Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Researchers Turn Antivirus Software Into Destructive Tools

A vulnerability impacting nearly all antivirus products out there could have been exploited to disable anti-malware protection or render the operating system unusable, RACK911 Labs security researchers reveal.

A vulnerability impacting nearly all antivirus products out there could have been exploited to disable anti-malware protection or render the operating system unusable, RACK911 Labs security researchers reveal.

Most antivirus software performs a “real time scan” of unknown files saved to disk and, if considered suspicious, these files are either moved to a secure location to be quarantined, or deleted from the system.

The issue, the researchers say, resides in the fact that there’s a small time window between the file scan and the cleanup operation, and that almost all antivirus software performs operations with the highest level of authority within the operating system.

“Therein lies a fundamental flaw as the file operations are (almost) always performed at the highest level which opens the door to a wide range of security vulnerabilities and various race conditions,” RACK911 Labs notes.

In the aforementioned time window between the antivirus’ scan and the cleanup operations, a malicious local user or a piece of malware may be able to perform a race condition abusing the privileged file operations to either disable the system’s security protections or interfere with the operating system.

The attack, the researchers say, can be performed via a directory junction in Windows, or through a symlink in Linux and macOS.

Exclusive to Windows, the directory junction links two local system directories together, can be performed by any user, and does not require administrator level privileges. Thus, an attacker can easily leverage it when exploiting the antivirus on Windows.

On Linux and macOS, a symlink, or “symbolic link,” is a shortcut where one file points to another file, and can be performed by any unprivileged user. While such links exist in Windows too, they require higher privileges on this operating system.

“In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS,” RACK911 Labs says.

The researchers also reveal that, in some cases, they identified file permission and ownership changes that could have allowed for privilege escalation.

The identified flaws, which were found to impact almost all antivirus software out there, are rather trivial to exploit, “and seasoned malware authors will have no problem weaponizing the tactics outlined,” RACK911 Labs claims.

What an attacker would need to figure out is the precise timing of the directory junction or symlink operation. However, the researchers say that figuring out the correct timing should be easy for a local malicious user.

“In some of the antivirus software that we exploited, timing wasn’t important at all and a simple loop statement of running the exploit over and over was all that was needed to manipulate the antivirus software into self-destructing,” the researchers note.

RACK911 Labs, which published proof of concept for both attack scenarios, as well as a list of antivirus programs that were tested and found vulnerable, says that it started notifying vendors in the fall of 2018, and that most of them patched their products, with only a few exceptions.

“It’s now spring of 2020 and every antivirus vendor that we have contacted has had at least 6 months to fix the security vulnerabilities, we feel the time is right to bring our research to the public. […] It’s our hope that antivirus vendors will rethink how file operations take place under user accessible directories. Whether it’s Windows, macOS or Linux, it’s extremely important that file operations happen with the lowest level of authority to prevent attacks from taking place,” RACK911 Labs concludes.

Related: Antivirus Vendors Patch Bug First Discovered 10 Years Ago

Related: Vulnerability Prompts Avast to Disable Emulator Used by Antivirus

Related: Vulnerability in McAfee Antivirus Products Allows DLL Hijacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.