A researcher has disclosed a flaw, dubbed AVGater, in many anti-virus endpoint protection packages that could allow an attacker with only an unprivileged local account to gain code execution with the privileges of the anti-virus service, i.e. as SYSTEM.
The attack abuses the way anti-virus software automatically quarantines files that appear malicious. The local user first gets a file quarantined, then replaces the now-empty directory it was removed from with an NTFS directory junction pointing at a location the user could not otherwise write to, such as a Windows or Program Files directory from which a privileged process loads DLLs. When the user asks for the quarantined file to be restored, the privileged AV service writes it back to the original path, follows the junction, and drops the file at the attacker-chosen location. Because the AV service performs the write, the file system ACLs on the destination do not stop it. The attack does require an existing foothold as a local user, which limits its scope, but it turns that foothold into a full compromise of the machine.
“AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don't really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system”, said the researcher Florian Bogner in a blog post explaining the exploit.
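The two paragraphs above describe the junction-redirect mechanic and the privileged restore that together make AVGater work. The PowerShell below is an added lab demonstration, not code from the article or from Bogner's proof of concept. It runs entirely under a scratch directory in %TEMP% as the current user, involves no anti-virus product, and simulates the "restore" with a plain Move-Item, so it shows only the path-redirection primitive (a write to the original path landing somewhere else), not a privilege escalation. The lab path, the directory names and the Find-PrivilegedJunctions sweep with its list of privileged prefixes are assumptions chosen for this example.

```powershell
# Added lab example: the NTFS junction redirect behind AVGater, plus a
# defender-side sweep for junctions that point into privileged locations.
# Assumed scratch location; nothing outside this tree is touched.
$Lab = Join-Path $env:TEMP 'avgater-junction-lab'

function New-Junction {
    param([string]$Path, [string]$Target)
    # mklink /J creates a directory junction and needs no special privilege,
    # which is exactly why the primitive is available to a low-privileged user.
    cmd /c mklink /J "$Path" "$Target" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed for $Path" }
}

function Invoke-JunctionRedirectDemo {
    if (Test-Path $Lab) { Remove-Item $Lab -Recurse -Force }
    $origin     = Join-Path $Lab 'origin'       # where the flagged file was dropped
    $quarantine = Join-Path $Lab 'quarantine'   # stands in for the AV quarantine store
    $target     = Join-Path $Lab 'target'       # stands in for a privileged directory
    New-Item -ItemType Directory -Path $origin, $quarantine, $target | Out-Null

    # 1. The file lands in the origin directory and is "quarantined" (moved away).
    #    Constructed sample content; it is not a real DLL.
    $file = Join-Path $origin 'payload.dll'
    Set-Content -Path $file -Value 'constructed sample, not a real DLL'
    Move-Item -Path $file -Destination $quarantine

    # 2. The origin directory is now empty, so the user deletes it and puts a
    #    junction with the same name in its place, pointing at the target.
    Remove-Item $origin
    New-Junction -Path $origin -Target $target

    # 3. The "restore" writes the file back to its original path. The junction
    #    makes the bytes land in $target instead. In the real attack this step is
    #    done by the AV service running as SYSTEM, so ACLs on $target would not help.
    Move-Item -Path (Join-Path $quarantine 'payload.dll') -Destination $file

    # $true means the write was redirected into the target directory.
    return (Test-Path (Join-Path $target 'payload.dll'))
}

function Find-PrivilegedJunctions {
    param(
        [string[]]$Roots = @($env:USERPROFILE, $env:TEMP),   # user-writable trees
        [string[]]$PrivilegedPrefixes = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)})
    )
    # Lists junctions under user-writable directories whose target points into a
    # privileged location. Such junctions have legitimate uses, but one created
    # shortly before a quarantine restore is the artefact this attack leaves behind.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                $t = @($_.Target)[0]   # Target is an array on Windows PowerShell 5.1
                if ($t -and ($PrivilegedPrefixes | Where-Object { $_ -and $t -like "$_*" })) {
                    [pscustomobject]@{ Junction = $_.FullName; Target = $t }
                }
            }
    }
}

# Usage: run the demo, then sweep the user profile and TEMP for suspicious junctions.
"Redirected write observed: $(Invoke-JunctionRedirectDemo)"
Find-PrivilegedJunctions | Format-Table -AutoSize
```

The demo's junction points at a directory inside the lab, so the sweep will not flag it; point a junction at a path under C:\Windows or Program Files to see a hit. In a real investigation, pair the sweep's output with the AV product's quarantine and restore log entries, since a junction alone proves nothing.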
Javvad Malik, security advocate at AlienVault, said: "This is not the first time we've seen evidence of attackers targeting security software directly in order to push malware or compromise clients. It is a reminder that IT security vendors need to pay as much attention to their own security as they do to that of their customers; if not more so. If compromising security software becomes a common occurrence, it could severely impact the confidence customers have in the entire market.”
The vendors that have already fixed their packages are Trend Micro, Emsisoft, Ikarus, Kaspersky, Check Point's ZoneAlarm and Malwarebytes.
Lee Munson, security researcher at Comparitech, said: “Warning: Antivirus is useless. That's something I was hearing long before I took an interest in security, let alone joined the industry, and AVGater is not going to change my opinion that the death knell of AV is still being sounded way too soon. While this particular vulnerability is particularly nasty, and has the potential to wreak havoc on a target system, the fact that it has to be installed locally should render its effectiveness null and void.”
Bogner said that other vendors are also affected but have not yet shipped fixes, stating that “as some vendors still need a few more days to release their fix, it may take a little till everyone is protected”. As a workaround until the patches arrive, he recommended that administrators prevent non-administrative local users from restoring files the anti-virus has quarantined, since the attack depends on an unprivileged user being able to trigger the privileged restore.