Exploit the possiblities

Anti-Virus Privileged File Write

Anti-Virus Privileged File Write
Posted Nov 15, 2017
Authored by Florian Bogner

Anti-Virus solutions are split into several different components (an unprivileged user mode part, a privileged user mode part and a kernel component). Logically the different systems talk to each other. By abusing NTFS directory junctions it is possible from the unprivileged user mode part ("the UI") to restore files from the virus quarantine with the permissions of the privileged user mode part ("Windows service"). This may results in a privileged file write vulnerability.

tags | exploit, kernel, virus
systems | windows
MD5 | 7862227fbd0c9e346e9689c3307fcd0a

Anti-Virus Privileged File Write

Change Mirror Download
Dear list,

This mail is not about a single vulnerability, but a more or less general technique I discovered to abuse the restore from quarantine feature in anti-virus solutions to gain local admin rights. As I also presented this attack at the IT SECX conference, I had to invent a name for it too. Hence, it is now called #AVGater (naturally it also has a logo).

For a more detailed description visit: https://bogner.sh/AVGater

Summary:
==============================================================
Anti-Virus solutions are split into several different components (an unprivileged user mode part, a privileged user mode part and a kernel component). Logically the different systems talk to each other.

By abusing NTFS directory junctions it is possible from the unprivileged user mode part ("the UI") to restore files from the virus quarantine with the permissions of the privileged user mode part ("Windows service"). This may results in a privileged file write vulnerability.

The following image illustrates the attack vector:
https://bogner.sh/wp-content/uploads/2017/10/Screen-Shot-2017-10-25-at-11.36.37.png

Steps to exploit:
==============================================================
1.) Add a malicious DLL into the AV quarantine (for example by manually adding it or by exploiting a race condition)
2.) By abusing NTFS directory junctions redirect the original source folder of the DLL to for example C:\Program Files\Your AV\
3.) Restore the DLL
=> As the DLL in restored with permissions of the privileged Windows service - instead of the user permissions - the file is dropped into an otherwise non-writable folder.
4.) On the next reboot the DLL is loaded by the AV instead of the actual Windows DLL and malicious code can be executed as SYSTEM.

Who is/was affected?
==============================================================
During the preparation for this public disclosure, several different product have been checked for #AVGater. The following vendors have already released their fix. However, there are a few more to come!

- TrendMicro
- Kaspersky
- ZoneAlarm
- Emsisoft
- Malwarebytes
- Ikarus

Getting our hands dirty
==============================================================
If you want to know more about how to exploit #AVGator in a real life scenario, I have a good news for you: I already fully documented two exploit vectors:

- Emsisoft: https://bogner.sh/2017/11/local-privilege-escalation-in-emsisoft-anti-malware-by-abusing-ntfs-directory-junctions-avgater/
- Malwarebytes: https://bogner.sh/2017/11/local-privilege-escalation-in-malwarebytes-3-by-abusing-ntfs-directory-junctions-avgater/

How to protect myself?
==============================================================
Generally, it's pretty simple: Always install updates in a timely manner. However, as some vendors still need a few more days to release their fix, it may take a little till everyone is protected.

Furthermore, as #AVGator can only be exploited if the user is allowed to restore previously quarantined file, I recommend everyone within a corporate environment to block normal users from restoring identified threats. This is wise in any way.

Florian Bogner

eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    13 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close