Avira Internet Security System Speedup Insecure Deserialization Vulnerability Allowing Arbitrary Code Execution

A vulnerability allowing insecure deserialization of untrusted data has been identified in the Avira Internet Security suite, specifically within the System Speedup component. The issue arises in the process 'Avira.SystemSpeedup.RealTimeOptimizer.exe', which operates with SYSTEM privileges. This process deserializes data from a file located in 'C:\ProgramData\Avira\SystemSpeedup\temp_rto.dat' using the .NET 'BinaryFormatter', without any input validation or safeguards against malicious data. Since the file can be created or modified by local users under default configurations, an attacker could craft a serialized payload that, when deserialized by the privileged process, leads to arbitrary code execution with SYSTEM rights.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with arbitrary code execution as the SYSTEM user.

Reproduction

The vulnerability can be reproduced by enabling the 'Performance Booster' feature in the Avira Internet Security System Speedup module. Once this feature is active, the 'RealTimeOptimizer' process will run with SYSTEM privileges and access the 'temp_rto.dat' file. An attacker can then replace this file with a crafted payload that exploits the insecure deserialization, leading to code execution as SYSTEM.

Remediation

Users can update to Avira Internet Security version 1.1.114.3113 or later, where this vulnerability has been fixed.