AVPWN

A list of real-world threats against endpoint protection software, kept for future reference. The list is based on public information and is therefore necessarily incomplete.

The list should include:

The list doesn't include:

The List

| Name | Link | Internal ID | Server Side | Client Side | Known Incident |
|---|---|---|---|---|---|
| avast! Local Information Disclosure | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-005 | 0 | 1 | Brokered |
| avast! Local Privilege Escalation | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-010 | 0 | 1 | Brokered |
| McAfee ePolicy Orchestrator Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-019 | 1 | 0 | Brokered |
| McAfee ePolicy Orchestrator Post-Auth Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-023 | 1 | 0 | Brokered |
| McAfee ePolicy Orchestrator Post-Auth Privileged Remote Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 13-024 | 1 | 0 | Brokered |
| ESET NOD32 Antivirus and ESET Smart Security Remote Pre-auth Code Execution | https://wikileaks.org/hackingteam/emails/emailid/45441 | 2010-0021 | 0 | 1 | Brokered, Sold |
| Symantec AntiVirus Remote Stack Buffer Overflow | http://www.securityfocus.com/news/11426 | CVE-2006-2630 | 0 | 1 | Exploited ItW |
| McAfee Stinger Portable DLL Sideloading | https://wikileaks.org/ciav7p1/cms/page_27492400.html | Fine Dining | 0 | 1 | CIA collection |
| Sophos Virus Removal Tool DLL sideloading | https://wikileaks.org/ciav7p1/cms/page_27263043.html | Fine Dining | 0 | 1 | CIA collection |
| Kaspersky TDSS Killer Portable DLL Sideloading | https://wikileaks.org/ciav7p1/cms/page_27492393.html | Fine Dining | 0 | 1 | CIA collection |
| ClamWin Portable DLL Hijack | https://wikileaks.org/ciav7p1/cms/page_27262995.html | Fine Dining | 0 | 1 | CIA collection |
| Kaspersky ?? SUID command injection | https://hackmd.io/s/r1gLMUUpx | evolvingstrategy | 0 | 1 | EQGRP exploit leaked by Shadow Brokers |
| Symantec rastlsc.exe DLL side-loading | https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf | OceanLotus | 0 | 1 | ESET report |
| Trend Micro Office Scan server ZIP path traversal | https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/ | CVE-2019-18187 | 1 | 0 | Mitsubishi Electric |
| Trend Micro Apex One and OfficeScan migration tool RCE | https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338 https://success.trendmicro.com/solution/000245571 https://www.tenable.com/blog/cve-2020-8467-cve-2020-8468-vulnerabilities-in-trend-micro-apex-one-and-officescan-exploited-in | CVE-2020-8467 | 1 | 0 | N/A |
| Trend Micro Apex One and OfficeScan content validation escape | https://www.darkreading.com/vulnerabilities---threats/trend-micro-patches-two-zero-days-under-attack/d/d-id/1337338 https://success.trendmicro.com/solution/000245571 https://www.tenable.com/blog/cve-2020-8467-cve-2020-8468-vulnerabilities-in-trend-micro-apex-one-and-officescan-exploited-in | CVE-2020-8468 | 0 | 1 | N/A |
| Windows Defender buffer overflow | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647 | CVE-2021-1647 | 0 | 1 | Exploitation was detected before the fix was released. Snort rules detect the shellcode. May be related to the SolarWinds breach (although this remark was deleted from ZDI's original post) |
| Trend Micro Apex One Improper Access Control Privilege Escalation | https://www.zerodayinitiative.com/advisories/ZDI-20-1094/ | CVE-2020-24557 | 0 | 1 | https://therecord.media/nightmare-week-for-security-vendors-now-a-trend-micro-bug-is-being-exploited-in-the-wild/ (unclear if exploitation happened before or after the vendor was notified about the bug) |
| Trend Micro Apex One Local Privilege Escalation and Arbitrary File Upload | https://success.trendmicro.com/solution/000287819 | CVE-2021-36742 CVE-2021-36741 | 1 | 1 | https://therecord.media/hackers-tried-to-exploit-two-zero-days-in-trend-micros-apex-one-edr-platform/ |
| Trend Micro Apex Central Arbitrary File Upload RCE | https://success.trendmicro.com/dcx/s/solution/000290678?language=en_US | CVE-2022-26871 | 1 | 0 | https://twitter.com/GossiTheDog/status/1510901921657331716 |
| eScan insecure update MitM leads to RCE | https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/ | N/A | 0 | 1 | https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/ |

Immortal exploits

The following list contains exploits of "immortal" vulnerabilities, that is, ones that for some reason cannot be fixed by the vendor.

| Name | Link | Internal ID | Server Side | Client Side | Known Incident |
|---|---|---|---|---|---|
| Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation | https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-agnitum-driver.html https://twitter.com/cherepanov74/status/762654147841781760 | N/A | 0 | 1 | Remsec / Cremes malware |
| Agnitum Sandbox.sys Kernel Driver Arbitrary DLL Loading | https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-agnitum-driver.html https://twitter.com/cherepanov74/status/762654147841781760 | N/A | 0 | 1 | Remsec / Cremes malware |
| AvosLocker Ransomware Variant Abuses Avast Driver File (asWarPot.sys) to Disable Anti-Virus [1] | https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ | BURNTCIGAR | 0 | 1 | AvosLocker, Cuba |
| Zemana AntiMalware/AntiLogger Driver to Disable Anti-Virus [1] | https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver/ | Terminator | 0 | 1 | SpyBot |
| Panda Memory Access Driver multiple vulnerabilities | https://news.sophos.com/en-us/2024/01/25/multiple-vulnerabilities-discovered-in-widely-used-security-driver/ | CVE-2023-6330, CVE-2023-6331, CVE-2023-6332 | 0 | 1 | Red Team used 0-day |
| Avast Anti-Rootkit driver abuse for process termination [1] | https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/ | N/A | 0 | 1 | Unspecified malware |

[1] Abuse of legitimate functionality; admin->kernel is not a security boundary.

Honorable mentions