内容简介:The main Avast antivirus process is called AvastSvc.exe, which runs as SYSTEM.That service loads the low level antivirus engine, and analyzes untrusted data received from sources like the filesystem minifilter or intercepted network traffic.
Avast Antivirus JavaScript Interpreter
The main Avast antivirus process is called AvastSvc.exe, which runs as SYSTEM.
That service loads the low level antivirus engine, and analyzes untrusted data received from sources like the filesystem minifilter or intercepted network traffic.
Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers.
So.. maybe not great that it includes a custom JavaScript interpreter....????
This repository contains an interactive shell that lets you test the interpreter on Linux for vulnerability research.
Building
Here's how to try it out, first install the dependencies.
Ubuntu
$ sudo apt install libreadline-dev:i386 libc6-dev-i386 gcc-multilib
Fedora
$ sudo yum install readline-devel.i686 glibc-devel.i686 libgcc.i686
Now you can clone this repository.
$ git clone https://github.com/taviso/avscript.git $ cd avscript $ git submodule update --init --recursive
If everything looks good, build it and avscript
should be ready.
$ make
Notes
Reproducing Vulnerabilities on Windows
For performance reasons, Avast do not interpret every JavaScript file they encounter, they use a heuristic to determine if it's necessary. I've found that appending the file javascript.txt
included in this repository is enough to always trigger the heuristic.
For example, if you have found a vulnerability and want to reproduce it on Windows, you would first do this:
$ cat yourtestcase.js javascript.txt > ReproForWindows.js
Now verify that it still does what you expect, e.g.
$ ./avscript ReproForWindows.js main(): File ReproForWindows.js` loaded, about to initialize interpreter... Segmentation fault (core dumped)
Then verify the crash reproduced on Windows.
Protected Process
The Avast service is a protected process, which means debugging it from userspace is tricky. If you have kd configured, you can simply undo this and then debugging in userspace works fine.
A quick and easy solution that works on 32-bit is to do this (note that PatchGuard won't permit this on x64, but you can do something similar with breakpoint commands ).
There is also a setting under "Troubleshooting" called "Enable Self-Defense" that should be disabled. I believe this setting disables hooking OpenProcess()
in the SSDT, where they normally blacklist their own process.
You may need to temporarily disable "shields" in the Avast UI while you attach so that filesystem operations don't deadlock while the service is suspended.
Debugging
Avast does not publish any symbols for their engine, but debugging with IDA or gdb is still possible. There are some notes on debugging Windows code from Linux in the loadlibrary documentation .
If you want to use IDA, I would recommend using the gdbserver
backend.
Simply use something like this, you might need to intall the gdbserver package first:
$ gdbserver 0.0.0.0:23946 ./avscript
This works surprisingly well, even pseudocode breakpoints work.
Vulnerabilities
If you find a vulnerability, it is likely critical and wormable .
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网
猜你喜欢:本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
白话机器学习算法
[新加坡] 黄莉婷、[新加坡] 苏川集 / 武传海 / 人民邮电出版社 / 2019-2 / 49.00元
与使用数学语言或计算机编程语言讲解算法的书不同,本书另辟蹊径,用通俗易懂的人类语言以及大量有趣的示例和插图讲解10多种前沿的机器学习算法。内容涵盖k均值聚类、主成分分析、关联规则、社会网络分析等无监督学习算法,以及回归分析、k最近邻、支持向量机、决策树、随机森林、神经网络等监督学习算法,并概述强化学习算法的思想。任何对机器学习和数据科学怀有好奇心的人都可以通过本书构建知识体系。一起来看看 《白话机器学习算法》 这本书的介绍吧!