A new exploit called AVGater was created by an Austria-based security consultant named Florian Bogner. Many AV products provide functionality to quarantine files, and users can restore the quarantined files whenever they want.
But let’s get back on track, by discussing a few Anti-Virus basics. The following diagram shows the inner workings of a typical AV from an unprivileged user’s point of view. There are three different access domains: The kernel mode, the privileged user mode (SYSTEM) and the unprivileged user mode. As shown in the following image, the different components have widely different duties:
Within the context of the unprivileged user, there is only the AV user interface. By itself, it has no real power, because it is executing within a limited user session. However, by talking to the AV Windows service it can do many things a normal user would not be able to. For example, it may be allowed to restore files from the virus quarantine (This could be a hint – Couldn’t it?). Additionally, there is a kernel component. Most likely it’s doing the real work of checking objects for known threat identifiers.
So what’s the real point here? Well, if a non-privileged user were able to manipulate any of the communication channels that cross security boundaries (unprivileged user mode to privileged user mode, or privileged user mode to kernel mode), he could escalate his privileges. But how to do that?
In the case of #AVGater, the answer to this question is: By manipulating the restore process from the virus quarantine:
As shown in the above video, #AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs can be circumvented (as they don’t really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system. The goal is to side-load this library into a legitimate Windows service by abusing the DLL search order.
If this succeeds, arbitrary code can be executed with the help of the DllMain entry point.
But there is still one very important question unanswered: How is it possible to tamper with the restore process? The answer is NTFS directory junctions. They are basically symbolic links for directories that can be created by anyone with the help of mklink.
#AVGater in plain English: By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated so that previously quarantined files are written to arbitrary file system locations.
Putting it all together
With all this knowledge, we can now paint a complete attack scenario: First, a malicious library is moved to the AV quarantine. Then, by abusing directory junctions, the original source path is redirected to another destination, most likely a folder within C:\Program Files or C:\Windows. By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder that the currently signed-in user cannot write to under normal conditions. Because of how the DLL search order works, it is finally loaded by another privileged Windows process. Thereby the code within the DllMain of the malicious library is executed. Hence, a local non-admin attacker has gained full control over the affected endpoint.
Here’s a diagram illustrating the whole process:
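To make the junction problem concrete from the AV vendor's side, here is an added example that is not part of the original post or of Bogner's research: a naive restore routine that writes back to the recorded path (and so follows whatever link now sits in it) next to a hardened one that refuses to write through any reparse point. On Windows the check uses the reparse-point file attribute that NTFS junctions carry; on POSIX, where the example is run, ordinary symlinks stand in for junctions. All paths and file names are constructed for the example.

```python
import os
import stat

# Windows marks junctions (and symlinks) with the reparse-point attribute; the
# constant only exists in the stat module on Windows, so fall back to its value.
_REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: str) -> bool:
    """True if this path component itself is a junction or symlink (not followed).
    On POSIX only symlinks exist, so they stand in for NTFS junctions here."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    # st_file_attributes is only present on Windows; junctions set the reparse bit.
    return bool(getattr(st, "st_file_attributes", 0) & _REPARSE_POINT)


def naive_restore(quarantine_copy: str, original_path: str) -> str:
    """The behaviour #AVGater abuses: write back to the recorded original path and
    let the file system follow whatever junction now sits in that path."""
    with open(quarantine_copy, "rb") as src, open(original_path, "wb") as dst:
        dst.write(src.read())
    return os.path.realpath(original_path)  # where the bytes actually landed


def safe_restore(quarantine_copy: str, original_path: str) -> str:
    """Hardened restore: refuse if the destination or any directory leading to it
    is a reparse point, then open the file without following links."""
    dest = os.path.abspath(original_path)
    component = dest
    while True:
        if is_reparse_point(component):
            raise PermissionError(f"restore path goes through a link/junction: {component}")
        parent = os.path.dirname(component)
        if parent == component:  # reached the drive or filesystem root
            break
        component = parent
    # O_NOFOLLOW (POSIX) closes the race between the check above and the write.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)
    with open(quarantine_copy, "rb") as src, os.fdopen(fd, "wb") as dst:
        dst.write(src.read())
    return os.path.realpath(dest)
```

A production restore would additionally verify that the final, resolved directory still matches the one recorded at quarantine time, since the walk above only covers links present at the moment of the check.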
Who is/was affected?
During the preparation for this public disclosure, several different products have been checked for #AVGater.
The following vendors have already released their fix. However, there are a few more to come!
How to protect myself?
Generally, it’s pretty simple: Always install updates in a timely manner. However, as some vendors still need a few more days to release their fix, it may take a little while until everyone is protected.
Furthermore, as #AVGater can only be exploited if the user is allowed to restore previously quarantined files, we recommend that everyone within a corporate environment block normal users from restoring identified threats.
Credit: bogner.sh | Fossbytes