How an antivirus works

Antivirus programs are designed to keep your computer safe from malware and other malicious content. In order to minimize the damage that a potentially malicious file can pose to a computer, antivirus programs are designed to scan files as soon as they are installed on a computer. If they are determined to be malicious, the antivirus places them in quarantine to ensure that they cannot be executed until a user either adds an exception or authorizes deletion of the file from the computer.

In order to do its job, an antivirus requires elevated privileges on a machine. Malware can be installed anywhere on the filesystem under multiple different user accounts. Elevated privileges ensure that an antivirus has the ability to detect and deal with potential malware regardless of where it is installed.

Race condition exploitation enables antivirus shutdown

RACK911 Labs took advantage of the elevated privileges granted to antivirus programs, turning those privileges against the antivirus itself and the systems it is supposed to protect. They accomplished this by combining race conditions with built-in features of the target operating system.

The potential for a race condition exists any time that multiple different execution flows are occurring in parallel. Normally, parallelization can be an asset; however, problems can occur if two different execution threads are modifying the same state. Depending on the order in which operations are performed in two or more threads, the end result of the computation can be very different.

RACK911 Labs took advantage of a “time of check vs. time of use” (TOCTOU) vulnerability in most antivirus programs. In the course of protecting a machine against malicious files, an antivirus performs two operations. The first is a check, in which it determines whether a particular file is malicious. The second is the action (or “use”) of placing the file in quarantine, which removes it from its original location and makes it unrunnable.

In theory, these two operations should happen nearly simultaneously. In reality, there is a small but significant gap between them. RACK911 Labs demonstrated that this timing gap could be exploited to render an antivirus ineffective or even harmful to a system.

Exploiting symbolic links

RACK911 turned the antivirus against the system that it protects by using built-in features of the Windows, Linux and MacOS operating systems. In Windows, a directory junction is a logical link between two directories on the system. Any user on the system can create a directory junction, and anything that happens to one of the linked directories happens to the other.

On Linux and MacOS, RACK911 Labs used symbolic links (symlinks). These are functionally identical to Windows’ directory junctions but can link files as well as directories. In Windows, symlinks exist as well but only privileged users can create them.

With directory junctions and symlinks, RACK911 Labs was able to exploit the race condition that exists in many antivirus solutions. After a piece of malware was scanned and placed on the quarantine list, the file or directory was replaced with a symlink or directory junction pointing to a file crucial to the antivirus (or any other critical system file). When the antivirus took action to quarantine the “malicious” file, it effectively deleted files crucial to its own operation or other important system files.

Since an antivirus runs with extremely high permissions, it could quarantine essentially any file on the system. The only limitation was that — on Windows — files that were currently in use could not be quarantined. However, many antiviruses would simply wait until a reboot occurred and quarantine them before they were executed.
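As an added illustration (not code from the RACK911 Labs write-up), the two quarantine patterns below, written in Python for a POSIX system, show the directory-swap race from the defender's side: `quarantine_by_path` re-resolves the path between the check and the use, `quarantine_by_fd` pins the directory with a descriptor and refuses to follow links, and `simulate` performs the swap inside the window against a throwaway layout. The marker bytes, file names and the `race_hook` parameter are all constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # stands in for a signature; no real malware

def quarantine_by_path(directory, name, race_hook=lambda: None):
    """Vulnerable pattern: the check and the use each resolve the path afresh."""
    path = os.path.join(directory, name)
    with open(path, "rb") as f:          # check: a real engine runs signatures here
        bad = MARKER in f.read(4096)
    race_hook()                          # TOCTOU window (hook only simulates the swap)
    if bad:
        os.remove(path)                  # re-resolves 'directory': a swapped-in link is followed
    return bad

def quarantine_by_fd(directory, name, race_hook=lambda: None):
    """Hardened pattern: pin the directory by descriptor and refuse to follow links."""
    dfd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        with os.fdopen(fd, "rb") as f:   # same check, on a descriptor we already hold
            bad = MARKER in f.read(4096)
        race_hook()
        if bad:                          # use: acts on the pinned directory, never on a path;
            os.unlink(name, dir_fd=dfd)  # ENOENT here means the entry was swapped away
        return bad
    finally:
        os.close(dfd)

def simulate(quarantine):
    """Protected av_home/engine.dat plus a same-named bait file in a user-writable
    dropzone; the hook swaps dropzone for a symlink to av_home inside the window.
    Returns True if the protected file survived the quarantine."""
    root = Path(tempfile.mkdtemp())
    av_home, drop = root / "av_home", root / "dropzone"
    av_home.mkdir(); drop.mkdir()
    (av_home / "engine.dat").write_bytes(b"critical antivirus data")
    (drop / "engine.dat").write_bytes(MARKER)
    def swap():                          # the swap performed inside the window
        shutil.rmtree(drop); drop.symlink_to(av_home)
    try:
        quarantine(str(drop), "engine.dat", race_hook=swap)
    except FileNotFoundError:
        pass                             # the hardened variant refuses: desired outcome
    survived = (av_home / "engine.dat").exists()
    shutil.rmtree(root)
    return survived
```

Running `simulate(quarantine_by_path)` deletes the protected file while `simulate(quarantine_by_fd)` leaves it intact, because an unlink relative to a held directory descriptor cannot be redirected by replacing the path component.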

Current impact of the vulnerabilities

RACK911 Labs discovered this vulnerability in 2018. For over a year and a half, they did not publicize it as they worked with antivirus vendors to fix their vulnerable systems. After granting every contacted vendor at least six months to patch the vulnerability, they decided to publish it to draw attention to the issue and incentivize vendors that were dragging their feet about updates to issue a patch immediately.

At this point, no major antivirus vendor should be vulnerable to this particular exploit. However, the potential for other symlink/directory junction vulnerabilities in antivirus products and other software still exists. TOCTOU race condition vulnerabilities are a major security threat and can be easily exploited, as demonstrated by RACK911 Labs.
