SafeBreach Labs security researcher Or Yair discovered several vulnerabilities that allowed him to turn endpoint detection and response (EDR) and antivirus (AV) products into wipers.
The identified issues, which were presented on Wednesday at the Black Hat Europe cybersecurity conference, allowed the researcher to trick the vulnerable security products into deleting arbitrary files and directories on the system and render the machine unusable.
Dubbed Aikido, the researcher’s wiper abuses the extended privileges that EDR and AV products have on the system, relying on decoy directories containing specially crafted paths to trigger the deletion of legitimate files.
“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable. It does all that without implementing code that touches the target files, making it fully undetectable,” the researcher explains.
The Aikido wiper exploits a window of opportunity between the detection of a malicious file and its actual deletion and abuses a feature in Windows that allows users to create junction point links – which are like symbolic links (symlinks) – regardless of their account’s privileges.
Yair explains that an unprivileged user cannot delete system (.sys) files, because they do not have the required permissions, but he successfully tricked the security product into performing the deletion by creating a decoy directory and placing in it a crafted path like the one intended for deletion (such as C:\temp\Windows\System32\drivers vs C:\Windows\System32\drivers).
The researcher created a malicious file, placed it in the decoy directory, but did not specify a handle for it. Without knowing which programs have permissions to modify the file, the EDR/AV prompted for a system reboot to remediate the threat. The researcher then deleted the decoy directory.
Some security tools, the researcher explains, rely on a Windows API to postpone the deletion until after the reboot, while others keep a list of paths selected for deletion and wait for the reboot to delete them.
While the default Windows API for postponing a deletion uses a flag that requires administrator privileges, once the system reboots, “Windows starts deleting all the paths and blindly follows junctions,” the researcher discovered.
“Some other self-implementations of EDRs and AVs do that too. As a result, I was able to create one complete process that allowed me to delete almost any file that I wanted on the system as an unprivileged user,” the researcher notes.
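As an added illustration (not code from SafeBreach, the Aikido PoC, or any vendor), here is one way a remediation routine could re-validate a queued path before a deferred deletion, refusing when any component has become a junction or symlink. The function names and the `trusted_root` parameter are assumptions, and a POSIX symlink stands in for a Windows junction in the constructed demo.

```python
import os
import stat
import tempfile

def is_reparse_point(path):
    """True if path itself is a symlink or, on Windows, any reparse point (e.g. a junction)."""
    st = os.lstat(path)  # lstat does not follow the final link
    # st_file_attributes exists only on Windows; junctions set the reparse-point bit.
    attrs = getattr(st, "st_file_attributes", 0)
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def first_redirect(path, trusted_root):
    """Return the first component below trusted_root that is a link or junction, else None."""
    path, root = os.path.abspath(path), os.path.abspath(trusted_root)
    if os.path.commonpath([path, root]) != root:
        raise ValueError("path is outside trusted_root")
    current = root
    for part in os.path.relpath(path, root).split(os.sep):
        current = os.path.join(current, part)
        if os.path.lexists(current) and is_reparse_point(current):
            return current
    return None

def delete_queued(path, trusted_root):
    """Deferred-deletion step: refuse if the recorded path now crosses a redirect."""
    hit = first_redirect(path, trusted_root)
    if hit is not None:
        return "refused: " + hit
    if not os.path.lexists(path):
        return "missing"
    os.remove(path)
    return "deleted"

def demo():
    """Constructed scenario: a file is queued, then its parent is swapped for a link."""
    root = os.path.realpath(tempfile.mkdtemp())
    protected, decoy = os.path.join(root, "protected"), os.path.join(root, "decoy")
    for d in (protected, decoy):
        os.mkdir(d)
        open(os.path.join(d, "driver.sys"), "w").close()
    queued = os.path.join(decoy, "driver.sys")  # path recorded at detection time
    before = first_redirect(queued, root)       # None: decoy is still a real directory
    os.remove(queued)
    os.rmdir(decoy)
    os.symlink(protected, decoy)                # POSIX stand-in for a junction
    result = delete_queued(queued, root)
    return before, result, os.path.exists(os.path.join(protected, "driver.sys"))
```

Checking and then deleting by path still leaves a short race, so a production implementation would open the target without following reparse points (`FILE_FLAG_OPEN_REPARSE_POINT` on Windows) and delete through that handle.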
Yair points out that the exploit also bypasses Controlled Folder Access in Windows – a feature meant to prevent tampering with files inside folders that are on a Protected Folders list – because the EDR/AV has permissions to delete these files.
Out of 11 security products that were tested, six were found vulnerable to this exploit. The security flaws were reported to the affected vendors and three CVE identifiers were issued: CVE-2022-37971 for Microsoft Defender and Defender for Endpoint, CVE-2022-45797 for Trend Micro Apex One, and CVE-2022-4173 for Avast and AVG Antivirus for Windows.
Available on GitHub, the wiper contains exploits for the bugs impacting SentinelOne’s EDR and Microsoft Defender and Defender for Endpoint. For Microsoft’s products, however, only deletion of arbitrary directories is possible.
The PoC wiper creates an EICAR file (instead of a real malicious file) that is deleted by the security solution, can delete system files like drivers, and, at system reboot, “fills up the disk to no space with random bytes a few times” to ensure that data is overwritten and wiped.
“We believe it is critical for all EDR and AV vendors to proactively test their products against this type of vulnerability and, if necessary, develop a remediation plan to ensure they are protected. We would also strongly encourage individual organizations that currently utilize EDR and AV products to consult with their vendors about these vulnerabilities and immediately install any software updates or patches they provide,” Yair said.
Ionut Arghire is an international correspondent for SecurityWeek.