Endpoint Security

Researchers Turn Antivirus Software Into Destructive Tools

A vulnerability impacting nearly all antivirus products out there could have been exploited to disable anti-malware protection or render the operating system unusable, RACK911 Labs security researchers reveal.


Most antivirus software performs a “real time scan” of unknown files saved to disk and, if considered suspicious, these files are either moved to a secure location to be quarantined, or deleted from the system.

The issue, the researchers say, is that there is a small time window between the scan and the cleanup operation, and that almost all antivirus software performs these file operations with the highest privilege level the operating system offers (SYSTEM on Windows, root on Linux and macOS), while the files themselves sit in directories the local user controls.

“Therein lies a fundamental flaw as the file operations are (almost) always performed at the highest level which opens the door to a wide range of security vulnerabilities and various race conditions,” RACK911 Labs notes.

In that window between the antivirus' scan and its cleanup operation, a malicious local user or a piece of malware can win a race against the privileged file operation: by swapping the path the antivirus has already scanned for a link that points somewhere else, the attacker makes the privileged delete or move land on a file of their choosing, either disabling the system's security protections or damaging the operating system itself.

The attack, the researchers say, can be performed via a directory junction in Windows, or through a symlink in Linux and macOS.

A directory junction is a Windows-only reparse point that makes one local directory path resolve to another directory on the same system. Any user can create one, and no administrator-level privileges are required, so an attacker can use it freely when exploiting the antivirus on Windows.


On Linux and macOS, a symlink, or "symbolic link," is a filesystem entry that points at another path (a file or a directory) and is followed transparently by path lookups; any unprivileged user can create one. Windows also supports symbolic links, but creating them requires the SeCreateSymbolicLinkPrivilege, which standard user accounts do not hold by default, which is why the junction is the practical primitive there.
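The race described above, simulated in a few dozen lines: a privileged "scanner" reads a file in a user-writable directory, decides it is malicious, and deletes it, while the local user renames the directory away and replaces it with a symlink to a protected directory holding a file of the same name. This is an added example written for this page, not RACK911 Labs' proof of concept. The `between_scan_and_delete` hook stands in for the timing the article discusses (in a real attack that is a tight loop of rename-plus-symlink), the `MALWARE_MARKER` string and the `av_install`/`dropzone` directory names are constructed for the demo, and the hardened variant shows the fix the article's conclusion points at: open the parent directory once with `O_NOFOLLOW`, scan through the file descriptor, and unlink relative to that directory handle so a later path swap cannot redirect the delete. POSIX only (Linux or macOS), since it relies on `dir_fd` and `O_NOFOLLOW`.

```python
"""Simulated antivirus scan-then-delete race and a handle-based fix.

Added example, not the antivirus vendors' or RACK911 Labs' code.
"""
import os
import shutil
import stat
import tempfile

# Constructed marker standing in for a real signature match.
MALWARE_MARKER = b"X-SIMULATED-MALWARE"


def vulnerable_cleanup(parent_dir, name, between_scan_and_delete=lambda: None):
    """Scan by path, then delete by path: the pattern the article describes."""
    path = os.path.join(parent_dir, name)
    with open(path, "rb") as f:            # path lookup follows symlinks
        if MALWARE_MARKER not in f.read():
            return "clean"
    between_scan_and_delete()               # the race window
    os.unlink(path)                         # resolves the path AGAIN; parent dirs are followed
    return "deleted"


def hardened_cleanup(parent_dir, name, between_scan_and_delete=lambda: None):
    """Open the parent once (refusing a symlinked parent), scan through the fd,
    and unlink relative to the directory handle, so renaming or replacing the
    path after the scan cannot redirect the privileged delete."""
    if os.sep in name or name in ("", ".", ".."):
        return "refused"                    # never let a name walk out of the directory
    try:
        dfd = os.open(parent_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:                         # ELOOP/ENOTDIR: parent is already a link
        return "refused"
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        except OSError:                     # the entry itself is a symlink or vanished
            return "refused"
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                return "refused"
            malicious = MALWARE_MARKER in os.read(fd, 1 << 20)
        finally:
            os.close(fd)
        if not malicious:
            return "clean"
        between_scan_and_delete()           # same window, but the handle is already bound
        os.unlink(name, dir_fd=dfd)         # acts on the directory we opened, whatever it is named now
        return "deleted"
    finally:
        os.close(dfd)


def run_scenario(cleaner, presymlinked=False):
    """Build a protected dir and a user-writable drop zone, run `cleaner` with the
    attacker's swap in the race window, and report (result, victim_survived, bait_survived).
    With presymlinked=True the swap happens before the scan instead."""
    tmp = tempfile.mkdtemp(prefix="avrace-")
    try:
        protected = os.path.join(tmp, "av_install")   # stands in for the AV's install dir
        dropzone = os.path.join(tmp, "dropzone")       # user-writable, watched by the scanner
        os.mkdir(protected)
        os.mkdir(dropzone)
        victim = os.path.join(protected, "engine.so")
        with open(victim, "wb") as f:
            f.write(b"legitimate engine code")
        with open(os.path.join(dropzone, "engine.so"), "wb") as f:
            f.write(MALWARE_MARKER)          # bait with the same name as the victim

        def swap():
            # Attacker: move the real directory aside, drop a symlink in its place.
            os.rename(dropzone, dropzone + ".moved")
            os.symlink(protected, dropzone)

        if presymlinked:
            swap()
            result = cleaner(dropzone, "engine.so")
        else:
            result = cleaner(dropzone, "engine.so", swap)
        victim_survived = os.path.exists(victim)
        bait_survived = os.path.exists(os.path.join(dropzone + ".moved", "engine.so"))
        return result, victim_survived, bait_survived
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_cleanup))
    print("hardened:  ", run_scenario(hardened_cleanup))
    print("hardened, parent already a symlink:", run_scenario(hardened_cleanup, presymlinked=True))
```

In the vulnerable run the scanner deletes `av_install/engine.so`, the protected file, and leaves the attacker's bait untouched; in the hardened run the unlink removes the bait from the renamed directory and the protected file survives. The `presymlinked` case shows why timing matters to the attacker: if the symlink is already in place when the scan happens, the vulnerable scanner reads the legitimate file and reports it clean, so the swap has to land inside the window, which is what the "loop it until it works" approach quoted later in the article exploits.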

“In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS,” RACK911 Labs says.

The researchers also reveal that, in some cases, they identified file permission and ownership changes that could have allowed for privilege escalation.

The identified flaws, which were found to impact almost all antivirus software out there, are rather trivial to exploit, “and seasoned malware authors will have no problem weaponizing the tactics outlined,” RACK911 Labs claims.

What an attacker would need to figure out is the precise timing of the directory junction or symlink operation. However, the researchers say that figuring out the correct timing should be easy for a local malicious user.

“In some of the antivirus software that we exploited, timing wasn’t important at all and a simple loop statement of running the exploit over and over was all that was needed to manipulate the antivirus software into self-destructing,” the researchers note.

RACK911 Labs, which published proof-of-concept code for both attack scenarios, as well as a list of the antivirus programs it tested and found vulnerable, says that it started notifying vendors in the fall of 2018 and that most of them have since patched their products, with only a few exceptions.

“It’s now spring of 2020 and every antivirus vendor that we have contacted has had at least 6 months to fix the security vulnerabilities, we feel the time is right to bring our research to the public. […] It’s our hope that antivirus vendors will rethink how file operations take place under user accessible directories. Whether it’s Windows, macOS or Linux, it’s extremely important that file operations happen with the lowest level of authority to prevent attacks from taking place,” RACK911 Labs concludes.

Related: Antivirus Vendors Patch Bug First Discovered 10 Years Ago

Related: Vulnerability Prompts Avast to Disable Emulator Used by Antivirus

Related: Vulnerability in McAfee Antivirus Products Allows DLL Hijacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
