According to a report published by CyberArk researcher Eran Shimony today and shared with The Hacker News, the high privileges often associated with anti-malware products render them more vulnerable to exploitation via file manipulation attacks, resulting in a scenario where malware gains elevated permissions on the system.
The bugs impact a wide range of antivirus solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, each of which has been fixed by the respective vendor.
Chief among the flaws is the ability to delete files from arbitrary locations, allowing the attacker to delete any file in the system, as well as a file corruption vulnerability that permits a bad actor to eliminate the content of any file in the system.
Per CyberArk, the bugs result from default DACLs (short for Discretionary Access Control Lists) for the “C:ProgramData” folder of Windows, which are by applications to store data for standard users without requiring additional permissions.
Given that every user has both write and delete permission on the base level of the directory, it raises the likelihood of a privilege escalation when a non-privileged process creates a new folder in “ProgramData” that could be later accessed by a privileged process.
|Kaspersky Security Center||CVE-2020-25043, CVE-2020-25044, CVE-2020-25045|
|McAfee Endpoint Security and McAfee Total Protection||CVE-2020-7250, CVE-2020-7310|
|Symantec Norton Power Eraser||CVE-2019-1954|
|Check Point ZoneAlarm and Check Point Endpoint Security||CVE-2019-8452|
|Trend Micro HouseCall for Home Networks||CVE-2019-19688, CVE-2019-19689, and three more unassigned flaws|
In one case, it was observed that two different processes — one privileged and the other run as an authenticated local user — shared the same log file, potentially allowing an attacker to exploit the privileged process to delete the file and create a symbolic link that would point to any desired arbitrary file with malicious content.
Subsequently, CyberArk researchers also explored the possibility of creating a new folder in “C:ProgramData” before a privileged process is executed.
In doing so, they found that when McAfee antivirus installer is run after creating the “McAfee” folder, the standard user has full control over the directory, allowing the local user to gain elevated permissions by performing a symlink attack.
To top it all, a DLL hijacking flaw in Trend Micro, Fortinet, and other antivirus solutions could have been exploited by an attacker to place a malicious DLL file into the application directory and elevate privileges.
Urging that access control lists must be restrictive to prevent arbitrary delete vulnerabilities, CyberArk stressed the need to update the installation frameworks to mitigate DLL Hijacking attacks.
While these issues may have been addressed, the report serves as a reminder that weaknesses in software, including those that aim to offer antivirus protection, can be a conduit for malware.
“The implications of these bugs are often full privilege escalation of the local system,” CyberArk researchers said. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization.”