Vulnerabilities present in "all major anti-malware products"

A new study from CyberArk has found that anti-malware products from all the major antivirus vendors it tested could be exploited to increase privileges. The company tested anti-malware products from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, Microsoft, Avast, and F-Secure and found that every one of them could be abused to increase privileges on users' systems. This is quite ironic, because anti-malware solutions are supposed to protect users, yet they can inadvertently help malware gain more privileges on a system. According to CyberArk's new blog post, many vendors fall victim to the same types of bugs, and anti-malware products are especially attractive targets because they run with elevated privileges. The sheer number of bugs found in anti-malware products can be staggering, but many of them can be fixed easily if the security companies that make these products implement a few changes.

Anti-malware errors

The root cause of many errors found in anti-malware products is that many Windows applications use the operating system's ProgramData directory to store data that is not tied to a specific user. Programs that store data for a specific user typically use the %LocalAppData% directory, which can only be accessed by the currently logged-on user. CyberArk set out to answer two questions: what if a non-privileged process creates directories or files that will later be used by a privileged process, and what if it creates a directory, or a whole tree of directories, before the privileged process does?

To answer the first question, the company looked at Avira's AV, which has two processes writing to the same log file. CyberArk was able to easily redirect the output of the write operation to any desired file using a symlink attack. Although the company used Avira's AV as an example, it emphasized that this method of privilege elevation is not limited to this product or vendor. To answer the second question, CyberArk's research found that 99% of the time a privileged process will not change the DACL (Discretionary Access Control List) of a directory that already exists, so whatever permissions the unprivileged creator set remain in force.

DLL hijacking is another way anti-malware products can be abused to increase privileges. In this technique a standard user abuses the DLL loading of a privileged process to inject code into it. To prevent elevation of privilege in anti-malware products, CyberArk recommends that developers modify DACLs before using them, fix spoofing, update their software installation framework, and use LoadLibraryEx.
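The two preconditions described above, a directory under ProgramData that standard users can write into and a reparse point (symlink or junction) that redirects a privileged write, can both be checked from an administrator's side. The following PowerShell audit script is an added example written for this article; it is not CyberArk's code and not any vendor's. The `$env:ProgramData\ExampleVendor` path is a placeholder, and the hardened DACL applied by `Protect-Directory` (SYSTEM and Administrators full control, Users read and execute, no inheritance) is one reasonable baseline, not a setting taken from the research.

```powershell
# Added example (not CyberArk's or any vendor's code): audit directories a privileged
# process trusts for (1) ACEs that let low-privilege principals create or replace
# content and (2) reparse points that could redirect a privileged write.
param(
    [string[]]$Paths = @("$env:ProgramData\ExampleVendor"),  # placeholder vendor directory
    [switch]$Remediate                                        # apply Protect-Directory when set
)

# Low-privilege principals whose write access is the risk the article describes.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545'  # BUILTIN\Users
)

# Rights that allow creating, replacing, or re-permissioning content in the directory.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::WriteData -bor $R::AppendData -bor $R::Delete -bor
             $R::DeleteSubdirectoriesAndFiles -bor $R::WriteAttributes -bor
             $R::WriteExtendedAttributes -bor $R::ChangePermissions -bor $R::TakeOwnership

function Get-WeakAces {
    # Return every Allow ACE on $Path that grants a low-privilege SID any write-class right.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity; skip rather than guess
        if (($LowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ReparsePoints {
    # List symlinks and junctions anywhere under $Root; a privileged process that
    # follows one of these when writing can be redirected to an attacker-chosen file.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        Select-Object FullName, LinkType, Target
}

function Protect-Directory {
    # Replace the DACL instead of trusting the one the directory was created with:
    # stop inheriting from the parent, drop every existing ACE, then grant an
    # explicit baseline. Requires an elevated session.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)          # no inheritance, discard inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $baseline = @(
        @{ Sid = 'S-1-5-18';     Rights = 'FullControl' },     # NT AUTHORITY\SYSTEM
        @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' },     # BUILTIN\Administrators
        @{ Sid = 'S-1-5-32-545'; Rights = 'ReadAndExecute' }   # BUILTIN\Users: read only
    )
    foreach ($spec in $baseline) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($spec.Sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $spec.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p -PathType Container)) {
        Write-Warning "Skipping missing directory: $p"; continue
    }
    Write-Host "== Weak ACEs under $p"
    Get-WeakAces -Path $p | Format-Table -AutoSize
    Write-Host "== Reparse points under $p"
    Get-ReparsePoints -Root $p | Format-Table -AutoSize
    if ($Remediate) { Protect-Directory -Path $p; Write-Host "DACL reset on $p" }
}
```

Run it as `.\Audit-TrustedDirs.ps1 -Paths "$env:ProgramData\SomeVendor"` from an elevated prompt to report, and add `-Remediate` to apply the baseline DACL. The audit deliberately flags inherited ACEs too, because a directory created by a standard user under ProgramData inherits that directory's permissive defaults, which is exactly the situation in which the article notes a privileged process rarely rewrites the DACL. Resetting the DACL this way is the administrator's analogue of the developer-side recommendation to modify DACLs before using a directory; it does not substitute for the product itself doing so at install and first use.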