Password stealer in Avira Free Antivirus

What if I told you that the sole function of one of the trusted, digitally signed components of an anti-virus product is to collect all the credentials stored in popular Internet browsers? And what if I added that it does not care on whose behalf it collects them? You probably think I'm delusional. Let's see how things really are, shall we?

Let's dig in

Once upon a time there lived an anti-virus company called Avira GmbH & Co. KG. It produces various information security products, and it even has free products for home use.

Out of curiosity, let's install the free version and see what our German colleagues' product can do. We glance at the interface: nothing unusual. We find no mention of another of the company's products, Avira Password Manager.

What about taking a look at the component with the unobtrusive name "Avira.PWM.NativeMessaging.exe"? It is compiled for the .NET platform and not obfuscated in any way, so we load it into dnSpy and study the program code freely.

It is a console program that expects commands on standard input. The "Main" function reads data from the stream with "Read", checks the format and passes the command to the "ProcessMessage" function. That, in turn, checks that the command passed is either "fetchChromePasswords" or "fetchCredentials" (although what difference does it make, if the subsequent behaviour is the same?), and then the fun begins: a call to the "RetrieveBrowserCredentials" function. Intriguing... what could a function with that name do?


Nothing unusual, as it turns out: it simply gathers into one list all the accounts the user has saved while working in the "Chrome", "Opera" (Chromium-based), "Firefox" and "Edge" (Chromium-based) browsers and returns the data as a JSON object.


And then it prints the collected data to the console.


The essence of the problem

  • The component collects user credentials;
  • The component does not verify the calling program (for example, by checking for the manufacturer's own digital signature on it);
  • The component carries a "trusted" digital signature and does not arouse the suspicion of other anti-virus vendors' products;
  • The component works as a standalone application.
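Since the component runs as a standalone executable and does not check who launched it, a defender's practical lever is process telemetry: a native messaging host is normally started by the browser it serves, so a launch by any other parent deserves a look. The following detection sketch is an added example, not code from the article or from Avira; the process-creation events are constructed here in a Sysmon-like JSON shape, and the list of browser executables treated as legitimate parents is an assumption, not something the article states. The SHA1 comes from the IoC section below, so a renamed copy of the same binary is caught as well.

```python
"""Added detection example: flag launches of Avira.PWM.NativeMessaging.exe
(or a renamed copy with the same SHA1) whose parent is not a browser.

Sample events are constructed; the browser allowlist is an assumption."""
import json

TARGET_IMAGE = "avira.pwm.nativemessaging.exe"
# SHA1 of the component as published in the article's IoC section
KNOWN_SHA1 = "13c95241e671b98342dba51741fd02621768ecd5"
# Assumed legitimate parents: the browsers that start native messaging hosts
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe"}

# Constructed process-creation events (Sysmon-like fields, one JSON object each)
SAMPLE_EVENTS = [
    {   # normal case: the browser starts its native messaging host
        "UtcTime": "2020-05-01 10:00:01",
        "Image": "C:\\Program Files (x86)\\Avira\\Avira.PWM.NativeMessaging.exe",
        "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "SHA1": KNOWN_SHA1,
    },
    {   # the same host started from a shell: nobody checks the caller
        "UtcTime": "2020-05-01 10:02:17",
        "Image": "C:\\Program Files (x86)\\Avira\\Avira.PWM.NativeMessaging.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "SHA1": KNOWN_SHA1,
    },
    {   # a renamed copy of the signed binary, identified only by its hash
        "UtcTime": "2020-05-01 10:05:44",
        "Image": "C:\\Users\\Public\\svc_update.exe",
        "ParentImage": "C:\\Users\\Public\\updater.exe",
        "SHA1": KNOWN_SHA1,
    },
    {   # unrelated process, should not be flagged
        "UtcTime": "2020-05-01 10:06:00",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "SHA1": "PLACEHOLDER_SHA1_UNRELATED",
    },
]
SAMPLE_LINES = [json.dumps(event) for event in SAMPLE_EVENTS]


def image_name(path):
    """Lower-cased file name of an image path (Windows or POSIX separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event is suspicious, otherwise None."""
    name_match = image_name(event["Image"]) == TARGET_IMAGE
    hash_match = event.get("SHA1", "").lower() == KNOWN_SHA1
    if not (name_match or hash_match):
        return None
    parent = image_name(event["ParentImage"])
    if parent in BROWSER_PARENTS:
        return None
    if not name_match:
        return f"renamed copy of the credential-collecting host (SHA1 match) started by {parent}"
    return f"credential-collecting host started by non-browser parent {parent}"


def scan(lines):
    """Parse JSON event lines and return (UtcTime, reason) for every hit."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            alerts.append((event["UtcTime"], reason))
    return alerts


if __name__ == "__main__":
    for when, why in scan(SAMPLE_LINES):
        print(when, why)
```

Matching on the hash as well as the file name is what makes the third event visible; a check on the image name alone would miss a copy of the signed binary dropped under a different name. In a real pipeline the allowlist of parents would be tightened to full paths and the browser processes' own integrity would be a separate question.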

IoC

SHA1: 13c95241e671b98342dba51741fd02621768ecd5.

CVE-2020-12680 has been opened for this issue.

On 07.04.2020, I sent a letter about this problem to [email protected] and [email protected] with a full description. There were no reply letters, not even from automated systems. A month later, the described component is still shipped in the Avira Free Antivirus distribution.

Source: habr.com
