Authored by: Eran Shimony, Researcher, CyberArk
The irony of abusing anti-malware solutions to gain elevated privileges confirms that cybercriminals will exploit virtually any route into a network. Security researchers have come to realise that anti-malware products are themselves highly vulnerable to exploitation. Because they run with high access privileges, anti-malware solutions may unintentionally assist the entry of malware into the system. Using file manipulation attacks, malware exploits the access privileges of popular security solutions to gain a foothold on the system.
While this flaw in anti-malware products can be alarming, many of the bugs that turn anti-malware products into a route for infiltrating systems can be easily identified and eliminated.
By understanding how these vulnerabilities are abused and by looking at their root causes, developers and security teams are better equipped to find and prevent malware from gaining elevated permissions on the system.
Finding the weak links
Many bugs are caused by the default Discretionary Access Control List (DACL) of the C:\ProgramData directory. On Windows, the ProgramData directory is used by applications to store data that is not specific to a user. This is why ProgramData has a permissive DACL by design: every user can freely access directories in that location. At a base level, every user has both write and delete permission, which allows any user to create new files or directories; these are owned by the creating user, who then has full control over them. A security issue arises, however, if a privileged process uses a directory in ProgramData that was created with non-privileged access, and this pattern can lead to many bugs. With a permissive DACL, the newly created directory is accessible from two different security contexts. The shared file resource can then be exploited to delete files, write arbitrary content and add links that lead to malicious content.
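The following audit script is an added example and is not part of the article or CyberArk's tooling. It walks the subdirectories of ProgramData and reports every Allow entry that grants write, delete or ownership-changing rights to a low-privileged principal, together with the directory owner, so a reviewer can spot privileged-process directories whose DACL is still the permissive inherited default. The list of principals treated as low-privileged, and the recursion depth, are assumptions chosen for the example.

```powershell
# Added example: audit ProgramData subdirectories for permissive DACLs.
# Run elevated so that every directory can be read.

# Principals that any standard user belongs to (assumed list for this example).
$lowPriv = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a standard user plant, replace, delete or re-ACL content.
$dangerous = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-PermissiveProgramDataDirs {
    param(
        [string]$Root  = $env:ProgramData,
        [int]   $Depth = 2   # assumed: product directories sit one or two levels down
    )

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $dangerous) -eq 0) { continue }

                # One finding per (directory, principal, ACE). Owner is reported because a
                # directory owned by a standard user but used by SYSTEM is the riskiest case.
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Owner     = $acl.Owner
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

Get-PermissiveProgramDataDirs | Sort-Object Path, Principal | Format-Table -AutoSize
```

Findings where Inherited is True and Owner is not SYSTEM or Administrators are the ones to check against the services and installers that actually use the directory; a directory that a privileged component writes to should show an explicit, non-inherited DACL instead.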
Malicious users can also escalate their privileges through programs that install new software. Attackers look for these opportunities because vendors update the software inside the package but often forget to update the installer package itself. Using Dynamic Link Library (DLL) hijacking, a standard user can abuse the DLL loading of a privileged process and successfully inject code into it.
With code execution inside the anti-virus installer, attackers gain elevated access privileges and can start deploying malicious payloads onto the system. Software products that rely on installation frameworks are vulnerable to this method because the installers ship with an outdated version of the framework. Moreover, users do not usually update their installers, which leaves anti-malware solutions even more exposed to DLL hijacking.
How can we fix it?
Understanding how anti-malware solutions can be exploited as an entry point for intrusions is a significant first step. To address anti-malware vulnerabilities, the next course of action is to render file manipulation attacks obsolete. Here are some steps that IT teams can take to intercept the attack methods mentioned above:
1. Changing Access Control Lists (ACLs) before usage - When creating a directory in ProgramData, IT teams should change the DACL during each file creation operation on that directory and apply a restrictive DACL if privileged code is going to access it. The DACLs should also be changed if there is cleanup code in the uninstallation or update procedure. Failure to change the ACLs opens the directories to an arbitrary delete vulnerability.
2. Correct impersonation - Make sure that the privileged process's impersonation is on point throughout all code paths if files need to be accessed from two different security contexts. While this is easier said than done in some cases, correct impersonation will help avert misuse. IT teams can also take the other option of using two different files. By having a file that can't be deleted, attackers will not be able to create a mount point to \RPC Control.
3. Updating the installation framework - Updating the installation framework code to the latest version when writing a new installer is the best counter against malware exploiting this loophole. This vulnerability class also holds for custom installers that do not use any third-party vendor. Additionally, when installing software packages, using Windows Installer is the safer option.
4. Using LoadLibraryEx - Using LoadLibraryEx instead of the old LoadLibrary API allows developers to specify flags that change the DLL search and load order. With this behaviour under control, calling LoadLibraryEx eliminates the chance of loading an unsafe DLL altogether.
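The block below is an added example, not code from the article or from CyberArk, and it demonstrates steps 1 and 4 from the list above in Windows PowerShell 5.1. The first function creates a product directory under ProgramData with a restrictive DACL applied at creation time (inheritance from ProgramData cut off, only SYSTEM and Administrators granted access) and refuses to reuse a directory that already exists, since such a directory may have been pre-created by a standard user. The second function wraps LoadLibraryExW with LOAD_LIBRARY_SEARCH_SYSTEM32 so that a DLL is resolved only from %SystemRoot%\System32 and never from the application directory, the current directory or PATH. The directory path and the DLL name passed in the usage lines are placeholders.

```powershell
# Added example: hardened directory creation and DLL loading for a privileged component.
# Assumes Windows PowerShell 5.1 (.NET Framework), run from an elevated prompt.

function New-RestrictedProgramDataDir {
    param([Parameter(Mandatory)][string]$Path)

    # A directory that already exists may have been created, and is then owned, by an
    # unprivileged user. Never adopt it; fail loudly instead.
    if (Test-Path -LiteralPath $Path) {
        throw "Refusing to use pre-existing directory: $Path"
    }

    $sec = [System.Security.AccessControl.DirectorySecurity]::new()
    # Break inheritance so the permissive ProgramData ACEs (Users: create files/folders,
    # CREATOR OWNER: full control) do not flow into this directory.
    $sec.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($wellKnown in @([System.Security.Principal.WellKnownSidType]::LocalSystemSid,
                             [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)) {
        $sid  = [System.Security.Principal.SecurityIdentifier]::new($wellKnown, $null)
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                    $sid,
                    [System.Security.AccessControl.FileSystemRights]::FullControl,
                    $inherit, $prop,
                    [System.Security.AccessControl.AccessControlType]::Allow)
        $sec.AddAccessRule($rule)
    }

    # Apply the DACL in the same call that creates the directory, rather than creating it
    # first and fixing the ACL afterwards, so there is no window with the inherited DACL.
    # (On PowerShell 7 the equivalent call is
    #  [System.IO.FileSystemAclExtensions]::CreateDirectory($sec, $Path).)
    [System.IO.Directory]::CreateDirectory($Path, $sec) | Out-Null
    return Get-Acl -LiteralPath $Path
}

# P/Invoke declaration for LoadLibraryExW; Add-Type -MemberDefinition already imports
# System and System.Runtime.InteropServices.
Add-Type -Namespace HardeningDemo -Name NativeLoader -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpLibFileName, IntPtr hFile, uint dwFlags);
'@

function Import-SystemDll {
    param([Parameter(Mandatory)][string]$Name)

    # LOAD_LIBRARY_SEARCH_SYSTEM32: search only %SystemRoot%\System32 for the DLL and its
    # dependencies (Windows 8+, or Windows 7 with the DLL search-order update installed).
    $LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800

    # The restricted search applies to the name being resolved; a caller-supplied path
    # would be loaded from wherever it points, so only bare file names are accepted here.
    if ($Name -match '[\\/]') { throw "Pass a bare DLL name, not a path: $Name" }

    $handle = [HardeningDemo.NativeLoader]::LoadLibraryExW($Name, [IntPtr]::Zero, $LOAD_LIBRARY_SEARCH_SYSTEM32)
    if ($handle -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LoadLibraryExW('$Name') failed with Win32 error $err"
    }
    return $handle
}

# Usage (placeholder values):
$acl = New-RestrictedProgramDataDir -Path (Join-Path $env:ProgramData 'ExampleVendor\ExampleProduct')
$acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
$h = Import-SystemDll -Name 'version.dll'
"Loaded at 0x{0:X}" -f $h.ToInt64()
```

The two guards are the parts worth copying: refusing an already-existing directory closes the pre-creation race the article describes, and rejecting path separators keeps LOAD_LIBRARY_SEARCH_SYSTEM32 meaningful, since a full path passed to LoadLibraryEx is loaded from that path regardless of the search flags.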
As organisations continue to implement strategies that improve their overall security posture, attackers are showing no signs of letting up. The high privilege level of security products and anti-malware solutions makes them an attractive target for cybercriminals. While anti-malware solutions stand as an added layer of security, they can also serve as an attack surface. Errors and risks associated with local access privileges could lead to extensive damage to the organisation.
With a reliable identity and access management strategy, businesses are a step ahead in securing their critical assets.