Description
It was noted that there is security checking to prevent some of the Avast processes from loading of undesired/unsigned DLLs via DLL hijacking attack.
However, It was noted that there are two Avast processes “instup.exe” and “wsc_proxy.exe” which are vulnerable to DLL hijacking vulnerability. These processes will attempt to load an non-existing DLL while calling “REPAIR APP” function. Due to the lack of security checking while loading the DLL, attackers who have administrative privilege could drop a malicious DLL on a dedicated location and get it loaded by the affected Avast processes.
Since those vulnerable components are Avast protected processes, attacker could inject malicious code to control the Avast protected processes for malicious purposes such as deactivating the antivirus and staging malware.
