Researchers uncovered a simple vulnerability that existed in almost 28 antivirus products and that allows malware authors to disable the antivirus software, or even turn it into a self-destructive tool. The bug abuses directory junction (Windows) and symlink (macOS & Linux) operations to carry out the exploitation.
A directory junction is unique to Windows and can only link two directories together; it cannot link files, and the directories must be local to the file system.
No admin privileges are required to exploit antivirus software running on Windows. A symlink, also referred to as a symbolic link, is commonly used on Linux and macOS. A symlink is a type of file that points to another file.
Using either method, the flaw leverages the antivirus software's privileged file operations to disable it or to interfere with the operating system so as to render it ineffective.
Antivirus software typically runs with high privileges, giving it the highest level of authority to scan all files and directories in search of unknown and malicious files, which are then quarantined and moved to an isolated environment.
This nature of antivirus software exposes it to a variety of vulnerabilities and race conditions, which ultimately allow attackers to gain high-level privileges on vulnerable systems.
Exploitation and Impact
The exploitation is straightforward, and experienced malware authors can easily exploit the flaw. However, it is highly time-sensitive, and it is important to determine exactly when to perform the directory junction or symlink operation.
A local attacker attempting to escalate privileges would be able to find the right timing to exploit the flaw.
According to the rack911labs report, "In some of the antivirus software that we exploited, the timing wasn't important at all and a simple loop statement of running the exploit over and over was all that was needed to manipulate the antivirus software into self-destructing. One second too early or one second too late and the exploit will not work."
Exploiting Windows (PoC Video)
Researchers tested the exploitation process against McAfee Endpoint Security for Windows using their proof-of-concept, and they were able to delete the EpSecApiLib.dll file.
"In our testing, we were able to delete any file that was not currently in use including the ability to interfere with the antivirus operations itself", researchers said.
rd /s /q C:\Users\User\Desktop\exploit
echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > C:\Users\User\Desktop\exploit\EpSecApiLib.dll
rd /s /q C:\Users\User\Desktop\exploit
mklink /J C:\Users\User\Desktop\exploit "C:\Program Files (x86)\McAfee\Endpoint Security\Endpoint Security Platform"
Exploiting macOS & Linux (PoC Video)
Researchers used their PoC exploit against Norton Internet Security for macOS, downloading the EICAR test string from Pastebin because the real-time protection prevents the test string from being downloaded from the Norton official website.
While the test string is being downloaded from Pastebin, the antivirus immediately detects it as malware and attempts to clean it up.
Researchers said, "we were able to identify an approximate delay of 6-8 seconds that allows a race condition to occur that can result in a symlink attack causing any file to be removed due to the fact that the software runs as root."
PoC exploit code for macOS
rm -rf /Users/Username/exploit ; mkdir /Users/Username/exploit
curl -k https://pastebin.com/raw/jZJ6Ekzt > /Users/Username/exploit/passwd
rm -rf /Users/Username/exploit ; ln -s /etc /Users/Username/exploit
This proof-of-concept also works for some Linux antivirus software, and the researchers were able to delete critical files that would have rendered the antivirus software ineffective.
All the affected antivirus vendors have individually confirmed the issue, and nearly every antivirus vendor mentioned on this page has now released a patch. Users are advised to apply the newly released patch for the respective antivirus software installed on their computers.
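The root cause on macOS and Linux is a privileged process that decides by path and then deletes by path, so a directory swapped for a symlink between the two steps redirects the delete. The following is an added example, not code from the researchers or from any antivirus vendor: a hypothetical quarantine routine that pins the parent directory with a descriptor (each component opened with O_NOFOLLOW) and unlinks relative to it, shown beside the naive path-based delete on a constructed symlink scenario. It assumes a POSIX system; the function and file names are invented for illustration.

```python
import os
import stat
import tempfile

def open_dir_nofollow(path):
    """Walk the directory one component at a time with O_NOFOLLOW, so no component can be a symlink."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(os.sep if os.path.isabs(path) else ".", flags)
    try:
        for part in [p for p in os.path.normpath(path).split(os.sep) if p]:
            nfd = os.open(part, flags, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except OSError:
        os.close(fd)
        raise
    return fd

def remove_hardened(parent, name):
    """Pin the parent with a descriptor, then unlink relative to it. A symlinked parent or a
    non-regular file is refused, so a path swap after the scan decision cannot redirect the delete."""
    try:
        dfd = open_dir_nofollow(parent)
    except OSError:
        return False  # ELOOP/ENOTDIR: a symlink sits in the chain, refuse it
    try:
        st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            return False
        os.unlink(name, dir_fd=dfd)
        return True
    except OSError:
        return False
    finally:
        os.close(dfd)

def demo():
    """Constructed scenario mirroring the PoC: 'exploit' has become a symlink to a directory the attacker chose."""
    base = os.path.realpath(tempfile.mkdtemp())
    target = os.path.join(base, "target")
    os.mkdir(target)
    for n in ("a", "b"): open(os.path.join(target, n), "w").close()  # constructed sample files
    link = os.path.join(base, "exploit")
    os.symlink(target, link)
    os.remove(os.path.join(link, "a"))     # naive path-based delete follows the link
    naive_deleted = not os.path.exists(os.path.join(target, "a"))
    refused = remove_hardened(link, "b")   # symlinked parent: refused
    kept = os.path.exists(os.path.join(target, "b"))
    direct = remove_hardened(target, "b")  # real directory: allowed
    return naive_deleted, refused, kept, direct
```

The descriptor-relative approach removes the window the researchers timed, because the kernel resolves the name against the directory that was already opened, not against whatever the path points to at unlink time.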