SecurityWeek

Endpoint Security

Vulnerabilities Allow Researcher to Turn Security Products Into Wipers

SafeBreach Labs security researcher Or Yair discovered several vulnerabilities that allowed him to turn endpoint detection and response (EDR) and antivirus (AV) products into wipers.

The identified issues, which were presented on Wednesday at the Black Hat Europe cybersecurity conference, allowed the researcher to trick the vulnerable security products into deleting arbitrary files and directories on the system and render the machine unusable.

Dubbed Aikido, the researcher’s wiper abuses the extended privileges that EDR and AV products have on the system, relying on decoy directories containing specially crafted paths to trigger the deletion of legitimate files.

“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable. It does all that without implementing code that touches the target files, making it fully undetectable,” the researcher explains.

The Aikido wiper exploits the window between the detection of a malicious file and its actual deletion, and abuses a Windows feature that lets any user create junction points (directory reparse points that redirect one path to another, much like symbolic links) regardless of their account's privileges. Unlike NTFS symbolic links, which by default require the SeCreateSymbolicLinkPrivilege, a junction only needs write access to the directory in which it is created.

Yair explains that an unprivileged user cannot delete system (.sys) files, because they do not have the required permissions, but he successfully tricked the security product into performing the deletion by creating a decoy directory and placing in it a crafted path that mirrors the one intended for deletion (such as C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers).

The researcher created a malicious file in the decoy directory and kept an open handle to it that did not permit deletion, so the security product could not remove the file on the spot. Unable to determine which program was holding the file, the EDR/AV prompted for a system reboot to complete the remediation. The researcher then deleted the decoy directory and replaced it with a junction pointing at the real location (C:\temp to C:\), so that the path recorded for deletion now resolved to the protected system file.

Some security tools, the researcher explains, rely on a Windows API to postpone the deletion until after the reboot, while others keep a list of paths selected for deletion and wait for the reboot to delete them.


The standard Windows API for postponing a deletion, MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag, records the path in the PendingFileRenameOperations registry value and may only be used by administrators or LocalSystem, which the EDR/AV is. Once the system reboots, however, “Windows starts deleting all the paths and blindly follows junctions,” the researcher discovered: the path is resolved at boot, not at the time it was queued.

“Some other self-implementations of EDRs and AVs do that too. As a result, I was able to create one complete process that allowed me to delete almost any file that I wanted on the system as an unprivileged user,” the researcher notes.
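The detection-to-deletion race described above, replayed as an added example (this is not code from the SecurityWeek article or from SafeBreach's Aikido PoC). It runs on a POSIX system and uses a directory symlink as a stand-in for an NTFS junction, on the assumption that the redirection behaviour, not the link type, is what matters; the victim file name ndis.sys, the directory names and the decoy bytes are constructed. The vulnerable path records only a string and unlinks whatever it resolves to after the "reboot"; the hardened path canonicalises the path at detection time, pins the file's identity, and refuses to delete if any component has since become a link or the object at that path has changed.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the EICAR test file the PoC drops (not the real EICAR string).
DECOY_BYTES = b"pretend-malware"


def schedule_delete_vulnerable(path: str) -> str:
    """Vulnerable EDR behaviour: remember the literal path and nothing else."""
    return path


def run_pending_delete_vulnerable(path: str) -> bool:
    """Post-reboot step of the vulnerable EDR: unlink whatever the path resolves to now.
    Like MOVEFILE_DELAY_UNTIL_REBOOT, this follows any link planted in the meantime."""
    try:
        os.unlink(path)
        return True
    except FileNotFoundError:
        return False


def schedule_delete_hardened(path: str) -> tuple:
    """Hardened: canonicalise the path at detection time and pin the object's identity."""
    real = os.path.realpath(path)
    st = os.stat(real)
    return (real, st.st_dev, st.st_ino)


def run_pending_delete_hardened(entry: tuple) -> bool:
    """Hardened: refuse if any path component has become a link or the object changed."""
    real, dev, ino = entry
    p = Path(real)
    if any(part.is_symlink() for part in (p, *p.parents)):
        return False                      # junction/symlink planted after detection
    try:
        st = os.stat(real)
    except FileNotFoundError:
        return False
    if (st.st_dev, st.st_ino) != (dev, ino):
        return False                      # a different file now sits at that path
    os.unlink(real)
    return True


def simulate(hardened: bool, attacker_swaps: bool = True) -> dict:
    """Replay the Aikido sequence in a temp dir; report what happened to the real file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # stands in for C:\Windows\System32\drivers\ndis.sys (assumed victim name)
        victim = root / "target" / "Windows" / "System32" / "drivers" / "ndis.sys"
        victim.parent.mkdir(parents=True)
        victim.write_bytes(b"legitimate driver")
        # decoy mirrors the victim path under an attacker-writable directory (C:\temp)
        decoy_root = root / "temp"
        decoy = decoy_root / "Windows" / "System32" / "drivers" / "ndis.sys"
        decoy.parent.mkdir(parents=True)
        decoy.write_bytes(DECOY_BYTES)

        # 1. EDR flags the decoy; the attacker's open handle forces a deferred deletion
        schedule = schedule_delete_hardened if hardened else schedule_delete_vulnerable
        entry = schedule(str(decoy))

        # 2. attacker removes the decoy tree and points the same prefix at the real root
        if attacker_swaps:
            shutil.rmtree(decoy_root)
            os.symlink(root / "target", decoy_root, target_is_directory=True)

        # 3. "reboot": the pending deletion runs
        run = run_pending_delete_hardened if hardened else run_pending_delete_vulnerable
        deleted = run(entry)
        return {"deleted": deleted, "victim_survived": victim.exists()}


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))
    print("hardened:  ", simulate(hardened=True))
    print("hardened, no tampering:", simulate(hardened=True, attacker_swaps=False))
```

The hardened variant still removes the flagged file when nobody has tampered with the path, so it does not break the normal remediation flow. On a real Windows host the more robust fix is to delete by the handle obtained at detection time (FILE_DISPOSITION_INFO on that handle) or to open each component with FILE_FLAG_OPEN_REPARSE_POINT so junctions are never traversed; the inode check here is the POSIX analogue of pinning the file identity. For a quick check before rebooting a suspect machine, inspect the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager for queued deletions whose path passes through a directory an unprivileged user can write to.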

Yair points out that the exploit also bypasses Controlled Folder Access in Windows – a feature meant to prevent tampering with files inside folders that are on a Protected Folders list – because the EDR/AV has permissions to delete these files.

Out of 11 security products that were tested, six were found vulnerable to this exploit. The security flaws were reported to the affected vendors and three CVE identifiers were issued: CVE-2022-37971 for Microsoft Defender and Defender for Endpoint, CVE-2022-45797 for Trend Micro Apex One, and CVE-2022-4173 for Avast and AVG Antivirus for Windows.

Available on GitHub, the wiper contains exploits for the bugs impacting SentinelOne’s EDR and Microsoft Defender and Defender for Endpoint. For Microsoft’s products, however, only deletion of arbitrary directories is possible.

The PoC wiper creates an EICAR file (instead of a real malicious file) that is deleted by the security solution, can delete system files like drivers, and, at system reboot, “fills up the disk to no space with random bytes a few times” to ensure that data is overwritten and wiped.

“We believe it is critical for all EDR and AV vendors to proactively test their products against this type of vulnerability and, if necessary, develop a remediation plan to ensure they are protected. We would also strongly encourage individual organizations that currently utilize EDR and AV products to consult with their vendors about these vulnerabilities and immediately install any software updates or patches they provide,” Yair said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
