Avira.com SQL Injection and Security Filter Bypassing

Cyber Security Analyst Ebrahim Hegazy has found an Avira.com SQL Injection vulnerability, Avira.com is the famous Avira Antivirus vendor’s web site.

Ebrahim Hegazy(@Zigoo0) Cyber Security Analyst Consultant @ Q-CERT who found a SQL Injection in Yahoo! about two months ago, has found a new SQL Injection vulnerability in Avira.com the famous Avira Antivirus vendor. The Avira.com SQL Injection allows remote attackers to inject own SQL commands to breach the database of Avira.com vulnerable application and get access to the user data or other data stored in inside the Database.

Zigoo0 succeeded to bypass the filter used in Avira.com website to block SQL Injection discovery attempts.

“When I try to manipulate the parameters by adding ‘ Single Qution to the Parameter value to figure out if the parameter is vulnerable to SQLI or no, I got redirected to the main page(filter detection), So I tried the back-slash instead \ and it works with an SQL error appeared. It means that the filter used to block SQL Injection discovery attempts is not behavior based filter but is a black/white word list based!” Zigooo revealed.

Zigoo0 sent me a video as a Proof of concept for the Avira.com SQL Injection vulnerability:

The time line for the Avira.com SQL Injection vulnerability is:

2013-05-25:    Vendor Notification
2013-05-31:    Vendor Fix/Patch

I decided to publish the news despite the Avira.com SQL Injection vulnerability has been fixed for two main reasons:

First I desire to highlight the prompt reply of Avira firm that fixed the flaw in a few days, this is not common as demonstrated by recent events and data breaches.

Second we must consider that  SQL Injection vulnerabilities are responsible for a meaningful portion of observed attacks and the security teams and system administrators have to consider this category of vulnerabilities with great attention.

To have an idea of the number of attacks that exploit this kind of flaw I propose an interesting statistics published on Hackmageddon.com web site and related to the period Gen-May 2013.

“The Distribution of Attack Techniques assigns to the SQL injection the crown of the most used weapon for the month of May. DDoS is “only” at the third place with the half of occurrences. It is interesting to notice the high rate of attacks made by mean of account hijacking, at number four with the 12% of occurrences. a clear consequence of the long trail of high-profile attacks perpetrated by the Syrian Electronic Army.”

Pierluigi Paganini

(Security Affairs –  Avira.com SQL Injection)