CVE-2022-AVAST2 (Self-Defense Bypass via Repairing Function)
Product
Avast - Premium Security
Version
21.11.2500 (build 21.11.6809.528)
Vulnerable Component
"instup.exe" and "wsc_proxy.exe"
Description
Avast performs security checks to prevent some of its processes from loading undesired or unsigned DLLs via DLL hijacking attacks.
However, two Avast processes, "instup.exe" and "wsc_proxy.exe", are vulnerable to DLL hijacking. These processes attempt to load a non-existent DLL when the "REPAIR APP" function is called. Because no security check is performed when this DLL is loaded, an attacker with administrative privileges could drop a malicious DLL in a specific location and have it loaded by the affected Avast processes.
Since the vulnerable components are Avast protected processes, an attacker could inject malicious code to control them for malicious purposes such as deactivating the antivirus and staging malware.
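A detection sketch for the behaviour described above, added here as an example and not part of the original advisory: it scans Sysmon Event ID 7 (ImageLoad) records and flags any DLL mapped into "instup.exe" or "wsc_proxy.exe" that is unsigned or signed by an unexpected publisher. The trusted signer names, the file paths and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED = {"instup.exe", "wsc_proxy.exe"}  # the two processes named in the advisory
# Assumption: signer names as your Sysmon reports them; adjust to your fleet.
TRUSTED_SIGNERS = {"Avast Software s.r.o.", "Microsoft Windows"}

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def untrusted_loads(events):
    """Flag Event ID 7 (ImageLoad) records where a watched process maps a DLL
    that is unsigned, has an invalid signature, or comes from an unlisted signer."""
    findings = []
    for xml_text in events:
        event_id, f = parse_event(xml_text)
        if event_id != 7:
            continue
        process = f.get("Image", "").rsplit("\\", 1)[-1].lower()
        if process not in WATCHED:
            continue
        trusted = (f.get("Signed", "").lower() == "true"
                   and f.get("SignatureStatus") == "Valid"
                   and f.get("Signature") in TRUSTED_SIGNERS)
        if not trusted:
            findings.append((process, f.get("ImageLoaded", ""), f.get("Signature", "")))
    return findings

def _sample(event_id, image, loaded, signed, signer, status):
    """Build a constructed Sysmon-style record (paths are placeholders)."""
    data = {"Image": image, "ImageLoaded": loaded, "Signed": signed,
            "Signature": signer, "SignatureStatus": status}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed for illustration, not captured from a real host
    _sample(7, r"C:\ExampleDir\instup.exe", r"C:\ExampleDir\trusted.dll", "true", "Avast Software s.r.o.", "Valid"),
    _sample(7, r"C:\ExampleDir\wsc_proxy.exe", r"C:\ExampleDir\placeholder.dll", "false", "-", "Unavailable"),
    _sample(7, r"C:\ExampleDir\other.exe", r"C:\ExampleDir\placeholder.dll", "false", "-", "Unavailable"),
]

if __name__ == "__main__":
    for hit in untrusted_loads(SAMPLE_EVENTS):
        print("untrusted DLL load:", hit)
```

Sysmon does not log ImageLoad events by default, so the configuration must enable Event ID 7 for these two processes before this check has any data to work on.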
Impact
The vulnerability allows an attacker with administrative privileges to execute malicious code within an Avast process, terminate the Avast antivirus regardless of "Self-Defense" protection, and cause a denial of service (DoS) on the affected system.
Resolution
This vulnerability has been patched since Avast Premium Security 22.2.
Disclosure Timeline
20-01-2022 Vulnerability reported to Avast.
11-02-2022 Avast confirmed the vulnerability and released a patch for the product.