You trust your antivirus software to protect your PC from malicious attacks, but what if the anti-virus quarantine feature can itself be turned against you? A recent finding shows that the malware quarantine feature of several antivirus products could be abused by a local attacker to gain administrative (SYSTEM-level) privileges on the PC.
The flaw, dubbed AVGater, was discovered by Florian Bogner, a researcher with the security firm Kapsch. AVGater exploits a user's ability to restore suspicious files that antivirus programs have moved to the quarantine folder.
Bogner demonstrated a method that tricks antivirus programs into restoring quarantined files to a directory other than their original location. Because the restore is performed by the privileged AV service, the attacker can have the file written into a normally protected location on the host, from where the malicious code is re-introduced and loaded by a privileged process.
Explaining the vulnerability, Bogner said,
AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don't really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side load this library for a legitimate Windows service by abusing the DLL Search Order.
How AVGater abuses the anti-virus quarantine feature in five steps
The attack sequence of AVGater can be summarized in the following five steps:
- A non-admin attacker causes the antivirus to quarantine a malicious library located in a directory the attacker controls
- The attacker then uses the directory junction feature of NTFS to turn that original directory into a junction pointing at C:\Windows or another system folder. Unlike an NTFS symbolic link, a junction can be created by a standard user without any special privilege, which is what makes this step possible from a low-privilege account
- A regular user doesn't have permission to write to sensitive system folders, but antivirus products do, because they run with SYSTEM privileges. By restoring the previously quarantined file, the attacker abuses the permissions of the AV Windows user mode service and places the malicious library in a folder the currently signed-in user could not write to under normal conditions
- The default DLL search order lets applications locate their libraries by searching a fixed sequence of locations, with the application's own directory checked before the system directories. If an attacker places a library with the same name as a legitimate one in a location that is checked earlier in the search path, the targeted application loads it instead of the legitimate one, and the code in the malicious library's DllMain is executed with the privileges of that application
- The attacker gains complete control over the affected endpoint
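As an added example that is not part of Bogner's write-up or of this article, the following PowerShell script audits a Windows host for the two conditions the steps above depend on: NTFS directory junctions under user-writable paths that point into a protected system directory (the redirection in step two), and directories on the default DLL search path of a given executable that a standard user can write to (what makes the side-loading in step four possible). The search roots, the protected roots and the choice of notepad.exe as the probed executable are illustrative assumptions; adjust them for your environment.

```powershell
# Added example, not code from the original article or from Bogner's research.
# Audits a host for the preconditions of an AVGater-style quarantine-restore abuse:
#   1. directory junctions in user-writable locations whose target lies inside a
#      protected system directory;
#   2. directories on an executable's default DLL search path that the current
#      (ideally non-admin) user can write to.
# The roots below are assumptions chosen for illustration.

$ProtectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Find-SuspiciousJunctions {
    param([string[]]$SearchRoots = @($env:USERPROFILE, $env:TEMP, "$env:SystemDrive\Users\Public"))

    foreach ($root in ($SearchRoots | Where-Object { Test-Path $_ })) {
        # -Attributes ReparsePoint returns junctions and symbolic links; only junctions
        # are kept, since a standard user can create those without
        # SeCreateSymbolicLinkPrivilege.
        Get-ChildItem -Path $root -Directory -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
            Where-Object { $_.LinkType -eq 'Junction' } |
            ForEach-Object {
                $target = $_.Target | Select-Object -First 1   # string[] on PS 5.1, string on PS 7
                if ($target) {
                    $target = $target.TrimEnd('\')
                    $hit = $ProtectedRoots | Where-Object { $target -like "$_*" }
                    if ($hit) {
                        [pscustomobject]@{ Junction = $_.FullName; Target = $target }
                    }
                }
            }
    }
}

function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Probe by actually creating a file: inherited and deny ACEs make static ACL
    # parsing error-prone, and a write attempt is exactly what an attacker would do.
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-WritableDllSearchDirs {
    param([Parameter(Mandatory)][string]$ExePath)
    # Default search order with SafeDllSearchMode enabled (the default): application
    # directory, System32, the 16-bit System directory, the Windows directory, the
    # current directory, then each PATH entry. With SafeDllSearchMode disabled the
    # current directory moves up to second place, which widens the attack surface.
    $order = @(
        (Split-Path -Parent $ExePath),
        "$env:SystemRoot\System32",
        "$env:SystemRoot\System",
        $env:SystemRoot,
        (Get-Location).Path
    ) + ($env:Path -split ';' | Where-Object { $_ })

    $order | Select-Object -Unique |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
        ForEach-Object {
            [pscustomobject]@{ Directory = $_; UserWritable = (Test-UserWritable -Directory $_) }
        }
}

# Usage: run from a standard (non-admin) account so the writability probe reflects
# what an attacker at that privilege level could actually do.
Find-SuspiciousJunctions | Format-Table -AutoSize
Get-WritableDllSearchDirs -ExePath "$env:SystemRoot\System32\notepad.exe" |
    Where-Object UserWritable | Format-Table -AutoSize
```

Any junction the first function reports is worth an explanation, since legitimate junctions (such as the per-user profile compatibility links) do not point into C:\Windows or Program Files. Any directory the second function flags as user-writable and earlier in the search order than the legitimate DLL's location is a side-loading opportunity regardless of how the write is obtained, quarantine restore being only one such privileged file write.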
According to Bogner, the antivirus vendors Trend Micro, Kaspersky Lab, Check Point, Emsisoft, Malwarebytes, and Ikarus have already released fixes, and other affected vendors are expected to follow. Windows Defender, by the way, was not affected by this vulnerability.
A silver lining, though
Although AVGater is dangerous, it has a limitation: it is a local privilege escalation, so it can only be exploited by an attacker who already has access to the PC, whether physical access or code execution as a low-privileged user. It cannot be exploited remotely on its own, which effectively rules out mass exploitation across networks.
Moreover, AVGater can only be triggered if the user is allowed to restore previously quarantined files, so restricting the quarantine restore function to administrators, a setting many products offer, easily prevents the attack.