Most antiviruses were attacked through symbolic links

Researchers at RACK911 Labs noticed that almost all antivirus packages for Windows, Linux and macOS were vulnerable to attacks that manipulated race conditions during the removal of files in which malware was detected.

To carry out an attack, one needs to download a file that the antivirus recognizes as malicious (for example, a test signature can be used) and then, after the antivirus has detected the malicious file but immediately before it calls the function that deletes it, replace the directory containing the file with a symbolic link. On Windows, a directory junction is used to achieve the same effect. The problem is that almost all antiviruses did not properly check for symbolic links and, believing they were deleting the malicious file, deleted the file in the directory pointed to by the symbolic link.

On Linux and macOS, it is shown how an unprivileged user can delete /etc/passwd or any other system file in this way, and on Windows a DLL of the antivirus itself, blocking its operation (on Windows the attack is limited to deleting files that are not currently in use by other applications). For example, an attacker can create an "exploit" directory and place a file named EpSecApiLib.dll containing a test virus signature in it, and then, before deletion, replace the "exploit" directory with a link to "C:\Program Files (x86)\McAfee\Endpoint Security\Endpoint Security Platform", which removes the EpSecApiLib.dll library from the antivirus directory. On Linux and macOS, a similar trick can be performed by replacing the directory with a link to "/etc".

#!/bin/sh
# Place the EICAR test file in a scratch directory under the name "passwd"
rm -rf /home/user/exploit ; mkdir /home/user/exploit/
wget -q https://www.eicar.org/download/eicar.com.txt -O /home/user/exploit/passwd
# Once the scanner opens the flagged file, swap the directory for a symlink to /etc
while inotifywait -m "/home/user/exploit/passwd" | grep -m 5 "OPEN"
do
    rm -rf /home/user/exploit ; ln -s /etc /home/user/exploit
done
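The defender's side of the race above, as an added example that is not from the article or from RACK911 Labs: a deletion routine that opens every path component with O_NOFOLLOW and unlinks relative to the pinned directory descriptor, so a directory swapped for a symbolic link is refused instead of followed. demo() rebuilds the /etc swap in a scratch tree (constructed names, "etc" standing in for /etc) and contrasts it with a naive path-based delete; it assumes Linux or macOS, where os.open and os.unlink accept dir_fd.

```python
import errno
import os
import shutil
import stat
import tempfile

def open_dir_nofollow(path: str) -> int:
    """Open `path` one component at a time with O_NOFOLLOW, so a directory that
    was swapped for a symlink anywhere on the path raises ELOOP instead of being followed."""
    fd = os.open(os.sep if os.path.isabs(path) else ".", os.O_RDONLY | os.O_DIRECTORY)
    for part in [p for p in os.path.normpath(path).split(os.sep) if p]:
        try:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
        finally:
            os.close(fd)  # release the parent fd whether or not the open succeeded
        fd = nfd
    return fd

def safe_unlink(directory: str, name: str) -> bool:
    """Delete `name` inside `directory` via a pinned dir fd; False means tampering was detected."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    try:
        dfd = open_dir_nofollow(directory)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOTDIR):
            return False  # a component is now a symlink, or is no longer a directory
        raise
    try:
        if not stat.S_ISREG(os.lstat(name, dir_fd=dfd).st_mode):
            return False  # the flagged file itself was replaced by a link or device
        os.unlink(name, dir_fd=dfd)
        return True
    finally:
        os.close(dfd)

def demo() -> dict:
    """Constructed scratch tree: the scanned 'exploit' dir is swapped for a symlink to 'etc'."""
    base = os.path.realpath(tempfile.mkdtemp())
    etc, exploit = os.path.join(base, "etc"), os.path.join(base, "exploit")
    for d, text in ((etc, "root:x:0:0::/root:/bin/sh\n"), (exploit, "EICAR stand-in\n")):
        os.mkdir(d)
        with open(os.path.join(d, "passwd"), "w") as f: f.write(text)
    shutil.rmtree(exploit); os.symlink(etc, exploit)  # the swap from the script above
    safe_refused = not safe_unlink(exploit, "passwd")  # hardened delete backs off
    survives_safe = os.path.exists(os.path.join(etc, "passwd"))
    os.remove(os.path.join(exploit, "passwd"))  # naive path-based delete follows the link
    survives_naive = os.path.exists(os.path.join(etc, "passwd"))
    shutil.rmtree(base)
    return {"safe_refused": safe_refused, "survives_safe": survives_safe, "survives_naive": survives_naive}
```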

Moreover, many antiviruses for Linux and macOS were found to use predictable filenames when working with temporary files in the /tmp and /private/tmp directories, which could be used to escalate privileges to the root user.

To date, most vendors have already fixed the problems, but it is noteworthy that the first notifications about the problem were sent to manufacturers in the fall of 2018. While not all vendors have released updates, they have been given at least 6 months to patch, and RACK911 Labs believes it now has the right to disclose the vulnerabilities. It is noted that RACK911 Labs has been identifying vulnerabilities for a long time, but did not expect it to be so difficult to work with colleagues from the antivirus industry because of delays in releasing updates and the ignoring of the need for urgent security fixes.

Affected products (free ClamAV antivirus package not listed):

  • Linux
    • BitDefender GravityZone
    • Comodo Endpoint Security
    • ESET File Server Security
    • F-Secure Linux Security
    • Kaspersky Endpoint Security
    • McAfee Endpoint Security
    • Sophos Anti-Virus for Linux
  • Windows
    • Avast Free Anti-Virus
    • Avira Free Anti-Virus
    • BitDefender GravityZone
    • Comodo Endpoint Security
    • F-Secure Computer Protection
    • FireEye Endpoint Security
    • InterceptX (Sophos)
    • Kaspersky Endpoint Security
    • Malwarebytes for Windows
    • McAfee Endpoint Security
    • Panda Dome
    • Webroot Secure Anywhere
  • macOS
    • AVG
    • BitDefender Total Security
    • ESET Cyber Security
    • Kaspersky Internet Security
    • McAfee Total Protection
    • Microsoft Defender (BETA)
    • Norton Security
    • Sophos Home
    • Webroot Secure Anywhere

Source: opennet.ru