A way to turn antivirus software into a self-destruct tool has been presented

Tomcat



Experts from RACK911 Labs demonstrated how symbolic links (directory junctions on Windows, symlinks on macOS and Linux) can be used to turn almost any antivirus solution into a self-destruct tool.

Most antivirus solutions work according to the same scheme: when an unknown file is saved to the computer's hard drive, the antivirus scans it in real time. If the file is found suspicious, it is either sent to "quarantine", a protected location where it waits for further user action, or it is deleted. Due to the nature of its operations, antivirus software usually has the highest privileges on the system, which, according to RACK911 Labs, "opens the door to a wide range of security vulnerabilities and concurrency uncertainties" (so-called race conditions).

According to the researchers, most antivirus solutions do not take into account the small time gap between scanning a file and acting on it. A local attacker or malware can trigger such a race condition using symbolic links and, by abusing the privileged file operations, disable the antivirus software or render it completely useless.

The researchers were able to delete critical antivirus software files on computers running Windows, macOS and Linux, rendering the software useless, and even to delete key system files, causing damage serious enough to require a reinstallation of the OS.

According to the researchers, the attack they presented is very easy to carry out, and an experienced attacker would have no difficulty with it. The hardest part is determining the exact moment at which the directory junction or symlink needs to be put in place. Timing plays a key role in this attack, since being even one second late renders the exploit useless. However, for some antivirus solutions timing did not matter at all: to trigger their self-destruction, it was enough to run the exploit in a loop.

RACK911 Labs began sending notifications to affected vendors in the fall of 2018, and most of them, with a few exceptions, have already patched the vulnerability.
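The following is an added example, not code from RACK911 Labs or any antivirus vendor, showing the defensive shape of a scan-then-delete step that closes the gap described above: the scanner pins the directory with a file descriptor, refuses symbolic links with O_NOFOLLOW, scans through the open descriptor, re-checks the (device, inode) identity before acting, and unlinks relative to the pinned directory so that a swapped path component cannot redirect the delete. It assumes a POSIX system (Linux or macOS) and uses a constructed marker string in place of a real detection engine.

```python
import errno
import os
import stat
import tempfile
from pathlib import Path

MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # constructed: any file containing it is "malicious"


def safe_quarantine(dirpath, name):
    # Pin the directory with an fd so a swapped path component (junction/symlink)
    # cannot redirect the delete; O_NOFOLLOW refuses symlinks outright.
    dir_fd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError as e:
            return "refused: symlink" if e.errno == errno.ELOOP else "error"
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode):
                return "skipped: not a regular file"
            # Scan through the open descriptor, never by re-opening the path.
            if MARKER not in os.pread(fd, 4096, 0):
                return "clean"
            # Re-check identity: the name must still be the object that was scanned.
            now = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
            if (now.st_dev, now.st_ino) != (st.st_dev, st.st_ino):
                return "aborted: replaced after scan"
            # unlinkat against the pinned dir never follows symlinks: a last-instant
            # swap can at worst remove a new entry here, never a file elsewhere.
            os.unlink(name, dir_fd=dir_fd)
            return "deleted"
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def demo():
    # Constructed layout: a malicious file plus a symlink to a "critical" file outside the dir.
    with tempfile.TemporaryDirectory() as d:
        critical, scan_dir = os.path.join(d, "critical.txt"), os.path.join(d, "downloads")
        os.mkdir(scan_dir)
        Path(critical).write_bytes(b"must survive")
        Path(scan_dir, "bad.bin").write_bytes(MARKER)
        os.symlink(critical, os.path.join(scan_dir, "link.bin"))
        results = {n: safe_quarantine(scan_dir, n) for n in ("bad.bin", "link.bin")}
        results["critical_survived"] = os.path.exists(critical)
        results["bad_removed"] = not os.path.exists(os.path.join(scan_dir, "bad.bin"))
        return results
```

The same pattern applies on Windows with handle-based APIs (opening with reparse-point rejection and deleting by handle), which is what the junction variant of the attack relies on being absent.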