Vulnerabilities Allow Researcher to Turn Security Products Into Wipers

SafeBreach Labs security researcher Or Yair discovered several vulnerabilities that allowed him to turn endpoint detection and response (EDR) and antivirus (AV) products into wipers.

The identified issues, which were presented on Wednesday at the Black Hat Europe cybersecurity conference, allowed the researcher to trick the vulnerable security products into deleting arbitrary files and directories on the system and render the machine unusable.

Dubbed Aikido, the researcher’s wiper abuses the extended privileges that EDR and AV products have on the system, relying on decoy directories containing specially crafted paths to trigger the deletion of legitimate files.

“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable. It does all that without implementing code that touches the target files, making it fully undetectable,” the researcher explains.

The Aikido wiper exploits a window of opportunity between the detection of a malicious file and its actual deletion and abuses a feature in Windows that allows users to create junction point links – which are like symbolic links (symlinks) – regardless of their account’s privileges.

Yair explains that an unprivileged user cannot delete system (.sys) files, because they do not have the required permissions, but he successfully tricked the security product into performing the deletion by creating a decoy directory and placing in it a crafted path like the one intended for deletion (such as C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers).

The researcher created a malicious file, placed it in the decoy directory, but did not specify a handle for it. Without knowing which programs have permissions to modify the file, the EDR/AV prompted for a system reboot to remediate the threat. The researcher then deleted the decoy directory.

Some security tools, the researcher explains, rely on a Windows API to postpone the deletion until after the reboot, while others keep a list of paths selected for deletion and wait for the reboot to delete them.

While the default Windows API for postponing a deletion uses a flag that requires administrator privileges, once the system reboots, “Windows starts deleting all the paths and blindly follows junctions,” the researcher discovered.

“Some other self-implementations of EDRs and AVs do that too. As a result, I was able to create one complete process that allowed me to delete almost any file that I wanted on the system as an unprivileged user,” the researcher notes.

Yair points out that the exploit also bypasses Controlled Folder Access in Windows – a feature meant to prevent tampering with files inside folders that are on a Protected Folders list – because the EDR/AV has permissions to delete these files.
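A deletion routine avoids following junctions blindly by re-validating the recorded path at deletion time. The sketch below is an added example, not SafeBreach's or any vendor's code: the function names and the `trusted_root` parameter are hypothetical, and the constructed demo uses a symlink in a temporary directory as a stand-in for a Windows junction.

```python
import os, shutil, stat, tempfile
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

def is_redirect(path):
    """True for a symlink (POSIX) or any reparse point, e.g. a junction (Windows)."""
    st = os.lstat(path)
    return stat.S_ISLNK(st.st_mode) or bool(getattr(st, "st_file_attributes", 0) & REPARSE)

def first_redirect(path, trusted_root):
    """Return the first component below trusted_root that is a link, else None."""
    current = trusted_root
    for part in os.path.relpath(path, trusted_root).split(os.sep):
        current = os.path.join(current, part)
        if is_redirect(current):
            return current
    return None

def record_detection(path):
    """Detection time: remember the path and the identity of the flagged file."""
    st = os.lstat(path)
    return {"path": path, "id": (st.st_dev, st.st_ino)}

def remediate(entry, trusted_root):
    """Deletion time (e.g. after reboot): re-validate the path, then delete."""
    try:
        hit = first_redirect(entry["path"], trusted_root)
        if hit is not None:
            return "refused: redirect at " + os.path.relpath(hit, trusted_root)
        st = os.lstat(entry["path"])
    except FileNotFoundError:
        return "skipped: path no longer exists"
    if (st.st_dev, st.st_ino) != entry["id"]:
        return "refused: file identity changed"
    os.remove(entry["path"])
    return "deleted"

def demo():
    # Constructed sandbox in a temp dir; a symlink stands in for a junction.
    root = os.path.realpath(tempfile.mkdtemp())
    real = os.path.join(root, "Windows", "drivers", "x.sys")
    flagged = os.path.join(root, "temp", "Windows", "drivers", "x.sys")
    for p in (real, flagged):
        os.makedirs(os.path.dirname(p))
        open(p, "w").close()
    entry = record_detection(flagged)
    shutil.rmtree(os.path.join(root, "temp"))     # decoy removed ...
    os.symlink(root, os.path.join(root, "temp"))  # ... and redirected
    result = remediate(entry, root), os.path.exists(real)
    shutil.rmtree(root)
    return result
```

The check and the delete are still separate calls here, so a Windows product would additionally open the file without following reparse points (`FILE_FLAG_OPEN_REPARSE_POINT`) and delete through that handle.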

Out of 11 security products that were tested, six were found vulnerable to this exploit. The security flaws were reported to the affected vendors and three CVE identifiers were issued: CVE-2022-37971 for Microsoft Defender and Defender for Endpoint, CVE-2022-45797 for Trend Micro Apex One, and CVE-2022-4173 for Avast and AVG Antivirus for Windows.

Available on GitHub, the wiper contains exploits for the bugs impacting SentinelOne’s EDR and Microsoft Defender and Defender for Endpoint. For Microsoft’s products, however, only deletion of arbitrary directories is possible.

The PoC wiper creates an EICAR file (instead of a real malicious file) that is deleted by the security solution, can delete system files like drivers, and, at system reboot, “fills up the disk to no space with random bytes a few times” to ensure that data is overwritten and wiped.

“We believe it is critical for all EDR and AV vendors to proactively test their products against this type of vulnerability and, if necessary, develop a remediation plan to ensure they are protected. We would also strongly encourage individual organizations that currently utilize EDR and AV products to consult with their vendors about these vulnerabilities and immediately install any software updates or patches they provide,” Yair said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
