Getting Local Admin by Abusing the Anti-Virus Quarantine #AVGater
From: Florian Bogner <florian () bogner sh>
Date: Fri, 10 Nov 2017 10:02:15 +0100
This mail is not about a single vulnerability, but about a more or less general technique I discovered to abuse the
restore-from-quarantine feature in anti-virus solutions to gain local admin rights. As I also presented this attack at the
IT SECX conference, I had to invent a name for it too. Hence, it is now called #AVGater (naturally it also has a logo).
For a more detailed description visit: https://bogner.sh/AVGater
Anti-virus solutions are split into several components: an unprivileged user-mode part (the UI, running as the logged-on
user), a privileged user-mode part (the Windows service) and a kernel component. These components talk to each other, and
a restore-from-quarantine request travels from the UI to the service, which performs the actual file write.
By abusing NTFS directory junctions it is possible, from the unprivileged user-mode part ("the UI"), to have files
restored from the virus quarantine with the permissions of the privileged user-mode part ("the Windows service"). Because
the service follows the junction when it writes the restored file, this results in a privileged file write: the user
chooses the destination, the service supplies the permissions.
The following image illustrates the attack vector:
Steps to exploit:
1.) Get a malicious DLL into the AV quarantine (for example by manually adding it or by exploiting a race condition)
2.) By abusing NTFS directory junctions, redirect the original source folder of the DLL to a protected location, for
example C:\Program
3.) Restore the DLL from quarantine
=> As the DLL is restored with the permissions of the privileged Windows service instead of the user's permissions,
the file is dropped into an otherwise non-writable folder.
4.) On the next reboot the DLL is loaded by the AV instead of the actual Windows DLL (a DLL search-order hijack) and the
malicious code is executed with the AV's privileges
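To make the steps concrete, here is an added simulation of the flawed restore logic and of a restore that refuses to follow a redirected path. This is example code written for this page, not code from the original mail or from any AV product. It assumes a POSIX host and uses a directory symlink as a stand-in for an NTFS directory junction; the directory names, the `quarantine`/`restore_*` functions and the payload bytes are all constructed for the example, and the "privileged service" is simply the current process, so only the logic is demonstrated, not the privilege boundary.

```python
"""Simulation of the #AVGater quarantine-restore flaw.

A directory symlink stands in for an NTFS directory junction, and the
"privileged service" is just this process; the point is the logic, not
the privilege boundary.  Everything here is constructed for the example.
"""
import os
import shutil
import tempfile

# Constructed stand-in for the attacker's DLL.  The bytes are arbitrary.
PAYLOAD = b"MZ\x90\x00 constructed fake DLL payload"


def quarantine(src_path, store_dir):
    """Step 1: move a detected file into the quarantine store.

    The record keeps the original path so the file can be put back.  It also
    keeps the *resolved* parent directory as seen at detection time, which is
    what the hardened restore compares against later.
    """
    parent = os.path.dirname(src_path)
    record = {
        "orig": src_path,
        "orig_parent_real": os.path.realpath(parent),
        "name": "q-" + os.path.basename(src_path),
    }
    os.replace(src_path, os.path.join(store_dir, record["name"]))
    return record


def redirect_with_junction(user_dir, protected_dir):
    """Step 2 (attacker, unprivileged): replace the now-empty source folder
    with a link into a directory the user cannot normally write to."""
    os.rmdir(user_dir)
    os.symlink(protected_dir, user_dir, target_is_directory=True)


def restore_vulnerable(record, store_dir):
    """Step 3 as the flawed service does it: trust the recorded path and
    write with the service's own privileges.  Returns where the file really
    ended up (rename follows the directory link, so not where it came from)."""
    dst = record["orig"]
    os.replace(os.path.join(store_dir, record["name"]), dst)
    return os.path.realpath(dst)


def restore_hardened(record, store_dir):
    """Step 3 with the check: refuse when the destination's parent is a link
    or no longer resolves to the directory seen at quarantine time."""
    parent = os.path.dirname(record["orig"])
    resolved = os.path.realpath(parent)
    if os.path.islink(parent) or resolved != record["orig_parent_real"]:
        raise PermissionError(
            "restore target redirected: %s now resolves to %s" % (parent, resolved))
    dst = record["orig"]
    os.replace(os.path.join(store_dir, record["name"]), dst)
    return os.path.realpath(dst)


def run_scenario(hardened):
    """Drive steps 1-3 in a scratch tree.

    Returns (landed_in_protected_dir, error_message).  Step 4 (the AV loading
    the planted DLL at next boot) is not simulated.
    """
    root = tempfile.mkdtemp(prefix="avgater-")
    user_dir = os.path.join(root, "Users", "alice", "Downloads")
    protected_dir = os.path.join(root, "Program Files", "ExampleAV")
    store_dir = os.path.join(root, "Quarantine")
    for d in (user_dir, protected_dir, store_dir):
        os.makedirs(d)

    dll = os.path.join(user_dir, "evil.dll")
    with open(dll, "wb") as f:
        f.write(PAYLOAD)

    record = quarantine(dll, store_dir)                # step 1
    redirect_with_junction(user_dir, protected_dir)    # step 2
    restore = restore_hardened if hardened else restore_vulnerable
    error = None
    try:
        landed = restore(record, store_dir)            # step 3
        inside = landed.startswith(os.path.realpath(protected_dir) + os.sep)
    except PermissionError as exc:
        inside, error = False, str(exc)
    shutil.rmtree(root, ignore_errors=True)
    return inside, error


if __name__ == "__main__":
    print("vulnerable restore wrote into protected dir:", run_scenario(False))
    print("hardened restore:", run_scenario(True))
```

The hardened variant re-resolves the destination's parent and compares it with the location recorded at detection time, so a junction interposed after quarantine is rejected. This is still a check-then-use test, and a fast attacker could in principle swap the directory between the check and the rename. The more robust fixes are to perform the restore write while impersonating the requesting user, so that the write is subject to that user's own ACLs and simply fails in C:\Program Files, or to open every path component without following reparse points at the moment of the write.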
Who is/was affected?
During the preparation for this public disclosure, several different products have been checked for #AVGater. The
following vendors have already released their fix. However, there are a few more to come!
Getting our hands dirty
If you want to know more about how to exploit #AVGater in a real-life scenario, I have good news for you: I have already
fully documented two exploit vectors:
How to protect myself?
Generally, it's pretty simple: always install updates in a timely manner. However, as some vendors still need a few
more days to release their fix, it may take a little while until everyone is protected.
Furthermore, as #AVGater can only be exploited if the user is allowed to restore previously quarantined files, I
recommend that everyone within a corporate environment block normal users from restoring identified threats. This is
wise in any case.
eMail: florian () bogner sh
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/