A design flaw in various antivirus products allows malware or local attackers to exploit the “Restore Quarantine” feature. Malware that has already been quarantined can be moved to sensitive areas of the operating system in order to survive restarts and escalate privileges.
Florian Bogner, a security auditor at the Austrian cyber-security company Kapsch, discovered the flaw, which he tracks under the code name AVGater. Bogner has informed the affected antivirus vendors; some have already updated their security solutions. Bogner published the findings in this blog post.
The following illustration shows the inner workings of a typical antivirus product from the perspective of an unprivileged user. There are three different access domains: kernel mode, privileged user mode (SYSTEM) and unprivileged user mode. As the figure shows, the various components have very different tasks:
In the context of the unprivileged user, there is only the AV user interface. On its own it has no real power, because it runs within a limited user session. However, by communicating with the Windows service of the AV product, the user interface can do many things that a normal user is denied by the permission model. For example, it may be allowed to recover files from the virus quarantine.
AVGater makes use of exactly this.
The question is whether an attack scenario is conceivable that exploits the quarantined files to infiltrate the system with malware, even though the user has no privileges. Bogner has published the following video.
As shown in the video above, #AVGater can be used to restore a previously quarantined file to any location on the file system. This is possible because the restore process is usually performed by the privileged AV Windows user-mode service.
This privileged file write vulnerability can be used to place a malicious DLL anywhere on the system. The goal, as Bogner writes, is to have a legitimate Windows service side-load this library by abusing the DLL search order. If this succeeds, arbitrary code is executed via the library's DllMain entry point.
The open question: how can the quarantine restore be abused without SYSTEM privileges? The answer is NTFS directory junctions, which any user can create with the help of mklink. Misusing a directory junction redirects a restored quarantine file to any location on the system. This makes the following scenario possible.
- First, a malicious library is moved to the AV quarantine. Then the original source path is redirected to another destination through the misuse of an NTFS directory junction (most likely a folder in C:\Program Files or C:\Windows).
- By restoring the previously isolated file, the SYSTEM privileges of the Windows user-mode service are abused and the malicious library is placed in a folder that the currently logged-on user could not write to under normal conditions.
- Because of how the DLL search order works, the library is eventually loaded by another privileged Windows process, and the code in the malware library's DllMain is executed.
A local non-administrator thus gains full control over the affected endpoint. Bogner has summarized the whole chain in the following picture.
The AV vendors Trend Micro, Kaspersky, Malwarebytes, Emsisoft, ZoneAlarm and IKARUS have fixed this vulnerability with updates. Further details can be read here.
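Besides performing the restore under the requesting user's own token (so that a write into C:\Program Files fails exactly as it would for that user), a restore routine can verify that the directory recorded at quarantine time has not been redirected in the meantime. The following Python is an added example written for this article, not code from Bogner's post or from any AV vendor. It assumes the service stores the canonical (fully resolved) directory when it quarantines a file, and treats a reparse point (junction or symlink) anywhere on the recorded path, or a changed resolution of that path, as grounds to refuse the restore. The `QuarantineRecord` class, the function names and the temporary-directory demo are hypothetical constructions for the example.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Windows sets this attribute on junctions, symlinks and other reparse points;
# on non-Windows platforms only the st_mode symlink check below applies.
FILE_ATTRIBUTE_REPARSE_POINT = 0x400


def is_reparse_point(path: str) -> bool:
    """True if `path` is a symlink or, on Windows, any reparse point such as a junction."""
    try:
        st = os.lstat(path)  # lstat inspects the link itself instead of following it
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def reparse_components(path: str) -> list:
    """All components of `path` (itself and every ancestor) that are reparse points."""
    p = Path(os.path.abspath(path))
    return [str(c) for c in (p, *p.parents) if is_reparse_point(str(c))]


@dataclass(frozen=True)
class QuarantineRecord:  # hypothetical record the AV service would persist
    original_path: str   # absolute path the file was found at
    canonical_dir: str   # realpath of its directory, captured at quarantine time


def quarantine(path: str) -> QuarantineRecord:
    """Capture the canonical directory while the file is being quarantined."""
    absolute = os.path.abspath(path)
    return QuarantineRecord(
        original_path=absolute,
        canonical_dir=os.path.realpath(os.path.dirname(absolute)),
    )


def validated_restore_target(rec: QuarantineRecord) -> str:
    """Return the path a privileged restore may write to, or raise PermissionError.

    Refuses if (a) any component of the recorded directory is now a junction/symlink,
    or (b) the directory no longer resolves to the canonical location recorded earlier.
    """
    directory = os.path.dirname(rec.original_path)
    hits = reparse_components(directory)
    if hits:
        raise PermissionError(f"refusing restore: reparse point(s) on path: {hits}")
    now = os.path.realpath(directory)
    if os.path.normcase(now) != os.path.normcase(rec.canonical_dir):
        raise PermissionError(f"refusing restore: {now!r} != recorded {rec.canonical_dir!r}")
    return rec.original_path


def restore(rec: QuarantineRecord, quarantined_bytes: bytes) -> str:
    """Write the quarantined content back only after validation; returns the written path."""
    target = validated_restore_target(rec)
    with open(target, "wb") as f:
        f.write(quarantined_bytes)
    return target


if __name__ == "__main__":
    # Constructed demo: quarantine a file, replace its directory with a link to a
    # "protected" folder (the role a junction plays on Windows), then attempt a restore.
    base = os.path.realpath(tempfile.mkdtemp())
    user_dir = os.path.join(base, "user_dir")
    protected = os.path.join(base, "protected")
    os.mkdir(user_dir)
    os.mkdir(protected)
    sample = os.path.join(user_dir, "evil.dll")
    with open(sample, "wb") as f:
        f.write(b"not really a DLL")
    rec = quarantine(sample)
    os.remove(sample)
    os.rmdir(user_dir)
    os.symlink(protected, user_dir)  # the recorded directory now points elsewhere
    try:
        restore(rec, b"not really a DLL")
    except PermissionError as e:
        print("blocked:", e)
```

Two caveats for anyone adapting this: `os.path.realpath` only resolves Windows junctions on Python 3.8 and later, and a check followed by a separate write leaves a small window in which the path can still be swapped. The validation therefore complements, rather than replaces, doing the write itself under the requesting user's token.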