F-Secure antivirus vulnerability allows code execution via a crafted RAR archive

Windows is designed so that anti-virus products (Windows Defender included) need system privileges to detect and block malware effectively; without them they could not inspect the memory, services and programs that run with administrator privileges, and detection of dangerous code would be very poor.

Blunders happen even to the best from time to time. In January 2018 we drew attention to a small anti-virus apocalypse. Windows Defender was not among the vulnerable antiviruses then, but it did not take long for a serious vulnerability to be found in the Microsoft product. Now much the same has happened with F-Secure products for businesses and home users: the 7-Zip exploit (CVE-2018-10115) has been shown to allow remote code execution in the F-Secure antivirus.

F-Secure antivirus with a vulnerability

Recently, vulnerability CVE-2018-10115 was found in the popular 7-Zip compression software; it allows remote code execution with administrator privileges after unpacking a crafted RAR archive. 7-Zip version 18.05 is already patched, but the vulnerability can affect other software that processes archives, e.g. anti-viruses. Although the 7-Zip vulnerability directly affects F-Secure products, exploiting it there is much harder because of the ASLR mechanism the antivirus uses to protect itself against exploitation. Address space layout randomization (ASLR) makes memory-corruption attacks such as buffer overflows that lead to RCE much harder to exploit. ASLR is used to protect antivirus processes and has been built into Microsoft systems since Windows Vista.
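Whether a module is actually covered by ASLR is recorded by the linker in the PE optional header, so a defender can verify it for any scanner component (7-Zip's own binaries or the archive-handling DLLs of an anti-virus engine). The following is an added example, not code from the article, F-Secure or 7-Zip: it parses the DOS and PE headers, reads the DllCharacteristics field, and reports the DYNAMIC_BASE (ASLR) and HIGH_ENTROPY_VA (64-bit ASLR) flags. Offsets follow the PE/COFF specification; the two sample images at the bottom are constructed in memory purely to show both outcomes and do not represent any real product binary.

```python
"""Check whether a PE image (EXE or DLL) opts in to ASLR.

Added example; not code from the article, F-Secure or 7-Zip. It reads
the DOS header, the PE signature and the optional header's
DllCharacteristics field, where the linker records DYNAMIC_BASE (the
image may be relocated, i.e. ASLR applies) and HIGH_ENTROPY_VA
(64-bit high-entropy ASLR). Offsets follow the PE/COFF specification.
"""
from __future__ import annotations

import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(data: bytes) -> tuple[int, int]:
    """Return (optional header magic, DllCharacteristics) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a PE image")
    # e_lfanew (offset 0x3C in the DOS header) points at "PE\0\0".
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = pe_off + 4
    # SizeOfOptionalHeader sits at +16 in the 20-byte COFF file header.
    (opt_size,) = struct.unpack_from("<H", data, coff_off + 16)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt_off = coff_off + 20
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics is at +70 in both the PE32 and the PE32+ layout.
    (chars,) = struct.unpack_from("<H", data, opt_off + 70)
    return magic, chars


def aslr_report(data: bytes) -> dict:
    """Summarise the ASLR/DEP-related flags of a PE image."""
    magic, chars = dll_characteristics(data)
    is_64 = magic == PE32PLUS_MAGIC
    aslr = bool(chars & DYNAMIC_BASE)
    return {
        "format": "PE32+" if is_64 else "PE32",
        "aslr": aslr,
        # HIGH_ENTROPY_VA only matters for 64-bit images that also opt in to ASLR.
        "high_entropy_aslr": is_64 and aslr and bool(chars & HIGH_ENTROPY_VA),
        "dep": bool(chars & NX_COMPAT),
    }


def build_sample_pe(magic: int, chars: int) -> bytes:
    """Constructed minimal PE header (no sections); for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    opt_size = 112 if magic == PE32PLUS_MAGIC else 96  # header size without data directories
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, opt_size)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, chars)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python pe_aslr_check.py <path-to-exe-or-dll>
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], aslr_report(f.read()))
    else:
        # Constructed images: one built like a hardened 64-bit module, one with no ASLR opt-in.
        hardened = build_sample_pe(PE32PLUS_MAGIC, DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT)
        print("hardened:", aslr_report(hardened))
        print("no ASLR: ", aslr_report(build_sample_pe(PE32_MAGIC, 0)))
```

Run it against a real module to see whether the loader will randomize its base; a module without DYNAMIC_BASE loads at its preferred ImageBase every time, which is exactly the condition that makes a heap-corruption bug like the one in 7-Zip straightforward to turn into code execution, and the condition the article credits F-Secure's engine with avoiding.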

The presented video uses 7-Zip version 18.01 x64 and Windows 10 Redstone 4 (RS4, Build 17134.1). The author prepared a website hosting a specially crafted file that F-Secure processes. The PoC is available in this video.


As a result, the anti-virus engine (fshoster64.exe), which runs with NT AUTHORITY\SYSTEM permissions, scans the HTTP resource and the exploit launches notepad.exe (also with the highest possible permissions). In a real attack notepad.exe could be replaced with any file.
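From a detection standpoint, the telling artefact is the process tree: an anti-virus engine running as SYSTEM spawning a child it has no business spawning. The following is an added example, not code from the article or from F-Secure, that applies that heuristic to process-creation records shaped like the fields of Sysmon Event ID 1 (Image, ParentImage, User, CommandLine). The engine name fshoster64.exe and the SYSTEM account come from the article; the install path, the sample events and the allowlist of expected children are constructed placeholders and would be replaced with values taken from a baseline of the engine's normal behaviour.

```python
"""Flag unexpected children of a SYSTEM-level anti-virus engine process.

Added example; not code from the article or F-Secure. Scans
process-creation records shaped like Sysmon Event ID 1 fields (Image,
ParentImage, User, CommandLine). fshoster64.exe and NT AUTHORITY\\SYSTEM
come from the article; the install path, sample events and the
allowlist of expected children are constructed placeholders.
"""
from __future__ import annotations

import ntpath

# Engine process named in the article; extend with other scanner processes as needed.
ENGINE_IMAGES = {"fshoster64.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
# Hypothetical allowlist: children the engine is known to spawn (fill from a baseline).
EXPECTED_CHILDREN = {"conhost.exe"}

# Placeholder install directory; the real path depends on the product version.
ENGINE_PATH = r"C:\PLACEHOLDER_INSTALL_DIR\fshoster64.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe", "ParentImage": ENGINE_PATH,
     "User": SYSTEM_ACCOUNT, "CommandLine": r"\??\C:\Windows\System32\conhost.exe 0x4"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": ENGINE_PATH,
     "User": SYSTEM_ACCOUNT, "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"DESKTOP-TEST\alice", "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": ENGINE_PATH,
     "User": r"DESKTOP-TEST\alice", "CommandLine": "cmd.exe /c whoami"},
]


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> dict | None:
    """Return an alert dict for a suspicious engine child, or None if benign."""
    parent = image_name(event.get("ParentImage", ""))
    if parent not in ENGINE_IMAGES:
        return None
    child = image_name(event.get("Image", ""))
    if child in EXPECTED_CHILDREN:
        return None
    user = event.get("User", "")
    # A child inheriting SYSTEM from the engine is the worst case, as in the PoC.
    severity = "high" if user == SYSTEM_ACCOUNT else "medium"
    return {
        "severity": severity,
        "parent": parent,
        "child": child,
        "user": user,
        "command_line": event.get("CommandLine", ""),
    }


def find_alerts(events: list[dict]) -> list[dict]:
    """Run the heuristic over a batch of process-creation events."""
    return [alert for alert in map(classify, events) if alert is not None]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['child']} "
              f"as {alert['user']}: {alert['command_line']}")
```

The allowlist approach is deliberately narrow: scanner engines rarely need to launch interactive programs, so a short reviewed list of expected children with everything else alerting gives far fewer false negatives than trying to enumerate suspicious child names such as notepad.exe, which an attacker would simply not use.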

The vulnerability in F-Secure anti-virus products was reported at the beginning of March 2018, and the manufacturer released the update two months later. We recommend that users of F-Secure products for business and home make sure they are running the latest versions.


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.