As you may have noticed, it has been quite still here for a while. This was related to the preparations for this release: a post disclosing a new type of vulnerability affecting multiple Anti-Virus solutions. To summarise: today, I'm disclosing an issue that can be exploited by any local user to gain full control over the endpoint by abusing the restore-from-quarantine Anti-Virus feature.

And because every new vulnerability needs its own name and logo, I want to introduce you to #AVGater:

But let's get back on track by discussing a few Anti-Virus basics. The following diagram shows the inner workings of a typical AV from an unprivileged user's point of view. There are three different access domains: the kernel mode, the privileged user mode (SYSTEM) and the unprivileged user mode. As shown in the following image, the different components have widely different duties:

Within the context of the unprivileged user there is only the AV user interface. By itself, it has no real power, because it's executing within a limited user session. However, by talking to the AV Windows service it can do many things a normal user would not be able to. For example, it may be allowed to restore files from the virus quarantine (this could be a hint – couldn't it?).

Most likely it's doing the real work of checking objects for known threat identifiers.

So what's the real point here? Well, if a non-privileged user were able to manipulate any of the communication channels that cross security boundaries (unprivileged user mode to privileged user mode, or privileged user mode to kernel mode), he could escalate his privileges. In the case of #AVGater, the answer to this question is: by manipulating the restore process from the virus quarantine:

As shown in the above video, #AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don't really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side load this library into a legitimate Windows service by abusing the DLL Search Order:

If this succeeds, arbitrary code can be executed with the help of the DLLMain entry point.

But there is still one very important question unanswered: how is it possible to tamper with the restore process? The solution is NTFS directory junctions. They are basically symbolic links for directories that can be created by anyone with the help of mklink.
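As an added illustration of the defensive side (this is not code from the post or from any AV vendor): a restore routine that writes as SYSTEM should refuse any target path that passes through a reparse point. The check below walks the target path component by component, refuses if any component is a junction or symlink, and refuses if the resolved path escapes the restore root; the sandbox built by `demo()` is constructed for the example, and on POSIX an ordinary symlink stands in for the NTFS junction.

```python
import os
import stat
import tempfile
from typing import Optional

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows: set on junctions and symlinks


def is_reparse_point(path: str) -> bool:
    """True if path itself (not its target) is a symlink or a Windows reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes exists only on Windows; elsewhere a symlink is the analogue.
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def safe_restore_target(restore_root: str, target: str) -> Optional[str]:
    """Validated absolute path for a restore, or None if it must be refused: no
    existing component may be a junction/symlink and the path must stay under root."""
    root = os.path.realpath(restore_root)
    candidate = os.path.abspath(os.path.join(root, target))
    try:
        rel = os.path.relpath(candidate, root)
    except ValueError:  # different drive on Windows: cannot be inside the root
        return None
    if rel.startswith(os.pardir):
        return None
    current = root
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        if os.path.lexists(current) and is_reparse_point(current):
            return None  # a junction/symlink sits in the path: refuse the write
    if os.path.commonpath([root, os.path.realpath(candidate)]) != root:
        return None
    return candidate


def demo() -> dict:
    """Constructed sandbox: a symlink (standing in for an NTFS junction on POSIX)
    inside the restore root points at a directory outside it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "quarantine_restore")
    outside = os.path.join(base, "protected_dir")  # stands in for a service's DLL directory
    for d in (root, outside):
        os.makedirs(d)
    os.symlink(outside, os.path.join(root, "redirect"), target_is_directory=True)
    return {
        "plain_file": safe_restore_target(root, "report.txt") is not None,
        "through_junction": safe_restore_target(root, os.path.join("redirect", "restored.dll")) is None,
        "dot_dot_escape": safe_restore_target(root, os.path.join("..", "protected_dir", "x.dll")) is None,
    }
```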