1/13/2024
Download McAfee Total Protection

Most antivirus software works in a similar fashion: when an unknown file is saved to the hard drive, the antivirus software will usually perform a “real time scan” either instantly or within a couple of minutes. If the unknown file is determined to be a suspected threat, the file will then be automatically quarantined and moved to a secure location pending further user instructions, or it will simply be deleted. Given the nature of how antivirus software has to operate, almost all of them run in a privileged state, meaning the highest level of authority within the operating system. Therein lies a fundamental flaw, as the file operations are (almost) always performed at the highest level, which opens the door to a wide range of security vulnerabilities and various race conditions. What most antivirus software fails to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless.

This exploit was used against Kaspersky Internet Security for macOS and downloads the EICAR test-string from an alternate source (Pastebin) to bypass real-time protection that prohibits downloading the test-string from the official website. Once the test-string has been downloaded, the antivirus software immediately detects the file as malware and attempts to clean it up. In our testing, we were able to identify an approximate delay of 6-8 seconds that allows a race condition to occur that can result in a symlink attack causing any file to be removed, due to the fact that the software runs as root. It’s worth noting that the above Proof of Concept for macOS also works for some Linux antivirus software.

In our testing, we were able to delete important files that would have rendered either the antivirus software or the operating system inoperable, given that most file operations run as the root user. One of the benefits of exploiting antivirus software for Linux is the wide range of available tools to help with the race condition timings. In our case, we found the use of ‘inotifywait’ to be extremely helpful. For example, the following Proof of Concept worked against Eset File Server Security:

    rm -rf /home/user/exploit ; mkdir /home/user/exploit/
    # the EICAR test-string is expected to have been downloaded to /home/user/exploit/passwd
    while inotifywait -m "/home/user/exploit/passwd" | grep -m 5 "OPEN"
    do
        rm -rf /home/user/exploit ; ln -s /etc /home/user/exploit
    done

What the above Proof of Concept does is monitor the EICAR test-string that was downloaded to a file called passwd. With the help of ‘inotifywait’ the malicious passwd file is monitored for OPEN file operations. After the 5th OPEN the actual symlink attack takes place, which then causes the system /etc/passwd to be removed, causing a Denial of Service attack against the operating system.

RACK911 Labs began notifying vendors in the fall of 2018 and to this date we have reported security vulnerabilities across all major platforms affecting every well-known antivirus vendor.
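The scan-then-cleanup race described above comes down to a privileged process re-resolving a file path after the attacker has swapped a parent directory for a symlink. The C program below is an added example, not RACK911's code or any vendor's: it contrasts a path-based unlink with one made relative to a directory handle opened before the race window, simulating the swap inside a constructed /tmp scratch tree (the scratch paths, and using a rename rather than rm -rf for the swap, are this example's assumptions).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Privileged cleanup, unsafe: re-resolves the full path at removal time, so a
 * parent directory swapped for a symlink during the scan/cleanup window
 * redirects the unlink (the /etc/passwd outcome described above). */
static int cleanup_by_path(const char *path) { return unlink(path); }

/* Privileged cleanup, safer: the scanner opens the directory once, refusing a
 * symlink, and later removes the file relative to that inode. A path swap
 * after the open changes nothing the handle points at. */
static int open_dir_nofollow(const char *dir) {
    return open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}
static int cleanup_by_dirfd(int dirfd, const char *name) {
    return unlinkat(dirfd, name, 0);
}

/* Constructed scenario in a scratch tree: <base>/exploit/passwd plays the
 * detected file, <base>/etc/passwd plays the system file. Between the scan
 * and the cleanup the 'exploit' directory is moved aside and replaced by a
 * symlink to 'etc'. Returns 1 if the decoy system file was removed,
 * 0 if it survived, -1 on setup error. */
static int simulate(int use_dirfd) {
    char base[] = "/tmp/avraceXXXXXX";
    if (!mkdtemp(base)) return -1;
    char expl[64], moved[64], target[64], etc[64], decoy[64], kept[64];
    snprintf(expl, sizeof expl, "%s/exploit", base);
    snprintf(moved, sizeof moved, "%s/moved", base);
    snprintf(target, sizeof target, "%s/exploit/passwd", base);
    snprintf(etc, sizeof etc, "%s/etc", base);
    snprintf(decoy, sizeof decoy, "%s/etc/passwd", base);
    snprintf(kept, sizeof kept, "%s/moved/passwd", base);
    if (mkdir(expl, 0700) || mkdir(etc, 0700)) return -1;
    close(open(target, O_CREAT | O_WRONLY, 0600));
    close(open(decoy, O_CREAT | O_WRONLY, 0600));
    int dirfd = open_dir_nofollow(expl);          /* taken at scan time */
    rename(expl, moved);                           /* the race window ... */
    symlink(etc, expl);                            /* ... and the swap */
    if (use_dirfd) cleanup_by_dirfd(dirfd, "passwd"); else cleanup_by_path(target);
    int decoy_removed = access(decoy, F_OK) != 0;
    close(dirfd);                                  /* scratch cleanup */
    unlink(decoy); unlink(kept); unlink(expl); rmdir(etc); rmdir(moved); rmdir(base);
    return decoy_removed;
}
```

With the script's rm -rf instead of a move, unlinkat on the held handle simply fails with ENOENT and still touches nothing outside the directory that was scanned.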