Date: 2020-04-24

RACK911 Labs security researchers said in a report released this week that they found "symlink race" vulnerabilities in 28 of today's most popular antivirus products.

RACK911 says the bugs can be exploited by an attacker to delete files used by the antivirus or the operating system, causing crashes or rendering the computer unusable.

The vulnerability class at the heart of these bugs is called a "symlink race", Dr. Vesselin Bontchev, a member of the National Computer Virology Laboratory of the Bulgarian Academy of Sciences, told ZDNet today.

A symbolic link race vulnerability occurs when a malicious file is swapped for a link to a legitimate file in the window between a program checking the file and acting on it, so that the action intended for the malicious file lands on the legitimate one. Symlink vulnerabilities are often used to link malicious files to higher-privileged items, resulting in elevation-of-privilege (EoP) attacks.

“It’s a very real, old problem with operating systems that allow concurrent processes,” Dr. Bontchev told ZDNet. “In the past, many programs have been found to suffer from it.”

Years of work in AV product research

In a report released this week, the RACK911 team said it has been investigating the presence of these bugs in antivirus products since 2018.

They found 28 products on Linux, Mac, and Windows to be vulnerable, and notified the vendors over time.

“Most antivirus vendors have fixed their products with some unfortunate exceptions,” the RACK911 team said this week. Some vendors acknowledged the problems in public security advisories (1, 2, 3, 4), while others appear to have released patches silently. The RACK911 team did not name the products that have not been patched.


RACK911 says that antivirus products in particular are vulnerable to this type of attack because of how they operate. There is a window between the moment a file is scanned and classified as malicious and the moment the antivirus goes on to remove the threat. The attack consists of replacing the malicious file with a link to a legitimate file within that time window.

RACK911 researchers created proof-of-concept scripts that abuse this race condition (a symlink race) to point the malicious file at a legitimate file, using directory junctions (on Windows) and symbolic links (on Mac and Linux).

When the antivirus detects the malicious file and moves to delete it, it ends up deleting its own files or core files owned by the operating system.
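The window described above is easiest to see in code. The following is an added, constructed example (not RACK911's proof of concept and not any vendor's code) that models the detection-then-removal step of a scanner on Linux/macOS. It records the device and inode of the flagged file and its parent directory at scan time, and at removal time re-opens the parent directory component by component with O_NOFOLLOW and verifies both identities before unlinking relative to that directory descriptor. The `demo()` function stages the directory-swap race the article describes inside a temporary directory and shows that the naive `os.remove(path)` deletes the stand-in for a critical file while the checked variant refuses. The file names and directory layout are invented for the demonstration.

```python
import os
import stat
import tempfile


class RaceDetected(Exception):
    """The path no longer refers to the object that was scanned."""


def open_dir_nofollow(path):
    """Open a directory one component at a time with O_NOFOLLOW.

    A plain open(path, O_NOFOLLOW) only refuses a link in the final component;
    walking with dir_fd refuses a link anywhere in the path, which is exactly
    what a directory-swap race relies on.
    """
    parts = [p for p in os.path.normpath(path).split(os.sep) if p and p != "."]
    start = os.sep if os.path.isabs(path) else "."
    fd = os.open(start, os.O_RDONLY | os.O_DIRECTORY)
    part = start
    try:
        for part in parts:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=fd)
            os.close(fd)
            fd = nfd
    except OSError as exc:  # ELOOP / ENOTDIR: a component is not a real directory
        os.close(fd)
        raise RaceDetected(f"component {part!r} is not a real directory: {exc}")
    return fd


def scan(path):
    """Stand-in for the detection step: record the (device, inode) identity of
    the parent directory and of the flagged file so removal can verify them."""
    parent, name = os.path.split(path)
    dfd = open_dir_nofollow(parent)
    try:
        dst = os.fstat(dfd)
        fst = os.stat(name, dir_fd=dfd, follow_symlinks=False)
    finally:
        os.close(dfd)
    return {"parent": parent, "name": name,
            "dir_id": (dst.st_dev, dst.st_ino),
            "file_id": (fst.st_dev, fst.st_ino)}


def remove_naive(path):
    """Fragile pattern: trust the path string at removal time, so every
    directory component is resolved again and a swapped component redirects
    the delete."""
    os.remove(path)


def remove_safe(record):
    """Re-open the parent without following links, confirm directory and file
    identities match the scan, then unlink relative to the verified directory."""
    dfd = open_dir_nofollow(record["parent"])
    try:
        dst = os.fstat(dfd)
        if (dst.st_dev, dst.st_ino) != record["dir_id"]:
            raise RaceDetected("parent directory changed since scan")
        fst = os.stat(record["name"], dir_fd=dfd, follow_symlinks=False)
        if (fst.st_dev, fst.st_ino) != record["file_id"] or not stat.S_ISREG(fst.st_mode):
            raise RaceDetected("flagged file changed since scan")
        os.unlink(record["name"], dir_fd=dfd)  # unlink never follows the final component
    finally:
        os.close(dfd)


def demo():
    """Constructed scenario: the scan directory is swapped for a symlink to a
    directory holding a same-named critical file between scan and removal.
    Returns {strategy: (outcome, critical_file_still_exists)}."""
    results = {}
    for strategy in ("naive", "safe"):
        with tempfile.TemporaryDirectory() as tmp:
            root = os.path.realpath(tmp)  # avoid platform symlinks such as macOS /tmp
            scan_dir = os.path.join(root, "scan")
            critical_dir = os.path.join(root, "critical")
            os.mkdir(scan_dir)
            os.mkdir(critical_dir)
            flagged = os.path.join(scan_dir, "sample.bin")
            critical = os.path.join(critical_dir, "sample.bin")
            with open(flagged, "w") as f:
                f.write("constructed sample flagged by the scanner\n")
            with open(critical, "w") as f:
                f.write("constructed stand-in for a file the system needs\n")
            record = scan(flagged)
            # The window between detection and removal: move the directory aside
            # and replace it with a link to the directory holding the critical file.
            os.rename(scan_dir, scan_dir + ".moved")
            os.symlink(critical_dir, scan_dir)
            try:
                if strategy == "naive":
                    remove_naive(flagged)
                else:
                    remove_safe(record)
                outcome = "removed"
            except RaceDetected:
                outcome = "refused"
            results[strategy] = (outcome, os.path.exists(critical))
    return results


if __name__ == "__main__":
    print(demo())
```

The check in `remove_safe` is itself check-then-act, but the act is `unlink` relative to a verified directory descriptor, and `unlink` does not follow a symlink in its final component; the worst an attacker can achieve by swapping the file again after the check is the deletion of their own link inside that directory, not of its target. The same identity-pinning idea applies to Windows junctions, where the equivalent is opening with `FILE_FLAG_OPEN_REPARSE_POINT` and comparing file IDs, which this Unix-only example does not cover.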

Video: https://www.youtube.com/watch?v=MblUiyazdAc

“In our tests on Windows, macOS, and Linux, we were able to easily delete important files related to antivirus software that made it ineffective, and even delete key files from the operating system that would cause significant corruption requiring a complete reinstall of the operating system,” said RACK911 researchers.

The RACK911 proof-of-concept code released this week only deletes files. Dr. Bontchev says these attacks would be more dangerous if they overwrote files instead, which he considers feasible, and which would lead to a complete takeover of the attacked system.

Real-world attacks using the RACK911 bugs would first require the attacker to get the symlink attack code onto a device and run it there. This is not something that helps attackers breach a system, but something that helps them extend their access on a system they have already compromised.

This means that such bugs can only be used as a second-stage payload in a malware infection, to elevate privileges, disable security products, or sabotage computers in a destructive attack.

“Make no mistake about it, the exploitation of these flaws was quite trivial and experienced malware authors will have no problem arming the tactics described in this blog post,” the RACK911 team said.

So far, most of the bugs that RACK911 found in antivirus products have been fixed. However, variations could easily be discovered. Symlink race condition bugs have been among the oldest and hardest-to-mitigate bugs in applications over recent decades, across all operating systems (1, 2).