Sachin, posted July 1, 2016

Security Advisory - Immunet Antivirus DLL Hijacking Vulnerability

Summary
Immunet is a malware and antivirus protection system that utilizes cloud computing to provide enhanced community-based security. Immunet Antivirus contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists because a DLL file is loaded improperly by ‘ImmunetSetup.exe’, which allows an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge.

Affected Product: Immunet 3
Download Link: https://s3.amazonaws.com/immunet-site/production/ImmunetSetup.exe

Impact
An attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. This may help the attacker to successfully exploit the system if the user creates a shell as a DLL.

Vulnerability Scoring Details
The vulnerability classification has been performed using the CVSSv2 scoring system (http://www.first.org/cvss/).
Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Technique Details
1. Prerequisite: The attacker can access the device.
2. Attacking procedure: This vulnerability exists due to the way DLL files are loaded by Immunet Antivirus. It allows an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge. The specific flaw exists within the handling of some DLL file loading by the Immunet Antivirus process.

Note: For a more detailed POC, please check the mail sent to support@immunet.com.

Credit: Sachin Wagh (tiger_tigerboy), Wsachin092@gmail.com
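The class of bug described in the advisory comes from an installer loading a DLL by bare name: Windows searches the executable's own directory before the system directories, so a DLL planted next to a setup file in a user-writable folder such as Downloads gets loaded in its place. The following PowerShell audit is an added example, not code from the advisory, from Immunet or from any poster in this thread. It checks the things a defender would check before running any installer: the installer's own Authenticode signature, every DLL sitting beside it with its signature status, and whether low-privilege groups can write to that directory. The installer path, the group names treated as low-privilege and the output field names are assumptions for illustration.

```powershell
# Added example (not part of the advisory or of Immunet): audit the directory an
# installer will be run from for DLL-planting risk. A setup executable that loads
# a DLL by name without a full path searches its own directory first, so any DLL
# beside it in a user-writable folder is a hijack candidate.

function Test-InstallerDirectory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath
    )

    $installer = Get-Item -LiteralPath $InstallerPath
    $dir = $installer.DirectoryName

    # 1. The installer itself should carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $installer.FullName
    [PSCustomObject]@{
        Kind    = 'Installer'
        Path    = $installer.FullName
        Status  = $sig.Status              # Valid / NotSigned / HashMismatch ...
        Signer  = $sig.SignerCertificate.Subject
        Finding = if ($sig.Status -eq 'Valid') { 'OK' } else { 'Unsigned or tampered installer' }
    }

    # 2. Any DLL in the same directory is found before System32 by the default
    #    search order; unsigned ones are the first thing to look at.
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File | ForEach-Object {
        $dsig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Kind    = 'SiblingDll'
            Path    = $_.FullName
            Status  = $dsig.Status
            Signer  = $dsig.SignerCertificate.Subject
            Finding = if ($dsig.Status -eq 'Valid') { 'Signed DLL next to installer (review why it is here)' } else { 'Unsigned DLL next to installer: hijack candidate' }
        }
    }

    # 3. If low-privilege principals can write to the directory, anything that
    #    runs from it can have a DLL planted beside it. Group names are assumed
    #    English-locale defaults.
    $weakPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
    $acl = Get-Acl -LiteralPath $dir
    $writable = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weakPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl')
    }
    [PSCustomObject]@{
        Kind    = 'Directory'
        Path    = $dir
        Status  = if ($writable) { 'WritableByLowPrivilege' } else { 'Restricted' }
        Signer  = ($writable | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Finding = if ($writable) { 'Run the installer from a fresh, empty directory instead' } else { 'OK' }
    }
}

# Usage (the path is an assumption for illustration):
# Test-InstallerDirectory -InstallerPath "$env:USERPROFILE\Downloads\ImmunetSetup.exe" | Format-Table -AutoSize
```

The practical mitigation on the user side is the one the third check points at: copy the installer into a newly created, empty directory before running it, so there is nothing beside it to be picked up by the search order. The developer-side fix is for the installer to load its DLLs by full path or to restrict the search to the system directory, which is what a release such as the 6.0.6 build mentioned later in this thread would have to do.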
ritchie58, posted July 1, 2016

Interesting post, but a bit disconcerting to say the least! If this DLL file vulnerability does exist, to my knowledge no one has reported that this supposed exploit has actually been used in the wild thus far. I do hope that the Immunet development team takes this possible issue into consideration and does some research to authenticate whether the vulnerability actually exists. I believe that would be the prudent thing to do!

Regards, Ritchie...

P.S. - That's one of the reasons why I don't keep all my eggs in the same basket, so to speak. I use multiple layers of protection and don't rely on just Immunet or FireAMP Connector (which I'm currently using) to keep me safe.
Sachin, posted July 4, 2016

Thanks Ritchie,

Please let me know whether there is any plan to fix it, as it is critical and compromises confidentiality, integrity and availability. I will wait for the fix, and after the bug is patched I will disclose it publicly.

Thanks,
Sachin Wagh
ritchie58, posted July 5, 2016

I know from experience that software programs can sometimes manifest zero-day vulnerabilities. I use a program that monitors activity using multiple drives. As it turns out, at that time, the current version had a buffer overrun vulnerability in several DLL files. The developers, of course, released a new bug-fix version to address the issue as soon as possible once the exploit was recognized. Since no one has reported any problems, I do have to view this with a little bit of skepticism. That's not to say that your post is without merit. Like I said in the previous post, it wouldn't be a bad idea for the powers that be to do some internal investigation to substantiate or deny these claims.

Regards, Ritchie...
chen, posted July 8, 2016

I have sent a letter to the Immunet development team; the following is the Immunet development team's reply:

[We're currently looking into the DLL hijacking vulnerability, we'll report back with our findings soon]
Sachin, posted July 8, 2016

Thanks. I will wait. Please let me know if anything is required from my side.

Thanks,
Sachin Wagh
Sachin, posted July 11, 2016

Hi Team,

Any update on this?

Thanks,
Sachin Wagh
ritchie58, posted July 12, 2016

Hello ryuusei! Glad to hear from you again!

I agree with you, Sachin, I would also like a definitive answer regarding this possible exploit! There is a new 4.0 version due out soon, so if a bug does exist, that would be a "great" time to rectify the situation before the new roll-out takes place.

Regards, Ritchie...
Sachin, posted July 12, 2016

Hi Ritchie,

An attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. I think in the POC video I showed execution of calc.exe through the affected software. An attacker gains access to the system if the attacker creates a shell as a DLL instead of the calc DLL that I showed in the video. If you are interested, I will show the same: how an attacker would gain access to the system and control it.

Thanks,
Sachin Wagh
EugeneC, posted July 12, 2016

Hi all,

Thank you to Sachin for bringing this to our attention. We take these vulnerabilities seriously and greatly appreciate your assistance in letting us know. Our development team is currently looking at potential solutions, and we are hoping to get the fix in with the update for Immunet that Ritchie mentioned, which is currently scheduled to be released sometime in the next month or two. If our team requires more assistance, we will reach out to you via email.

Thanks again!
Eugene
Sachin, posted July 14, 2016

Hello,

I sent a mail to support@immunet.com about a day ago regarding an acknowledgement letter. Please revert on the same. Waiting for your reply.

Thanks,
Sachin Wagh
fblais, posted August 10, 2016

Was this fixed with the new beta (rev 5)?
Sachin, posted August 10, 2016

Hello,

I have not checked. Can you please provide the download link for the same, so I can test it?

Thanks,
Sachin
fblais, posted August 11, 2016

The link is given on Immunet's homepage, but here it is: https://download.immunet.com/binaries/immunet/bin/ImmunetSetup-5.0.0-beta.exe

Thanks!
Sachin, posted August 11, 2016

Thanks, I will test it. Is there any credit for me (bounty/swag)?

Thanks.
Master_Kaina, posted September 10, 2016

Hello,

I am new to the forums (I normally don't post to sites). I felt compelled to go through the registration process here in order to post because I am very concerned. I was going to post this in a malware forum or something similar until I found this one, which is potentially related. Please let me know if this belongs somewhere else (I am tempted to post this again in one of the other forums, but I will give some time for a reply here before doing so).

I had multiple scans via VirusTotal (I was just checking all files in my Downloads folder for safety before transferring them to a new computer) and it flagged the installation file ImmunetSetup-5.0.0.exe as a virus (file infector)! I then downloaded a new one, with the same results for ImmunetSetup.exe! Unfortunately, I downloaded this program and installed it some time ago on my laptop WITHOUT scanning it via online sites first (yes, I know, my fault - I only used AVG, Malwarebytes, and Spybot). Invincea AV listed a virus.win32.sality.at found in the Immunet 5 installation file! The file is digitally signed by Sourcefire Inc. and was downloaded from Immunet's official site.

I read that files could be attached to these posts, but I am still not seeing that option here; otherwise I would have attached both Immunet 5 installation files. I also do not see an option to upload the screenshot I took (it only allows from a URL), but here is the link: https://www.virustotal.com/en/file/9a36e4cc9fc8810ecc8815a478370ef451f9c6603300e4b2067e79cfaaabd4ac/analysis/1473473393/

Is this a false positive? If so, what measures will be taken to correct this? My research shows that virus.win32.sality.at is EXTREMELY DANGEROUS!

Thank you in advance for addressing this issue.

Best Regards,
Mike

P.S. I reposted this to the Issues/Defects forum here. It allowed me to attach the screenshots but not the actual Immunet 5 setup files.

P.P.S. Ok, so NOW it's showing me the "Full Editor", so I have attached the 2 screenshots (but I still cannot attach the Immunet 5 setup files).

P.P.P.S. Here is the most recent one . . .
yummy, posted September 24, 2017

> Thanks, I will test it. Is there any credit for me (bounty/swag)? Thanks.

Sachin, were you ever credited for this vuln? Did this have a happy ending?
ritchie58, posted October 5, 2017

Hi yummy, there is a happy ending for this vulnerability! The Immunet team has just released a 6.0.6.10600 build that addresses and eliminates this installer vulnerability issue. The new build will be pushed to users through the UI, or you can click on the link below to get the new bootstrapper installer. I had no issues updating from the 6.0.4 to the 6.0.6 build through the UI. I didn't even need to re-boot after updating, which was nice.

Here's a copy of what the Admin KrisD posted in the Announcements section today:

> We have released Immunet version 6.0.6. This release addresses a DLL hijacking vulnerability in the Immunet installer. We will provide more information about the vulnerability, including the CVE, after the official disclosure date. Credit goes to Sachin Wagh (tiger_tigerboy, Wsachin092@gmail.com) for discovering this vulnerability and bringing it to our attention. As with other releases, this new version is available for download from https://www.immunet.com, as well as via the Immunet UI if you currently have Immunet 6.0.0 or earlier installed.
>
> The Immunet Protect team