Hi, guys! Hope y’all are doing well. The number of COVID-19 cases is increasing dramatically all of a sudden. So, stay safe and stay indoors as much as possible!
In today’s blog, we’re going to see how the famous antivirus technology that is supposed to keep the bad guys away, ironically, becomes the weak point that exposes computers due to the flaws it has. Many popular antivirus solutions are mentioned with regards to these security vulnerabilities.
Researchers say these security flaws can let attackers elevate their privileges, which in turn helps malware gain a firm foothold on the compromised systems.
Now that we understand the seriousness of these security flaws found in popular antivirus solutions, let’s get into the details!
What is the base problem?
Antivirus and anti-malware products normally run with high privileges to go about their operations. According to a report published by CyberArk researcher Eran Shimony, these high privileges are exactly what make such solutions attractive targets for exploitation via file manipulation attacks, in which malware gains elevated permissions on the system.
Impacted big names?
Among the wide range of antivirus solutions affected by these bugs are:
- Check Point
- Trend Micro
- Microsoft Defender
All of these bugs are reported to have been fixed by the respective vendors.
Figure 1: Antivirus solutions and their respective vulnerabilities
What can these vulnerabilities do?
The 2 most dangerous actions these vulnerabilities allow are:
- Deleting files from arbitrary locations, which lets the attacker delete any file on the system
- Corrupting files (a file corruption vulnerability), which lets a bad actor wipe the content of any file on the system
CyberArk says these bugs are the consequence of the default DACLs (Discretionary Access Control Lists) on the "C:\ProgramData" folder of Windows, which is used by applications to store data for standard users without requiring additional permissions.
Because every user has both write and delete permission at the top level of that directory, the likelihood of a privilege escalation rises whenever a non-privileged process creates a new folder in "ProgramData" that a privileged process later accesses.
Different scenarios tested out by the researchers
When exploring the vulnerabilities, the researchers observed that 2 completely different processes - one privileged and the other running as an authenticated local user - shared the same log file. This lets an attacker abuse the privileged process to delete the file and create a symbolic link in its place, pointing to any arbitrary file of the attacker's choosing with malicious content.
In another scenario, CyberArk looked at whether a new folder could be created in "C:\ProgramData" before a privileged process is ever executed. This led them to a new discovery: when the McAfee antivirus installer is run after the "McAfee" folder has already been created, the standard user ends up with full control over that directory. This, in turn, lets the local user gain elevated permissions by performing a symlink attack.
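Since a symlink attack leaves a link behind on disk, a defender can sweep for it. The PowerShell below is an added example (not code from the original post, The Hacker News or CyberArk): it walks a directory tree such as ProgramData and reports every symbolic link or junction whose target resolves outside that tree. It assumes Windows PowerShell 5.1 or later (for the `LinkType` and `Target` properties) and the root path in the usage line is illustrative.

```powershell
# Added example, not from the original post: list reparse points (symbolic links and junctions)
# under $Root whose target lies outside $Root. Assumes Windows PowerShell 5.1 or later.
function Find-SuspiciousReparsePoints {
    param([Parameter(Mandatory)][string]$Root)

    # Normalise the root so a simple prefix comparison is enough to decide "inside or outside".
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\') + '\'

    Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -in @('SymbolicLink', 'Junction') } |
        ForEach-Object {
            $link = $_
            # Windows PowerShell 5.1 exposes Target as string[]; PowerShell 7 as string. @() handles both.
            foreach ($t in @($link.Target)) {
                # Targets may be relative or carry the NT "\??\" prefix; turn them into a full path.
                $t = $t -replace '^\\\?\?\\', ''
                if (-not [System.IO.Path]::IsPathRooted($t)) {
                    $t = Join-Path (Split-Path -Parent $link.FullName) $t
                }
                $t = [System.IO.Path]::GetFullPath($t)
                [pscustomobject]@{
                    Link        = $link.FullName
                    LinkType    = $link.LinkType
                    Target      = $t
                    OutsideRoot = -not $t.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)
                }
            }
        } |
        Where-Object OutsideRoot
}

# Example sweep (path is illustrative; point it at the product folder you want to check).
Find-SuspiciousReparsePoints -Root 'C:\ProgramData' | Format-Table -AutoSize
```

Windows ships a few compatibility junctions of its own under ProgramData (the "Desktop" and "Documents" entries that point into C:\Users\Public, for instance), so the useful reading of the output is a diff against a known-good baseline rather than "any hit is bad". A link that appears inside a vendor's own subfolder and points at a file the privileged service will later open or delete is the artifact worth investigating.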
Symlink attacks are a newer method for exploiting websites. The attack relies on creating a "shortcut" folder from the web server user directory to the web server's root directory. The theory of the attack is explained along with a practical example of its use and methods for prevention.
For those who would like to know more about Symlink attack and do a hands-on tutorial, here’s a useful resource.
Besides all of these, a DLL Hijacking flaw was discovered in Trend Micro, Fortinet, and other antivirus solutions. Upon successful exploitation, this flaw lets an attacker place a malicious DLL file into the application directory and elevate privileges.
DLL Hijacking is a way for attackers to execute unexpected code on your machine. This means that if an attacker can get a file on your machine (by social engineering, remote control, etc.) that file could be executed when the user runs an application that is vulnerable to DLL Hijacking.
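Both problems described above, the ProgramData folder that a standard user may create first and the application directory that a standard user can drop a DLL into, reduce to the same question: which directories can a non-admin write to? The PowerShell below is an added example (not code from the original post, The Hacker News or CyberArk) that answers it. `Test-WeakDirectoryAcl` lists the ACEs on a directory that grant write-like rights to standard-user principals, `Get-DllSearchPathRisks` runs that check over the directories Windows consults when loading a DLL for a given executable, and `New-HardenedDirectory` shows the explicit DACL a privileged installer should apply instead of trusting a folder that already exists. It assumes Windows PowerShell 5.1 or later and an elevated session for the hardening step; the paths in the example run (including the "ExampleVendor" names) are illustrative.

```powershell
# Added example, not from the original post: audit directories for standard-user write access and
# create a directory with a locked-down DACL. Assumes Windows PowerShell 5.1 or later.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Principals that stand for "any standard user". CREATOR OWNER is included because the default
# ProgramData DACL grants it FullControl on new subfolders: whoever creates the folder owns it.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-3-0')  # Everyone, Authenticated Users, Users, CREATOR OWNER

# Rights that let the holder add, replace or remove entries in a directory.
$WriteLikeRights = [FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteData, FullControl'

function Convert-ToSid([IdentityReference]$Identity) {
    try { $Identity.Translate([SecurityIdentifier]).Value } catch { $Identity.Value }  # unresolvable account: keep raw value
}

function Test-WeakDirectoryAcl {
    # Return the Allow ACEs on $Path that give write-like rights to a standard-user principal.
    # No output means a standard user cannot plant, replace or delete entries there.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
        if (($ace.FileSystemRights -band $WriteLikeRights) -eq 0) { continue }
        if ((Convert-ToSid $ace.IdentityReference) -notin $LowPrivSids) { continue }
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            # InheritOnly ACEs apply to children only, not to this directory itself.
            AppliesHere = ($ace.PropagationFlags -band [PropagationFlags]::InheritOnly) -eq 0
            Inherited   = $ace.IsInherited
        }
    }
}

function New-HardenedDirectory {
    # Create (or re-secure) $Path with an explicit DACL: inheritance from the parent is cut,
    # SYSTEM and Administrators get FullControl, Users get ReadAndExecute only, and ownership is
    # moved to Administrators. The owner of an object can always rewrite its DACL, so a folder a
    # standard user created first is not safe until ownership is taken. Needs an elevated session.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)              # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)                     # drop whatever the creator left behind
    }
    $flags = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($e in @(
            @{ Sid = 'S-1-5-18';     Rights = [FileSystemRights]::FullControl },    # NT AUTHORITY\SYSTEM
            @{ Sid = 'S-1-5-32-544'; Rights = [FileSystemRights]::FullControl },    # BUILTIN\Administrators
            @{ Sid = 'S-1-5-32-545'; Rights = [FileSystemRights]::ReadAndExecute }  # BUILTIN\Users
        )) {
        $rule = [FileSystemAccessRule]::new([SecurityIdentifier]::new($e.Sid), $e.Rights,
                                            $flags, [PropagationFlags]::None, [AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    $acl.SetOwner([SecurityIdentifier]::new('S-1-5-32-544'))
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-DllSearchPathRisks {
    # Directories Windows consults, in order, when resolving a DLL for $ExecutablePath under the
    # default SafeDllSearchMode. Each one is checked for standard-user write access, which is the
    # precondition for DLL hijacking.
    param([Parameter(Mandatory)][string]$ExecutablePath)
    $order = @(
        (Split-Path -Parent $ExecutablePath),              # 1. application directory
        [Environment]::GetFolderPath('System'),            # 2. System32
        (Join-Path $env:windir 'System'),                  # 3. 16-bit system directory
        $env:windir,                                       # 4. Windows directory
        (Get-Location).ProviderPath                        # 5. current directory
    ) + ($env:Path -split ';' | Where-Object { $_ })       # 6. PATH entries
    foreach ($dir in ($order | Select-Object -Unique)) { Test-WeakDirectoryAcl -Path $dir }
}

# Example run (illustrative paths). The first call shows the default ProgramData ACEs that let any
# user create subfolders there; the last two show a privileged installer creating its own folder safely.
Test-WeakDirectoryAcl -Path 'C:\ProgramData' | Format-Table -AutoSize
Get-DllSearchPathRisks -ExecutablePath 'C:\Program Files\ExampleVendor\agent.exe' | Format-Table -AutoSize
New-HardenedDirectory -Path 'C:\ProgramData\ExampleVendor'
Test-WeakDirectoryAcl -Path 'C:\ProgramData\ExampleVendor' | Format-Table -AutoSize
```

After `New-HardenedDirectory` runs, the final `Test-WeakDirectoryAcl` call returns nothing, because the only remaining standard-user ACE is ReadAndExecute for Users. The `AppliesHere` column matters when reading the ProgramData output: the default Users ACEs there are mostly inherit-only, which is exactly why the danger shows up in the subfolders a user creates rather than in the root itself.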
So, what is CyberArk saying about these vulnerabilities?
CyberArk stresses that access control lists should be kept strict to prevent arbitrary delete vulnerabilities, and that installation frameworks should be kept up to date to mitigate DLL Hijacking attacks.
CyberArk researchers say:
"The implications of these bugs are often full privilege escalation of the local system. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization."
Although these problems have already been addressed by the respective vendors, CyberArk's reports serve as a stinging reality check: even software that is meant to defend and protect users, such as antivirus solutions, can become a channel that aids attackers with their malicious intents if it contains security weaknesses of its own.
That’s it for the blog today, y’all! I hope my non-technical readers found the additional notes I made for them useful. Feel free to drop comments and share this blog if you found it interesting.
Stay safe and stay tuned.
Until next time, friends!
Credits: The Hacker News