Jump to content
Sachin

Security Advisory - Immunet Antivirus Dll Hijacking Vulnerability

Recommended Posts

Security Advisory - Immunet Antivirus DLL Hijacking Vulnerability

 

Summary

 

Immunet® is a malware and antivirus protection system that utilizes cloud computing to provide enhanced community-based security.

 

Immunet Antivirus contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to some DLL file is loaded by ‘ImmunetSetup.exe’ improperly. And it allows an attacker to load this DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge.

 

Affected Product:

 

Immunet 3

 

Download Link: https://s3.amazonaws.com/immunet-site/production/ImmunetSetup.exe

 

Impact

 

Attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. This may help attacker to Successful exploits the system if user creates shell as a DLL.

 

Vulnerability Scoring Details

 

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

 

Technique Details

 

1. Prerequisite:

The attacker can access the device;

2. Attacking procedure:

This vulnerability exists due to the way DLL files are loaded by Immunet Antivirus. It allows an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge. The specific flaw exists within the handling of some DLL file loading by the Immunet Antivirus process.

 

Note : For more detail POC please check the mail send on support@immunet.com

 

Credit:

 

Sachin Wagh (tiger_tigerboy)

 

Wsachin092@gmail.com

post-33415-0-25624200-1467403604_thumb.png

Share this post


Link to post
Share on other sites

Interesting post but a bit disconcerting to say the least! If this dll file vulnerability does exist, to my knowledge no one has reported that this supposed exploit has been actually used in the wild thus far.

 

I do hope that the Immunet development team does take this possible issue into consideration and do some research to authenticate if the vulnerability does actually exist. I believe that would be the prudent thing to do!

 

Regards, Ritchie...

P.S. - That's one of the reasons why I don't keep all my eggs in the same basket so to speak. I use multiple layers of protection and don't rely on just Immunet or FireAMP Connector (which I'm currently using) to keep me safe.

Share this post


Link to post
Share on other sites

Thanks Ritchie,

 

Please let me know is there any plan to fix it as it is critical and compromising confidentiality ,Integrity, Availability. So will I wait for the fix and after patching the bug will disclose it publicly.

 

Thanks,

 

Sachin Wagh

Share this post


Link to post
Share on other sites

I know from experience that software programs can sometimes manifest zero-day vulnerabilities. I use a program that monitors activity using multiple drives. As it turns out, at that time, the current version had a buffer overrun vulnerability in several dll files. The developers, of course, released a new bug-fix version to address the issue as soon as possible once the exploit was recognized. 

Since no one has reported any problems I do have to view this with a little bit of skepticism.

That's not to say that your post is not without merit. Like I said in the previous post it wouldn't be a bad idea to do some internal investigation by the powers that be to substantiate or deny these claims. 

 

Regards, Ritchie...

Share this post


Link to post
Share on other sites

I have sent a letter to Immunet development team, the following are Immunet development team Reply.

[We're currently looking into the DLL hijacking vulnerability, we'll report back with our findings soon]

Share this post


Link to post
Share on other sites

Hello ryuusei! Glad to hear from you again!

 

I agree with you Sachin, I would also like a definitive answer regarding this possible exploit!

 

There is a new 4.0 version due out soon so if a bug does exist that would be a "great" time to rectify the situation before the new roll-out takes place.

 

Regards, Ritchie...

Share this post


Link to post
Share on other sites
Hi Ritchie,

 

Attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. 

 

I think in the POC video I shown execution of calc.exe through affected software. 

 

An attacker gain access to the system if attackers creates shell as a DLL instead of calc (dll) that i shown in the video.

 

If you are interested I will shown the same. How attacker will gain access to the system and control it. 

 

Thanks,

 

Sachin Wagh

Share this post


Link to post
Share on other sites

Hi all,

 

Thank you to Sachin for bringing this to our attention. We take these vulnerabilities seriously and greatly appreciate your assistance in letting us know. Our development team is currently looking potential solutions, and we are hoping to get the fix in with the update for Immunet that Ritchie mentioned, which is currently scheduled to be released sometime in the next month or two.

 

If our team requires more assistance we will reach out to you via email.

 

Thanks again!

Eugene

Share this post


Link to post
Share on other sites
Hello,

 

I have send one mail on support@immunet.com nearly one day before regarding acknowledgement letter. Please revert back on same. 

 

Waiting for you reply.

 

 

Thanks,

 

Sachin Wagh

Share this post


Link to post
Share on other sites

Hello, I am new to the forums (I normally don't post to sites).
I felt compelled to go through the registration process here in order to post because I am very concerned. I was going to post this in a malware forum or something similar until I found this one potentially related. Please let me know if this belongs somewhere else (I am tempted to post this again in one of the other forums but I will give some time for a reply here before doing so).

I had multiple scans via Virus Total (was just checking all files in my downloads folder for safety before transferring them to a new computer) and it flagged the installation file ImmunetSetup-5.0.0.exe as a virus (file infector)! I then downloaded a new one with the same results for ImmunetSetup.exe! Unfortunately, I downloaded this program and installed it sometime ago on my laptop WITHOUT scanning it via online sites first (yes I know my fault - I only used AVG, Malwarebytes, and Spybot).
Invincea AV listed a virus.win32.sality.at found in the Immunet 5 installation file! The file is digitally signed by Sourcefire Inc. and was downloaded from Immunet's official site. I read that files could be attached to these posts but I am still not seeing that option here otherwise I would have attached both Immunet 5 installation files. I also do not see an option to upload the screenshot I took (only allows from a URL) but here is the link: https://www.virustotal.com/en/file/9a36e4cc9fc8810ecc8815a478370ef451f9c6603300e4b2067e79cfaaabd4ac/analysis/1473473393/.

Is this a false positive? If so, what measures will be taken to correct this? My research shows that the virus.win32.sality.at is EXTREMELY DANGEROUS!

Thank you in advance for addressing this issue.

Best Regards,
Mike

 

P.S.

I reposted this to the Issues/Defects forum here. It allowed me to attach the screenshots but not the actual Immunet 5 setup files.

 

P.P.S.

Ok so NOW it's showing me the "Full Editor" so I have attached the 2 screenshots (but I still cannot attach the Immunet 5 setup files).

 

post-33702-0-27612700-1473477848_thumb.jpg

 

post-33702-0-13018300-1473477940_thumb.jpg

 

P.P.P.S.

Here is the most recent one . . .

 

post-33702-0-95369800-1473478058_thumb.jpg

Edited by Master_Kaina

Share this post


Link to post
Share on other sites

Thanks,

 

I will  test it. Is their any credit to me (Bounty/Swag).

 

Thanks.

 

 

Sachin, were you ever credited for this vuln? Did this have a happy ending? 

Share this post


Link to post
Share on other sites

Hi yummy, there is a happy ending for this vulnerability! The Immunet team has just released a 6.0.6.10600 build that addresses & eliminates this installer vulnerability issue. The new build will be pushed to users through the UI or you can click on the link below to get the new bootstrapper installer. I had no issues updating from the 6.0.4 to the 6.0.6 build through the UI. I didn't even need to re-boot after updating, which was nice.

 

Here's a copy of what the Admin. KrisD posted in the Announcements section today:


We have released Immunet version 6.0.6. 
 
This release addresses a DLL hijacking vulnerability in the Immunet installer. We will provide more information about the vulnerability, including the CVE, after the official disclosure date.
 
Credit goes to Sachin Wagh (tiger_tigerboy, Wsachin092@gmail.com) for discovering this vulnerablity and bringing it to our attention.
 
As with other releases, this new version is available for download from https://www.immunet.com, as well as via the Immunet UI if you currently Immunet 6.0.0 or earlier installed.
 
The Immunet Protect team

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×