New hacking technique to exploit antivirus and extract data from servers

TokyoWesterns’ team of web application security experts just unveiled a new attack method that, if exploited, would allow the extraction of sensitive information from any server protected with Windows Defender.

This attack method, dubbed “Oracle AV”, was disclosed during a recent cybersecurity event and, according to its developers, is a specialized server-side request forgery technique that leverages security mechanisms included in Windows Defender by default. Windows Defender is the antivirus security tool pre-installed on Microsoft systems.

These kinds of attacks (commonly known as SSRF attacks) rely on sending specially crafted requests that trick servers into responding with sensitive information that would otherwise be inaccessible to threat actors, according to web application security specialists.

Hackers usually use SSRF attacks to reach certain resources, such as sensitive files and other resources that can only be accessed through the local network of the target server. The method developed by the researchers demonstrates an attack against a web application running on a Windows Defender-protected server.

The target application contained some publicly available URLs (any user could access them), plus a URL accessible only to administrators via the local address “localhost” (on the same server); according to the experts, this URL contained the target’s confidential information.

The web application security experts then created a specially crafted JavaScript snippet and embedded it in the query string of one of the publicly available URLs. This causes certain protection features in Windows Defender to scan the snippet for malicious commands. Because this analysis is applied to the responses the server sends to the client, a hacker who manipulates the script carefully could have Windows Defender leak sensitive information stored in the target web application.

In addition, this vulnerability could also be classified as an exploit of the XS-Search category. In other words, this flaw causes antivirus software to leak a secret value when a file containing both an attacker-controlled value and sensitive information is stored.

According to web application security specialists from the International Cyber Security Institute (IICS), Windows Defender would unintentionally start leaking multiple details about the attacked system to attackers. When asked about this flaw, one of the team members who conducted the research stated that this attack method could also work against other endpoint protection solutions, noting that such a scenario would require the targeted antivirus to have a component that analyzes JavaScript code, as Windows Defender does.

Moreover, when questioned about the harmful potential of the Oracle AV attack in other scenarios or against other targets, the specialist mentioned that the investigation is not yet complete, so new ways to exploit these flaws could appear shortly, although the specialist did mention one potential scenario: “This attack may also work against a browser’s cache, so Oracle AV would affect servers and users,” warns the expert.
