CVE-2019-11230

Avast Antivirus Local DoS

A bug in Avast Antivirus (fixed in v19.4) allows an attacker with local administrator privileges to cause Avast to fail to start. Avast can be tricked into renaming any of its files by replacing a log file with a symlink pointing to an Avast file. The next time Avast attempts to write to the log file, the target of the symlink is renamed. This defect can be exploited to rename critical binaries such as “AvastSvc.exe”, causing Avast to fail to start on the next system restart. This vulnerability bypasses Avast’s ‘self-defense’ mechanism, which prevents administrators from tampering with critical Avast files.

Exploitation

The log file “C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs\Update.log” is not protected by Avast’s self-defense module, which allows a local administrator to replace this file with a symlink. We can open an elevated command prompt and run the following commands:

cd "C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs"
del Update.log
mklink Update.log "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"

The next time Avast updates, AvastSvc.exe will be renamed. You can force this by clicking “Update” in the UI.
The next time you reboot, Avast will fail to start, allowing an attacker to run post-exploitation scripts without fear of detection.
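
A defender-side check for the condition described above, as an added example that is not part of the original advisory or Avast's code: it walks a log directory and reports every symlink and whether its target resolves outside that directory. The sandbox layout and the name Setup.log are constructed, and the check assumes log files are normally regular files.

```python
import os
import tempfile

# Log directory named in the advisory; pass any other directory to audit it instead.
AVAST_LOG_DIR = r"C:\ProgramData\AVAST Software\Persistent Data\Avast\Logs"


def audit_log_dir(log_dir):
    """Return one finding per symlink found under log_dir.

    Each finding is (relative_link_path, resolved_target, escapes), where
    escapes is True when the target resolves outside log_dir.
    """
    root = os.path.realpath(log_dir)
    findings = []
    # followlinks=False: report directory links without descending into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # also resolves dangling links
            try:
                escapes = os.path.commonpath([root, target]) != root
            except ValueError:  # target is on a different drive (Windows)
                escapes = True
            findings.append((os.path.relpath(path, root), target, escapes))
    return findings


def demo():
    """Constructed sandbox: one regular log and one log replaced by a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = os.path.join(tmp, "Logs")
        prog = os.path.join(tmp, "Program")
        os.makedirs(logs)
        os.makedirs(prog)
        binary = os.path.join(prog, "AvastSvc.exe")  # empty stand-in file
        open(binary, "w").close()
        open(os.path.join(logs, "Setup.log"), "w").close()  # hypothetical name
        # Creating a symlink on Windows needs elevation or Developer Mode.
        os.symlink(binary, os.path.join(logs, "Update.log"))
        return audit_log_dir(logs)


if __name__ == "__main__":
    for link, target, escapes in demo():
        print(f"{link} -> {target} (outside log dir: {escapes})")
```

On a real host, call audit_log_dir(AVAST_LOG_DIR) and treat any finding with escapes set to True as tampering to investigate.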

Disclosure Timeline

Disclosed to vendor: 13/11/2018
Partial fix released in version 19.1: 4/1/2019
Full fix released in version 19.4: 9/4/2019

Written on June 27, 2019