  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
AVG updates grant full control to Everyone, changes owner?
I'm doing some auditing of permissions with AccessEnum, and was shocked to find out that my user was the owner of some of the files that belong to AVG, and that "Everyone" was set to Full Control. So I reset the permissions, and everything is set to \Program Files\ inheritance, and the owner back to "Administrator". Then I updated AVG. It changed "upd_vers.cfg" and "incavi.avm". I looked at them after the update, and sure enough I was the owner again and Everyone had Full Control.
The update service runs as SYSTEM, but so does Kaspersky's but Kaspersky 5 does not exhibit this behavior under a limited account. No permissions are changed in KAV.
I'm running: AVG Free 7.1, XP Pro, limited account, NTFS.
I don't know if the drivers for AVG in system32\drivers are affected, I hadn't checked, but more than likely they are. That is just asking for someone to replace one of AVG's sys files with a rootkit and have it launch at next boot.
EDIT: Added pics. These were all done in the context of a limited user (LowPriv).
Before updating:
 Default Permissions
 Default Owner
After updating:
 Permissions after update
 The limited user is now the owner, multiply this by a major AVG update...
Accounts: Administrator: Administrator; Limited User: LowPriv
  toadlife Premium join:2004-05-03 Coalinga, CA
Bad developers!
Since AVG's developers seem to lack a clue, another thing to check for is whether or not AVG's tray icon (I assume it has one) is displayed by a service with SYSTEM rights. This opens the machine up to a shatter attack.
That's getting a little tinfoil hat-ish though. I've never heard of malware that actually used shatter attacks.
psloss Premium,MVM join:2002-02-24 Alpharetta, GA
reply to redxii: Not sure it matters (aside from a testing standpoint), but which version of AVG? (Free, trial, ???)
Thanks,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
 psloss Premium,MVM join:2002-02-24 Alpharetta, GA
reply to redxii: Hmmm...well, I got the same thing on an MCE 2005 test install (with no subsequent OS/security updates) -- at least in terms of changing the security descriptors on those files (the .avg update files were also changed to be equally permissive).
(This is with the free edition, version 7.1.375a716.)
Unfortunately, some part of AVG also crashed and it began flagging some of its own files and some OS files as being infected. Going to have to retry now from the top to see if that was a transient. -- Feedback? e-mail: stuff@lupwa.org
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
reply to toadlife: That'd be avgcc.exe and it runs as the current user.
psloss, I already indicated that I was using 7.1 Free edition
I posted in the AVG forum and the best response so far was "Make sure it isn't conflicting with KAV." First of all, there was and is no KAV on the machine in the pics and on my computer. I have KAV on other machines.
If someone has a 7.0 setup file, please do send...
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Screenshot captions: Results for \WINDOWS; avg7core.sys; A limited account is owner of a driver...
I found 7.0.308, and then updated it in the limited user. Apparently AVG's drivers are affected too!
Hopefully I am not the only one that sees a problem with this...
 psloss Premium,MVM join:2002-02-24 Alpharetta, GA
reply to redxii
said by redxii: psloss, I already indicated that I was using 7.1 Free edition
Sorry, went right over that in your original post. My bad.
Yeah, that's not good about the updater, although this type of escalation opportunity is still not at the top of the list in terms of taking over control of a Windows box these days.
A more interesting test would be to try to run this on the latest Vista CTP, though I don't know if AVG is compatible or not (i.e., will even install).
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
said by psloss: Yeah, that's not good about the updater, although this type of escalation opportunity is still not at the top of the list in terms of taking over control of a Windows box these days.
It's still an opportunity, and should be fixed.
 psloss Premium,MVM join:2002-02-24 Alpharetta, GA
said by redxii: said by psloss: Yeah, that's not good about the updater, although this type of escalation opportunity is still not at the top of the list in terms of taking over control of a Windows box these days. It's still an opportunity, and should be fixed.
Absolutely agree; however, given that they already have code that appears to add an Everyone/Full Control ACE to DACLs of updated or downloaded files, I'm not sure how sensitive they're going to be to privilege escalation. Or, how expeditiously this will get fixed.
Somewhat randomly, this reminds me of a recent blog post about how terminal session separation in Vista is going to cause some consternation for NAV. For what it's worth, AVG Free installed on the February Vista CTP...but both attempts I made to open the command center caused the OS to bugcheck. Going to be an interesting year to see what happens to this category of consumer software.
Hopefully this issue will gain some traction at Grisoft and maybe the changes to Windows will increase the importance of scouring kludges like this out of their code. -- Feedback? e-mail: stuff@lupwa.org
 Libra Premium join:2003-08-06 USA
reply to redxii: Hi RedXII1234, I'm not comfortable going into safe mode to look at those permissions, but I have AVG7.1 free on my daughter's computer and one time, in a limited account, I tried to delete a WMF test item from the vault, and I wasn't able to. I also tried to change the results of a scan to accept an item "changed", and I couldn't do that either. Based on that I didn't think the limited user had rights. When I tried to make one of those changes I got this error in the Event Viewer:
Source: AVG Category: error Event ID # 100 AVG7.CC plugins.CPluginManager action running failed. Error 0x80004004.
Is there a way for you to get this information to Grisoft? I don't think he visits the AVG forum.
Sincerely, Libra
  redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
In a command prompt: cacls <filenameordirectory>
I am probably falling on deaf ears unless I were a paying customer... In the meantime, thinking about all those other AVG users who, even if they are limited users, have absolutely no idea...
Joe12345678 join:2003-07-22 Des Plaines, IL
reply to redxii: Is it just AVG Free? If it is, this may just be a way to keep it from being used for free on non-home systems, and they assume that all home users are admins.
redxii too big to fail Premium,Mod join:2001-02-26 Austin, TX
Pro does it too.
psloss Premium,MVM join:2002-02-24 Alpharetta, GA
Yeah, this looks like a showstopper for me right now...although I don't know what I'd recommend as an alternative.
Thanks for bringing this to our attention.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
EGeezer Summertime - Premium join:2002-08-04 Country!
reply to redxii: Darn, I just suggested AVG pro to a friend/customer with a half dozen or so systems. I need to tell him to hold off until this is resolved. -- Insert catchy sig line here
 Libra Premium join:2003-08-06 USA
reply to redxii
said by redxii: In a command prompt: cacls <filenameordirectory>
I don't think I can do cacls on XP Home (but I haven't tried).
Should we be changing to a different AV?
Sincerely, Libra
  hpguru Curb Your Dogma Premium join:2002-04-12
reply to psloss
said by psloss: Yeah, this looks like a showstopper for me right now...although I don't know what I'd recommend as an alternative.
Avast! me 'arties!
 psloss Premium,MVM join:2002-02-24 Alpharetta, GA
said by hpguru: Avast! me 'arties!
(Why am I thinking of Yosemite Sam talking to Bugs Bunny?..."I've got you outnumbered, one to one. Come out and meet your doom.")
Setup program is downloaded and a little evaluation is on my todo list.
It does appear that non-admin accounts can perform the workaround that redxii noted earlier of resetting the parts of the file permissions that are being changed (owner) and made too permissive (discretionary ACL), since "full control" includes WRITE_DAC and WRITE_OWNER.
Although looking at redxii's screenshots, it still looks like kind of a mess in AVG's Program Files subdirectory...resetting individual files to inherit their permissions is more precise and more tedious. And propagating inheritance down from the containing directory might change something that was set explicitly (for a better reason than this, I hope).
I think I'll start with testing the software with the eye patch first...
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
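An added example, not code from the thread or from Grisoft: a PowerShell script that audits a directory tree for the two symptoms discussed above (an Allow ACE granting Everyone write, WRITE_DAC or WRITE_OWNER rights, which Full Control includes, and a file whose owner is not Administrators or SYSTEM) and, with -Fix, applies redxii's remedy of dropping explicit ACEs, re-enabling inheritance from the parent folder and setting the owner back to Administrators. The default path is an assumption; point it at your own install.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
# Without -Fix it only reports; with -Fix it resets each offending file.
param(
    [string]$Path = "$env:ProgramFiles\Grisoft",   # assumed AVG install root
    [switch]$Fix
)

$everyoneSid   = 'S-1-1-0'                         # Everyone
$adminsSid     = 'S-1-5-32-544'                    # BUILTIN\Administrators
$trustedOwners = @($adminsSid, 'S-1-5-18')         # Administrators, SYSTEM
$sidType       = [System.Security.Principal.SecurityIdentifier]
# Rights that let the holder modify the file or its security descriptor.
$risky = [System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership'

Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -LiteralPath $file.FullName
        $ownerSid = $acl.GetOwner($sidType).Value
        $badOwner = $trustedOwners -notcontains $ownerSid

        # Compare SIDs, not names, so the check is locale-independent.
        $badAces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $everyoneSid -and
            ($_.FileSystemRights -band $risky) -ne 0
        }

        if ($badOwner -or $badAces) {
            New-Object PSObject -Property @{
                File           = $file.FullName
                Owner          = $acl.Owner
                EveryoneRights = ($badAces | ForEach-Object { $_.FileSystemRights }) -join '; '
            }
            if ($Fix) {
                # Remove explicit ACEs, inherit from the parent, reset the owner.
                $acl.GetAccessRules($true, $false, $sidType) |
                    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
                $acl.SetAccessRuleProtection($false, $false)
                $acl.SetOwner((New-Object System.Security.Principal.SecurityIdentifier $adminsSid))
                Set-Acl -LiteralPath $file.FullName -AclObject $acl
            }
        }
    }
```

Review the report before running with -Fix: as psloss notes above, re-enabling inheritance discards any explicit ACE on the file, including ones that were set deliberately.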
dp Premium,MVM join:2000-12-08 Greensburg, PA
reply to redxii: I've emailed Grisoft and asked them to view this thread. Hopefully they will address this issue promptly.
  hpguru Curb Your Dogma Premium join:2002-04-12
reply to psloss
said by psloss: said by hpguru: Avast! me 'arties! (Why am I thinking of Yosemite Sam talking to Bugs Bunny?..."I've got you outnumbered, one to one. Come out and meet your doom.") Setup program is downloaded and a little evaluation is on my todo list.
LOL!
On second thought, Avast! may have the same issue, but I couldn't say it changes the default permissions since I have it installed in a folder on another partition with custom perms. It did however change the perms for the subfolders under D:\Program Files\Alwil Software\Avast4\DATA, giving Everyone full control. -- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding.