In a report published by CyberArk Labs, experts have pointed out that anti-malware solutions that are supposed to protect the user may unintentionally assist malware in increasing privileges on the system. Anti-malware products seem to be a lot more vulnerable to exploitation because of their high privileges, which could be abused to gain elevated permissions via file manipulation attacks. Multiple anti-malware products that are vulnerable to the bugs include those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender. However, respective vendors have fixed each of these vulnerabilities reported by the researchers. According to the researchers, one of the primary causes of several flaws is the default DACLs (Discretionary Access Control Lists) of the C:\ProgramData directory. On Windows, the ProgramData directory is used by applications to store data that is not specific to a user. This means that processes\services that are not related to a specific user would probably use ProgramData instead of the %LocalAppData%, which is accessible by the current logged in user. “I assume this is the reason why ProgramData has permissive DACLs by design so that every user can access directories there freely,” reads the report. In other words, every user has both write and delete permission on the base level of the directory. This means if a non-privileged process created a directory in “ProgramData”, it could be later accessed by a privileged process. Given below is a complete list of issues discovered by the CyberArk researchers: To demonstrate what happens if a non-privileged process creates directories\files that would be later used by a privileged process, the researchers provide information about a shared Log File issue that affects Avira’s AV. An attacker could potentially exploit the privileged process to delete the file and create a symbolic link (also known as symlink or soft link) that would point to any desired arbitrary file on the target system with malicious content. CyberArk researchers also discovered the possibility of creating a new folder in “C:\ProgramData” before a privileged process related to an antivirus software is executed. While doing this, the researchers found that when McAfee antivirus installer is executed after creating the “McAfee” folder, the standard user has full control over the directory. This allows the local user to gain elevated permissions through a symbolic link attack. Besides this, the researchers also reported a DLL hijacking flaw in Trend Micro, Fortinet, and other antivirus solutions that could allow attackers to execute a malicious DLL file into the application directory and elevate privileges. To prevent arbitrary delete vulnerabilities, CyberArk emphasized on the need to update the installation frameworks to lessen DLL Hijacking attacks. “The implications of these bugs are often full privilege escalation of the local system. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization. The exploits that were presented here are easy to implement, but also easy to patch against,” concludes CyberArk.
