Security Advisory - Immunet Antivirus Dll Hijacking Vulnerability

[Sachin]

Security Advisory - Immunet Antivirus DLL Hijacking Vulnerability

 

Summary

 

Immunet is a malware and antivirus protection system that utilizes cloud computing to provide enhanced community-based security.

 

Immunet Antivirus contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to some DLL file is loaded by ‘ImmunetSetup.exe’ improperly. And it allows an attacker to load this DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge.

 

Affected Product:

 

Immunet 3

 

Download Link: https://s3.amazonaws.com/immunet-site/production/ImmunetSetup.exe

 

Impact

 

Attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. This may help attacker to Successful exploits the system if user creates shell as a DLL.

 

Vulnerability Scoring Details

 

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/).

Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

 

Technique Details

 

1. Prerequisite:

The attacker can access the device;

2. Attacking procedure:

This vulnerability exists due to the way DLL files are loaded by Immunet Antivirus. It allows an attacker to load a DLL file of the attacker’s choosing that could execute arbitrary code without the user's knowledge. The specific flaw exists within the handling of some DLL file loading by the Immunet Antivirus process.

 

Note : For more detail POC please check the mail send on support@immunet.com

 

Credit:

 

Sachin Wagh (tiger_tigerboy)

 

Wsachin092@gmail.com

[ritchie58]

Interesting post but a bit disconcerting to say the least! If this dll file vulnerability does exist, to my knowledge no one has reported that this supposed exploit has been actually used in the wild thus far.

 

I do hope that the Immunet development team does take this possible issue into consideration and do some research to authenticate if the vulnerability does actually exist. I believe that would be the prudent thing to do!

 

Regards, Ritchie...

P.S. - That's one of the reasons why I don't keep all my eggs in the same basket so to speak. I use multiple layers of protection and don't rely on just Immunet or FireAMP Connector (which I'm currently using) to keep me safe.

[Sachin]

Thanks Ritchie,

 

Please let me know is there any plan to fix it as it is critical and compromising confidentiality ,Integrity, Availability. So will I wait for the fix and after patching the bug will disclose it publicly.

 

Thanks,

 

Sachin Wagh

[ritchie58]

I know from experience that software programs can sometimes manifest zero-day vulnerabilities. I use a program that monitors activity using multiple drives. As it turns out, at that time, the current version had a buffer overrun vulnerability in several dll files. The developers, of course, released a new bug-fix version to address the issue as soon as possible once the exploit was recognized. 

Since no one has reported any problems I do have to view this with a little bit of skepticism.

That's not to say that your post is not without merit. Like I said in the previous post it wouldn't be a bad idea to do some internal investigation by the powers that be to substantiate or deny these claims. 

 

Regards, Ritchie...

[chen]

I have sent a letter to Immunet development team, the following are Immunet development team Reply.

[We're currently looking into the DLL hijacking vulnerability, we'll report back with our findings soon]

[Sachin]

Thanks.

 

I will wait.

 

Please let me know if anything required from my side.

 

 

Thanks,

 

Sachin Wagh

[Sachin]

Hi Team, 

 

Any update on this.

 

 

Thanks,

 

Sachin Wagh

[ritchie58]

Hello ryuusei! Glad to hear from you again!

 

I agree with you Sachin, I would also like a definitive answer regarding this possible exploit!

 

There is a new 4.0 version due out soon so if a bug does exist that would be a "great" time to rectify the situation before the new roll-out takes place.

 

Regards, Ritchie...

[Sachin]

Hi Ritchie,

 

Attacker can exploit the vulnerability to load a DLL file of the attacker's choosing that could execute arbitrary code. 

 

I think in the POC video I shown execution of calc.exe through affected software. 

 

An attacker gain access to the system if attackers creates shell as a DLL instead of calc (dll) that i shown in the video.

 

If you are interested I will shown the same. How attacker will gain access to the system and control it. 

 

Thanks,

 

Sachin Wagh

[EugeneC]

Hi all,

 

Thank you to Sachin for bringing this to our attention. We take these vulnerabilities seriously and greatly appreciate your assistance in letting us know. Our development team is currently looking potential solutions, and we are hoping to get the fix in with the update for Immunet that Ritchie mentioned, which is currently scheduled to be released sometime in the next month or two.

 

If our team requires more assistance we will reach out to you via email.

 

Thanks again!

Eugene

[Sachin]

Hello,

 

I have send one mail on support@immunet.com nearly one day before regarding acknowledgement letter. Please revert back on same. 

 

Waiting for you reply.

 

 

Thanks,

 

Sachin Wagh

[fblais]

Was this fixed with the new beta (rev 5)?

[Sachin]

Hello,

 

I did not checked. Can you please provide the download link for same. So i can test it.

 

Thanks,

 

Sachin

[fblais]

The link is given on Immunet's homepage, but here it is:

https://download.immunet.com/binaries/immunet/bin/ImmunetSetup-5.0.0-beta.exe

 

Thanks!

[Sachin]

Thanks,

 

I will  test it. Is their any credit to me (Bounty/Swag).

 

Thanks.

[Master_Kaina]

Hello, I am new to the forums (I normally don't post to sites).
I felt compelled to go through the registration process here in order to post because I am very concerned. I was going to post this in a malware forum or something similar until I found this one potentially related. Please let me know if this belongs somewhere else (I am tempted to post this again in one of the other forums but I will give some time for a reply here before doing so).

I had multiple scans via Virus Total (was just checking all files in my downloads folder for safety before transferring them to a new computer) and it flagged the installation file ImmunetSetup-5.0.0.exe as a virus (file infector)! I then downloaded a new one with the same results for ImmunetSetup.exe! Unfortunately, I downloaded this program and installed it sometime ago on my laptop WITHOUT scanning it via online sites first (yes I know my fault - I only used AVG, Malwarebytes, and Spybot).
Invincea AV listed a virus.win32.sality.at found in the Immunet 5 installation file! The file is digitally signed by Sourcefire Inc. and was downloaded from Immunet's official site. I read that files could be attached to these posts but I am still not seeing that option here otherwise I would have attached both Immunet 5 installation files. I also do not see an option to upload the screenshot I took (only allows from a URL) but here is the link: https://www.virustotal.com/en/file/9a36e4cc9fc8810ecc8815a478370ef451f9c6603300e4b2067e79cfaaabd4ac/analysis/1473473393/.

Is this a false positive? If so, what measures will be taken to correct this? My research shows that the virus.win32.sality.at is EXTREMELY DANGEROUS!

Thank you in advance for addressing this issue.

Best Regards,
Mike

 

P.S.

I reposted this to the Issues/Defects forum here. It allowed me to attach the screenshots but not the actual Immunet 5 setup files.

 

P.P.S.

Ok so NOW it's showing me the "Full Editor" so I have attached the 2 screenshots (but I still cannot attach the Immunet 5 setup files).

 

 

 

P.P.P.S.

Here is the most recent one . . .

 

[yummy]

Thanks,

 

I will  test it. Is their any credit to me (Bounty/Swag).

 

Thanks.

 

 

Sachin, were you ever credited for this vuln? Did this have a happy ending? 

[ritchie58]

Hi yummy, there is a happy ending for this vulnerability! The Immunet team has just released a 6.0.6.10600 build that addresses & eliminates this installer vulnerability issue. The new build will be pushed to users through the UI or you can click on the link below to get the new bootstrapper installer. I had no issues updating from the 6.0.4 to the 6.0.6 build through the UI. I didn't even need to re-boot after updating, which was nice.

 

Here's a copy of what the Admin. KrisD posted in the Announcements section today:

We have released Immunet version 6.0.6. 

 

This release addresses a DLL hijacking vulnerability in the Immunet installer. We will provide more information about the vulnerability, including the CVE, after the official disclosure date.

 

Credit goes to Sachin Wagh (tiger_tigerboy, Wsachin092@gmail.com) for discovering this vulnerablity and bringing it to our attention.

 

As with other releases, this new version is available for download from https://www.immunet.com, as well as via the Immunet UI if you currently Immunet 6.0.0 or earlier installed.

 

The Immunet Protect team