Quarantine Flaw in Antivirus Products Allows Privilege Escalation

The malware quarantine feature in several antivirus products could have been abused by local attackers to gain administrative privileges on computers.

The issue, dubbed AVGater, was discovered by Florian Bogner, a researcher with security firm Kapsch. It exploits a user’s ability to restore suspicious files that antivirus programs have moved to quarantine.

Bogner found a method to trick several antivirus products to restore quarantined files to different directories than those they were found in. This can have serious security implications.

Depending on its settings, when an antivirus program detects a potentially malicious file, it will move that file to a secure storage called the quarantine. This feature gives users the opportunity to restore files that have been erroneously detected as malware, known as a false positive detection.

According to Bogner, a local attacker with access to a limited account on the computer could place malware in a directory the account has access to so that the antivirus product detects it and moves it to quarantine. The attacker can then use the directory junction feature of NTFS to create a symbolic link that maps the original directory to C:\Windows or another system folder.

Regular users don’t normally have the permission to write to sensitive system folders, but antivirus products do because they run with system privileges. So, the attacker can use the antivirus quarantine restore to bypass this restriction because the program will follow the NTFS junction and place the restored file in the folder chosen by the attacker instead of the original one.

This method can be combined with DLL search path hijacking, another common issue, to trick a system service or a privileged application to load a malicious DLL (Dynamic Link Library) file.

Many applications load their libraries by searching for them in different locations on the system in a certain order. So, if an attacker places a similarly named library in a location that’s checked earlier in the search path, the targeted application will load it before the legitimate one.

By combining the two techniques, an attacker can elevate their privileges, since a DLL file will execute with the privileges of the application that loaded it. To summarize: The antivirus quarantine restore trick can be used to place a malicious DLL file in a location chosen by the attacker so it gets loaded by an application or system service with higher privileges.

Bogner confirmed that antivirus products from Trend Micro, Kaspersky Lab, Malwarebytes, Emsisoft, Check Point and Ikarus were vulnerable to AVGater and have fixed the issue. However, other products that have yet to be identified might be affected as well.

“As #AVGator can only be exploited if the user is allowed to restore [a] previously quarantined file, I recommend everyone within a corporate environment to block normal users from restoring identified threats,” Bogner said in a blog post.

Malwarebytes Wins Legal Fight over PUP Classification

Endpoint security vendor Malwarebytes won a legal battle in a case brought by a company whose software products were flagged by Malwarebytes Anti-Malware (MBAM) as “potentially unwanted programs” (PUPs).

Over the years, Malwarebytes has built a strong reputation for detecting adware and other unwanted applications that many antivirus vendors miss. While not malware, PUPs are intrusive and negatively impact users’ computing experience.

Two applications detected and blocked by Malwarebytes as PUPs are SpyHunter and RegHunter, created by Enigma Software Group and marketed as anti-malware products. Enigma filed a lawsuit against Malwarebytes, claiming the company’s decision was motivated by competitive reasons, but a judge from the District Court for the Northern District of California, dismissed it.

“Sounds mundane, but the reality is that this is not only a critical win for Malwarebytes, but for all security providers who will continue to have legal protection to do what is right for their users,” said Marcin Kleczynski, Malwarebytes’ CEO, in a blog post. “This decision affirms our right to enable users by giving them a choice on what belongs on their machines and what doesn’t.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 46 posts and counting.See all posts by lucian-constantin