
Researchers Turn Antivirus Software Into Destructive Tools

A vulnerability impacting nearly all antivirus products out there could have been exploited to disable anti-malware protection or render the operating system unusable, RACK911 Labs security researchers reveal.

Most antivirus software performs a “real time scan” of unknown files newly saved to disk; files judged suspicious are either moved to a secure location and quarantined, or deleted from the system.

The issue, the researchers say, resides in the fact that there’s a small time window between the file scan and the cleanup operation, and that almost all antivirus software performs operations with the highest level of authority within the operating system.

“Therein lies a fundamental flaw as the file operations are (almost) always performed at the highest level which opens the door to a wide range of security vulnerabilities and various race conditions,” RACK911 Labs notes.

In that window between the antivirus scan and the cleanup operation, a malicious local user or a piece of malware may be able to win a race condition that abuses the privileged file operations, either to disable the system’s security protections or to interfere with the operating system.

The attack, the researchers say, can be performed via a directory junction in Windows, or through a symlink in Linux and macOS.

Directory junctions exist only on Windows. A junction links two local directories together, can be created by any user, and requires no administrator privileges, so an attacker can easily leverage one when exploiting antivirus software on Windows.

On Linux and macOS, a symlink, or “symbolic link,” is a shortcut in which one filesystem path points to another, and any unprivileged user can create one. Symlinks exist on Windows too, but creating them there requires higher privileges.

“In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS,” RACK911 Labs says.

The researchers also reveal that, in some cases, they identified file permission and ownership changes that could have allowed for privilege escalation.

The identified flaws, which were found to impact almost all antivirus software out there, are rather trivial to exploit, “and seasoned malware authors will have no problem weaponizing the tactics outlined,” RACK911 Labs claims.

What an attacker would need to figure out is the precise timing of the directory junction or symlink operation; however, the researchers say that finding the right timing should be easy for a local malicious user.

“In some of the antivirus software that we exploited, timing wasn’t important at all and a simple loop statement of running the exploit over and over was all that was needed to manipulate the antivirus software into self-destructing,” the researchers note.

RACK911 Labs, which published proof of concept for both attack scenarios, as well as a list of antivirus programs that were tested and found vulnerable, says that it started notifying vendors in the fall of 2018, and that most of them patched their products, with only a few exceptions.

“It’s now spring of 2020 and every antivirus vendor that we have contacted has had at least 6 months to fix the security vulnerabilities, we feel the time is right to bring our research to the public. […] It’s our hope that antivirus vendors will rethink how file operations take place under user accessible directories. Whether it’s Windows, macOS or Linux, it’s extremely important that file operations happen with the lowest level of authority to prevent attacks from taking place,” RACK911 Labs concludes.
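The flaw described above is a classic time-of-check/time-of-use race: the scanner checks a file by path, and the privileged cleanup later re-resolves that same path, following whatever link an unprivileged user has swapped into a parent directory in the meantime. The following Python example is added here and is not RACK911 Labs’ proof of concept nor any vendor’s code. It contrasts a path-based cleanup with a hardened one that anchors on a descriptor for the scan root and refuses to traverse symlinks (`O_NOFOLLOW`), then runs both against a constructed scan directory in a temporary folder where a directory has been replaced by a symlink. The function and directory names are assumptions chosen for the demonstration; it relies on the `dir_fd` form of `os.open`/`os.lstat`/`os.unlink`, so it runs on Linux and macOS only. It complements, rather than replaces, the researchers’ recommendation that file operations run with the lowest level of authority.

```python
import errno
import os
import stat
import tempfile


def unsafe_cleanup(scan_root, rel_path):
    """Vulnerable pattern (illustration only): re-resolve the full path at cleanup
    time. Every directory component is followed again, so a link swapped in
    between scan and cleanup silently redirects the privileged delete."""
    os.remove(os.path.join(scan_root, *rel_path))


def safe_cleanup(scan_root, rel_path):
    """Hardened pattern: open the scan root once, then step through each path
    component relative to the previous descriptor with O_NOFOLLOW|O_DIRECTORY.
    A symlink in any component makes open() fail with ELOOP instead of being
    followed, and the final unlink is done relative to the verified directory."""
    if any(p in ("", ".", "..") or os.sep in p for p in rel_path):
        raise ValueError("rel_path must be plain path components")
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC
    fds = [os.open(scan_root, flags)]
    try:
        for part in rel_path[:-1]:
            # Raises OSError(ELOOP) if `part` has been replaced by a symlink.
            fds.append(os.open(part, flags, dir_fd=fds[-1]))
        name = rel_path[-1]
        st = os.lstat(name, dir_fd=fds[-1])          # lstat: does not follow links
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.ELOOP, "refusing to act on a non-regular file", name)
        # unlink never follows a symlink, so even a last-moment swap of the final
        # component only removes the link itself, never its target.
        os.unlink(name, dir_fd=fds[-1])
    finally:
        for fd in fds:
            os.close(fd)


def race_demo():
    """Constructed scenario: a 'protected' file outside the scan root, and a scan
    root whose `user` directory is swapped for a symlink to the protected
    directory after the scan but before cleanup. Returns what each cleanup did."""
    with tempfile.TemporaryDirectory() as tmp:
        scan_root = os.path.join(tmp, "scan_root")
        protected_dir = os.path.join(tmp, "protected")
        os.makedirs(os.path.join(scan_root, "user"))
        os.makedirs(protected_dir)
        victim = os.path.join(protected_dir, "important.conf")
        rel = ("user", "important.conf")

        def reset():
            with open(victim, "w") as f:
                f.write("keep me\n")

        reset()
        # Scan phase: a file with the same name is written inside the scan root.
        with open(os.path.join(scan_root, *rel), "w") as f:
            f.write("constructed suspicious content\n")

        # The race: before cleanup runs, the directory becomes a symlink.
        os.remove(os.path.join(scan_root, *rel))
        os.rmdir(os.path.join(scan_root, "user"))
        os.symlink(protected_dir, os.path.join(scan_root, "user"))

        unsafe_cleanup(scan_root, rel)
        unsafe_deleted_victim = not os.path.exists(victim)

        reset()
        try:
            safe_cleanup(scan_root, rel)
            safe_refused = False
        except OSError as e:
            safe_refused = e.errno in (errno.ELOOP, errno.ENOTDIR)

        return {
            "unsafe_deleted_victim": unsafe_deleted_victim,
            "safe_refused": safe_refused,
            "victim_survives": os.path.exists(victim),
        }


if __name__ == "__main__":
    print(race_demo())
```

The hardened routine still does not close the window between scan and cleanup; it only guarantees that the object acted on is the one under the trusted root, not something a link now points at. A real product would additionally perform the delete from a low-privilege context, as the researchers recommend, so that a mistake here cannot reach operating-system files at all.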


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
