Experts found Symlink race issues in 28 antivirus products

Pierluigi Paganini April 25, 2020

Security experts from RACK911 Labs discovered “symlink race” vulnerabilities in 28 of the most popular antivirus products.

Security researchers from RACK911 Labs disclose the discovery of “symlink race” issues in 28 of the most popular antivirus products.

The flaws affect 28 products running on major OSs, including Linux, Mac, and Windows.

“A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner. A malicious user can create a symbolic link to a file not otherwise accessible to them.” states Wikipedia. “When the privileged program creates a file of the same name as the symbolic link, it actually creates the linked-to file instead, possibly inserting content desired by the malicious user (see example below), or even provided by the malicious user (as input to the program).”

Symlink race vulnerabilities could be exploited to link malicious files to higher-privilege resources, allowing users to elevate privileges

The experts revealed that an attacker could exploit the vulnerabilities to delete files on the host, including the ones used by the antivirus or by the operating system, rendering the machine unusable.

Experts pointed out that most antivirus products work in a similar way, when an unknown file is saved to the hard drive, the software will usually perform a “real time scan, ” either instantly or within a couple of minutes. If the unknown file is a suspected threat, the file will be moved to a secure location used to quarantine the item.

Experts highlight that antivirus software run in a privileged state, an attacker that could exploit an issue in these solutions could potentially run code at the highest privileges. An attacker could perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) in the time between the initial file scan and the cleanup operation.

“What most antivirus software fail to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after.” reads the report published by the experts. “A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.”

RACK911 reported its findings to antivirus vendors and most of them have already addressed the flaws in their products (i.e. AVG, F-Secure, McAfee).

The experts also published proof-of-concept scripts that could exploit a (symlink) race condition issue to link malicious files to legitimate files via directory junctions (on Windows) and symbolic links (on Mac & Linux).

“In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS. (When targeting Windows, we were only able to delete files that were NOT currently in use; However, some antivirus software would still remove the file upon a system reboot.)” concludes the report.

The experts explained that it could be quite easy for attackers to exploit these issues.

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – antivirus, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment