
[FD] Getting Local Admin by Abusing the Anti-Virus Quarantine #AVGater

Dear list,

This mail is not about a single vulnerability, but a more or less general 
technique I discovered to abuse the restore from quarantine feature in 
anti-virus solutions to gain local admin rights. As I also presented this 
attack at the IT SECX conference, I had to invent a name for it too. Hence, it 
is now called #AVGater (naturally it also has a logo).

For a more detailed description visit: https://bogner.sh/AVGater

Summary:
==============================================================
Anti-virus solutions are split into several different components (an 
unprivileged user mode part, a privileged user mode part and a kernel 
component). Naturally, these components talk to each other.

By abusing NTFS directory junctions it is possible from the unprivileged user 
mode part ("the UI") to restore files from the virus quarantine with the 
permissions of the privileged user mode part ("Windows service"). This may 
result in a privileged file write vulnerability.

The following image illustrates the attack vector:
https://bogner.sh/wp-content/uploads/2017/10/Screen-Shot-2017-10-25-at-11.36.37.png

Steps to exploit:
==============================================================
1.) Add a malicious DLL into the AV quarantine (for example by manually adding 
it or by exploiting a race condition)
2.) By abusing NTFS directory junctions redirect the original source folder of 
the DLL to for example C:\Program Files\Your AV\
3.) Restore the DLL
    => As the DLL is restored with the permissions of the privileged Windows 
service - instead of the user's permissions - the file is dropped into an 
otherwise non-writable folder.
4.) On the next reboot the DLL is loaded by the AV instead of the actual 
Windows DLL and malicious code can be executed as SYSTEM.
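The core of the problem in steps 2 and 3 is that the privileged service writes to the path recorded at quarantine time without checking whether that path has since been redirected. The following example, added here and not code from Florian Bogner or from any of the affected vendors, models this in a throwaway directory tree: a naive restore routine follows the redirected folder into a stand-in for the protected install directory, while a hardened routine walks the destination path with os.lstat and refuses to write as soon as a component is a symlink or an NTFS reparse point (the attribute a directory junction carries). All directory and file names are constructed; the redirection is a symlink because the script also has to run on Linux, where no junctions exist.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def has_reparse_point(path: Path, root: Path) -> bool:
    """Return True if any component of `path` below `root` is a symlink or an
    NTFS reparse point (directory junction).

    `root` must already be a resolved, trusted directory (e.g. the volume
    root); os.lstat inspects each link itself instead of its target."""
    current = root
    for part in path.relative_to(root).parts:
        current = current / part
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            return False  # the rest of the path does not exist yet
        if stat.S_ISLNK(st.st_mode):
            return True
        # Junctions on Windows are reparse points, not S_ISLNK symlinks.
        attrs = getattr(st, "st_file_attributes", 0)
        if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
            return True
    return False


def restore_unsafe(quarantine_file: Path, original_path: Path) -> Path:
    """Naive restore: copy the sample back to its recorded origin and let the
    filesystem follow whatever that directory now points to."""
    original_path.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(quarantine_file, original_path)
    return original_path.resolve()


def restore_hardened(quarantine_file: Path, original_path: Path, root: Path) -> Path:
    """Restore only if the recorded origin lies under `root` and no component
    of it has been redirected through a link or junction."""
    try:
        original_path.relative_to(root)
    except ValueError:
        raise PermissionError(f"{original_path} is outside the allowed root {root}")
    if has_reparse_point(original_path, root):
        raise PermissionError(f"refusing restore: {original_path} traverses a reparse point")
    original_path.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(quarantine_file, original_path)
    return original_path.resolve()


def demo() -> dict:
    """Build a throwaway directory tree (all names are constructed) and compare
    the two restore routines when the user's folder has been replaced by a link."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        protected = root / "Program Files" / "Your AV"  # stands in for the AV install dir
        protected.mkdir(parents=True)
        quarantine = root / "quarantine"
        quarantine.mkdir()
        sample = quarantine / "sample.bin"
        sample.write_bytes(b"constructed quarantined sample")

        # Origin recorded at quarantine time: a folder the user owns.
        linked_dir = root / "Users" / "alice" / "Downloads"
        linked_dir.parent.mkdir(parents=True)
        # The user-owned folder has been swapped for a link to the protected dir
        # (a symlink here; on NTFS a directory junction behaves the same way).
        os.symlink(protected, linked_dir, target_is_directory=True)
        origin = linked_dir / "sample.dll"

        landed = restore_unsafe(sample, origin)
        try:
            restore_hardened(sample, origin, root)
            hardened_refused = False
        except PermissionError:
            hardened_refused = True

        # Control: an untouched user folder restores normally.
        plain_dir = root / "Users" / "bob" / "Downloads"
        plain_dir.mkdir(parents=True)
        plain = restore_hardened(sample, plain_dir / "sample.dll", root)

        return {
            "unsafe_landed_in_protected": landed.parent == protected,
            "hardened_refused": hardened_refused,
            "plain_restore_ok": plain.parent == plain_dir
            and plain.read_bytes() == sample.read_bytes(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats belong next to this check. First, it is check-then-write: a directory swapped between the lstat walk and the copy would still be followed, so the path validation is defence in depth, not the fix; the robust remedy is to perform the restore under the requesting user's own security context (impersonation), so the write carries no more privilege than that user already has. Second, on Python 3.12 and later `os.path.isjunction()` answers the junction question directly, but the lstat attribute test above works on older interpreters as well.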

Who is/was affected?
==============================================================
During the preparation for this public disclosure, several different products 
have been checked for #AVGater. The following vendors have already released 
their fix. However, there are a few more to come!

- TrendMicro
- Kaspersky
- ZoneAlarm
- Emsisoft
- Malwarebytes
- Ikarus

Getting our hands dirty
==============================================================
If you want to know more about how to exploit #AVGater in a real life scenario, 
I have good news for you: I already fully documented two exploit vectors:

- Emsisoft: 
https://bogner.sh/2017/11/local-privilege-escalation-in-emsisoft-anti-malware-by-abusing-ntfs-directory-junctions-avgater/
- Malwarebytes: 
https://bogner.sh/2017/11/local-privilege-escalation-in-malwarebytes-3-by-abusing-ntfs-directory-junctions-avgater/

How to protect myself?
==============================================================
Generally, it's pretty simple: always install updates in a timely manner. 
However, as some vendors still need a few more days to release their fix, it 
may take a little while until everyone is protected.

Furthermore, as #AVGater can only be exploited if the user is allowed to 
restore previously quarantined files, I recommend that everyone within a 
corporate environment block normal users from restoring identified threats. 
This is wise in any case.

Florian Bogner

eMail: florian@xxxxxxxxx
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/