Security researchers from CyberArk Labs disclosed details of security vulnerabilities found in popular antivirus software that could be exploited by attackers to elevate their privileges on the target system.
Antivirus solutions that are supposed to protect the systems from infection may unintentionally allow malware in escalating privileges on the system.
Anti-malware products run with high privileges, this means that the exploitation of any issues in these solutions could allow malicious software to elevated permissions and perform multiple malicious actions.
Experts explained that multiple anti-malware products are vulnerable to exploitation via file manipulation attacks, including antivirus solutions from Kaspersky, McAfee, NortonLifeLock, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender. The good news is that all the above security vendors have addressed the vulnerabilities reported by the researchers.
The researchers explained that one of the root causes for many issues they have discovered is the default DACLs of the C:\ProgramData directory. On Windows, the ProgramData directory is used by applications to store data, any user has read/write permissions on ProgramData instead of the %LocalAppData%, which is accessible by the current logged in user.
“We begin with the first cause of many bugs, which is the default DACLs of the C:\ProgramData directory. On Windows, the ProgramData directory is used by applications to store data that is not specific to a user. This means that processes\services that are not tied to a specific user would probably use ProgramData instead of the %LocalAppData%, which is accessible by the current logged in user.” reads the analysis published by CyberArk. “I assume this is the reason why ProgramData has permissive DACLs by design so that every user can access directories there freely.”
Attackers could exploit some of the flaws to delete files from arbitrary locations.
A privilege escalation could be achieved when a non-privileged process creates a new folder in “ProgramData” that could be later accessed by a privileged process, like the one associated with an antivirus solution.
To better understand the conditions that could determine the exploitation of the flaws, the analysis provides details about a shared Log File issue that affects the antivirus solution designed by Avira.
An attacker could exploit the privileged process to delete the file and create a symlink that would point to any arbitrary file on the target system with malicious content.
CyberArk researchers also explained that it is possible to create a new folder in “C:\ProgramData” before a privileged process, associated with an antivirus software, is executed.
The experts pointed out that McAfee antivirus installer is executed after creating the “McAfee” folder, the standard user has full control over the directory, this means that the local user could gain elevated permissions through a symlink attack.
Experts also reported DLL hijacking flaws in Trend Micro, Fortinet, and other antivirus solutions that could allow attackers to execute a malicious DLL after having placed it into the application directory and elevate privileges.
DLL Hijacking attacks could be mitigated by updating the update of the installation frameworks.
“The implications of these bugs are often full privilege escalation of the local system,” concludes CyberArk. “Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization. The exploits that were presented here are easy to implement, but also easy to patch against.”
The complete list of issues discovered by the experts is reported below:
(SecurityAffairs – hacking, antivirus)