Exploit for popular commercial anti-viruses: possible execution of code with "SYSTEM" privileges

We know a lot about security software and are probably the only ones in Poland who verify protection effectiveness, trying to identify the most effective solutions for detecting malicious code. But we would not be objective if we did not present the other side of the coin. The presumption that antiviruses do more harm than good is sometimes very accurate and sometimes far-fetched. How is it this time?

COM objects and the Windows system registry

Security programs often require the highest privileges for the operations they perform on files and system processes. This is logical, but anti-viruses are also software, which may contain more or less serious vulnerabilities or incorrectly implemented protection against the injection of foreign code.

The privileged operations performed in the system are implemented in kernel drivers (ring 0) and in services running in user mode (ring 3), which can communicate with each other. For this reason, in some cases the anti-virus process responsible for the graphical interface can trigger operations that require the highest privileges, such as:

  • configuring the security software;
  • issuing a scan command, deleting files, restoring from quarantine;
  • exporting and importing configuration;
  • blocking processes; allowing and blocking Internet traffic;
  • scanning encrypted communication;
  • disabling protection permanently or temporarily;
  • and more.

Some vendors perform operations between the anti-virus and the system via COM objects, which in turn can be used to execute binary code, for example to deactivate real-time protection even though the self-protection feature is enabled. The "hijacking" attack technique can be used by malicious software to run applications without displaying any windows and without requiring administrator privileges (bypassing UAC). By using COM objects, it is possible to hide files and registry keys from other processes in user mode, not to mention injecting code into already running processes.

In general, the purpose of COM technology is to provide an interface that allows programmers to control and manipulate objects of other applications, including running certain functions in the operating system, using unique CLSIDs. For example, the identifier {21EC2020-3AEA-1069-A2DD-08002B30309D} opens the Control Panel window. Another identifier can in turn run a script or a binary file, disable Windows Update, or add a firewall rule, a driver, a service, etc. Each such identifier is stored in the system registry.

The task of the researchers was to prove that the discovered technique of bypassing self-protection by hijacking COM objects and running malicious code is possible under production conditions.

James Forshaw demonstrated this attack technique in his research, where COM objects can also be used to elevate privileges in the Oracle VirtualBox hypervisor. In short, "COM hijacking" allows you to run your own binary files, completely unrelated to the source program. James proved that in the case of vulnerability CVE-2017-3563 in VirtualBox, the PE signature check on a loaded DLL file can be bypassed by loading the scrobj.dll library signed by Microsoft, which makes it possible to run JScript or .NET code. The attacker is then able to manipulate the memory of the hijacked process and use the system API. And this is very dangerous.

Tests were carried out on the following products:

  • Kaspersky Lab
    • Kaspersky Free (18.0.0.405)
    • Kaspersky Antivirus (17.0.0.611)
    • Kaspersky Endpoint Security (10.3.0.6294)
  • Symantec
    • Symantec Norton Security Deluxe (22.10.1.10)
    • Symantec Endpoint Protection (14.0.3752.1000.105)
  • Bitdefender
    • Bitdefender Antivirus Plus 2018 (22.0.8.992)
    • Bitdefender Gravityzone (Endpoint Security Tools 6.2.25.953)
  • Comodo
    • Comodo Internet Security Premium (10.0.1.6258)
  • Trend Micro
    • Trend Micro Maximum Security (22.10.1.10)

Tests have shown that the same vulnerability, CVE-2017-3563, can be used to run JScript or .NET code through the process of antivirus software with the self-protection function enabled. In some cases it is even possible to run such code and elevate privileges to the highest level, i.e. "NT AUTHORITY\SYSTEM".

Kaspersky Lab, whose "antivirus engine" was the only one to detect the injected script, has the most reasons to be pleased. However, there is nothing to be happy about, because bypassing the protection was so simple that it was enough to load the malicious file through a COM object whose registry key contains a URL rather than a path to a file.

The experiment shows that it is possible to interfere with antivirus processes, deactivate protection even though the configuration is password-protected, hide malicious software, or manipulate files on disk with system privileges. It is even suspected that SSL/TLS communication can be decrypted.
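
As an added illustration (not code from the report or from any of the vendors), the following Python script audits a `reg export` of HKCU\Software\Classes\CLSID for the two markers described above: a per-user COM class whose InprocServer32 is scrobj.dll, and a ScriptletURL key that holds a URL rather than a file path. The sample export, the GUIDs and the function names are constructed for the example; ScriptletURL is the subkey that Windows Script Components use to point scrobj.dll at their script.

```python
import re

# Constructed sample in `reg export` text format; GUIDs, paths and URL are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\scrobj.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\ScriptletURL]
@="http://example.invalid/component.sct"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\ExampleApp\\shellext.dll"
'''

KEY_RE = re.compile(r'^\[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(\w+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')  # plain REG_SZ only; hex(2) values are not decoded

def parse_clsid_defaults(export_text):
    """Return {CLSID: {subkey: default value}} for per-user COM registrations."""
    entries, slot = {}, None
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            slot = (m.group(1).upper(), m.group(2).lower()) if m else None
            if slot:
                entries.setdefault(slot[0], {})[slot[1]] = ""
        elif slot and (m := DEFAULT_RE.match(line)):
            # .reg files double every backslash inside string values
            entries[slot[0]][slot[1]] = m.group(1).replace("\\\\", "\\")
    return entries

def find_scriptlet_hijacks(export_text):
    """Flag per-user classes served by scrobj.dll or carrying a ScriptletURL."""
    findings = []
    for clsid, sub in sorted(parse_clsid_defaults(export_text).items()):
        reasons = []
        if re.search(r'(^|\\)scrobj\.dll$', sub.get("inprocserver32", ""), re.I):
            reasons.append("InprocServer32 is scrobj.dll")
        url = sub.get("scriptleturl")
        if url is not None:
            remote = re.match(r'(?i)(https?|ftp)://', url)
            reasons.append("ScriptletURL is remote" if remote else "ScriptletURL is set")
        if reasons:
            findings.append((clsid, reasons, url or sub.get("inprocserver32", "")))
    return findings

if __name__ == "__main__":
    for clsid, reasons, target in find_scriptlet_hijacks(SAMPLE_EXPORT):
        print(clsid, "; ".join(reasons), target)
```

A real `reg export` file is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text to `find_scriptlet_hijacks`.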

Restoring files from quarantine

As everyone knows, quarantine is an area isolated from the user's folders, often also encrypted. It requires the highest privileges for writing or reading (although not always). Quarantine is also a safeguard against false alarms: files treated as malicious can be restored. The data in quarantine must also be secured somehow against unauthorized access, for example by other processes or through theft of the encryption key files. Therefore the anti-virus process responsible for restoring data from quarantine (unfortunately) does not always run with the local user's privileges, and sometimes runs with "SYSTEM" privileges. This is a mistaken assumption on the developers' part because, as the test shows, a local user process sends a request to the process running with "SYSTEM" rights, which should respond by restoring the file with the privileges of the local user process. This may sound a bit complicated, but in the tested products the permission check was not implemented with due diligence, so the file restored from quarantine is created in the target location with "NT AUTHORITY\SYSTEM" privileges instead of the local user's privileges. Consequently:

A malware author can write malware that displays a window with information about launching a program with elevated privileges (UAC), impersonating the antivirus process.

OK, but how can this be used in practice? In the traditional way. The attacker must somehow deliver the malicious code to the system: exploit a vulnerability in the system, use a drive-by download attack, send the virus through an SMB protocol vulnerability or rely on social engineering, provided that the virus is completely undetectable by the anti-virus. Difficult? Not necessarily.

The transfer of permissions between processes concerns not only quarantine, but also deleting files through a special module, often called "file shredding", importing settings, or even exporting logs to a file. All these operations are performed "manually" by the user or automatically as a result of operations scheduled in the administrator console. Features that are not related to direct access to files (such as network settings or SSL/TLS scanning) have not been tested, but the report indicates that they may provide other vectors for effective attacks and opportunities for malware authors.

Other technical details are available in the PDF report.

What is the scale of the problem?

The products that underwent the penetration test come from the most reputable companies, which achieve the best results in independent protection tests. That is why it was decided to check these solutions, to draw the attention of the public and of the vendors themselves, who slip up from time to time. However, the situation is not so apocalyptic that you should now jump to the control panel and remove software which, after all, stands guard over security, catching at least the known and the more advanced threats.

Using antivirus processes to run malicious code certainly applies to solutions from other companies as well, but not all of them. We can therefore assume that software that uses Bitdefender, Kaspersky Lab, Trend Micro and Symantec technologies (we do not know of "desktop" products that use Comodo technology) may be more or less susceptible to the described security flaws. It is difficult to verify unequivocally how smaller companies use ready-made technologies in their products (often copied almost 1:1), since this depends on various variables. A fix has to cover from several to several dozen types of SDK kits, which are offered, for example, by Bitdefender. Without tests, it is impossible to predict which antivirus from the list above is vulnerable and which is not.

What to do in this situation?

It is best to limit yourself to running applications only from specific locations, or only programs added to whitelists. The digital signatures of binary files also matter. Files not authorized by a certification authority should be considered dangerous and handled in isolated environments. In the case of Bitdefender GravityZone and Kaspersky Endpoint Security, tampering with anti-virus processes using quarantine was not possible under the default security policy. This did not apply to all tested products (which does not mean that the vendors should be praised). It is worth introducing such a restriction for employees. For security reasons, only the administrator or an authorized person should have access to the anti-virus settings.

The study raises one more problem: vendors may deliberately favor business customers. There is a lot of money in the small and medium enterprise sector, as well as in large companies and corporations. We would not be surprised if vendors provided company machines with a better level of protection against malware and better-tuned code.

Users are left to treat every unknown file as a potential threat. Carrying out the described attack will not be easy in practice, so it is not worth depriving yourself of this basic protection. Let's hope that this research reaches decision-makers and that the problem of running malicious code through the processes of the security program is fixed quickly.

By the way, perhaps it is worth taking an interest in something other than a traditional "anti-virus"?


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.