, MBAE free, Panda free


#15 Sachin (Newbie, Members, 8 posts)

Posted 11 August 2016 - 04:34 PM

Thanks,

 

I will test it. Is there any credit for me (bounty/swag)?

 

Thanks.



#16 Master_Kaina (Newbie, Members, 3 posts, Location: U.S.A.)

Posted 10 September 2016 - 02:50 AM

Hello, I am new to the forums (I normally don't post to sites).
I felt compelled to go through the registration process here in order to post because I am very concerned. I was going to post this in a malware forum or something similar until I found this one potentially related. Please let me know if this belongs somewhere else (I am tempted to post this again in one of the other forums but I will give some time for a reply here before doing so).

I had multiple scans via Virus Total (was just checking all files in my downloads folder for safety before transferring them to a new computer) and it flagged the installation file ImmunetSetup-5.0.0.exe as a virus (file infector)! I then downloaded a new one with the same results for ImmunetSetup.exe! Unfortunately, I downloaded this program and installed it sometime ago on my laptop WITHOUT scanning it via online sites first (yes I know my fault - I only used AVG, Malwarebytes, and Spybot).
Invincea AV listed a virus.win32.sality.at found in the Immunet 5 installation file! The file is digitally signed by Sourcefire Inc. and was downloaded from Immunet's official site. I read that files could be attached to these posts but I am still not seeing that option here otherwise I would have attached both Immunet 5 installation files. I also do not see an option to upload the screenshot I took (only allows from a URL) but here is the link: https://www.virustot...sis/1473473393/.

Is this a false positive? If so, what measures will be taken to correct this? My research shows that the virus.win32.sality.at is EXTREMELY DANGEROUS!

Thank you in advance for addressing this issue.

Best Regards,
Mike

 

P.S.

I reposted this to the Issues/Defects forum here. It allowed me to attach the screenshots but not the actual Immunet 5 setup files.

 

P.P.S.

Ok so NOW it's showing me the "Full Editor" so I have attached the 2 screenshots (but I still cannot attach the Immunet 5 setup files).

 

Attached File: Immunet Virus.JPG (32.5KB)

 

Attached File: Immunet Virus 2.JPG (40.23KB)

 

P.P.P.S.

Here is the most recent one . . .

 

Attached File: Capture.JPG (38.67KB)


Edited by Master_Kaina, 10 September 2016 - 03:28 AM.
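The post above reports a scanner verdict on a digitally signed installer but does not say whether that signature still verifies. That is the first check a practitioner makes on a "file infector" detection: a file infector rewrites the PE image, and the Authenticode hash covers the image apart from the checksum field, the certificate-table entry and the signature itself, so an infected copy reports a hash mismatch rather than a valid signature. The snippet below is an added example, not part of the post, that prints the signature status together with the SHA256 needed to look the exact file up on VirusTotal; the default path is an assumption.

```powershell
<#
  Added example, not part of the post above.
  For a downloaded installer that a scanner has flagged, report whether the
  vendor's Authenticode signature still verifies and compute the SHA256 for a
  VirusTotal lookup. The default path is an assumption; pass your own.
#>
param([string] $Path = "$env:USERPROFILE\Downloads\ImmunetSetup.exe")

$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256   # PowerShell 4 or later

[pscustomobject]@{
    File            = $Path
    SHA256          = $hash.Hash                          # https://www.virustotal.com/gui/file/<SHA256>
    SignatureStatus = $sig.Status                         # Valid, HashMismatch, NotSigned, UnknownError ...
    Signer          = $sig.SignerCertificate.Subject      # expected: the vendor's organisation name
    Timestamped     = ($null -ne $sig.TimeStamperCertificate)
} | Format-List
```

A `Valid` status under the vendor's name means the bytes on disk are exactly what the vendor signed, which rules out infection of the downloaded copy after signing; it does not by itself prove the vendor's build environment was clean, so the SHA256 lookup and the vendor's own confirmation are still worth having. Anything other than `Valid` on a file the vendor claims to sign is reason to delete the copy and obtain a fresh one.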




