Exploiting leading antivirus software: RACK911 Labs details vulnerabilities

How an antivirus works

Antivirus programs are designed to keep your computer safe from malware and other malicious content. In order to minimize the damage that a potentially malicious file can pose to a computer, antivirus programs are designed to scan files as soon as they are installed on a computer. If they are determined to be malicious, the antivirus places them in quarantine to ensure that they cannot be executed until a user either adds an exception or authorizes deletion of the file from the computer.

In order to do its job, an antivirus requires elevated privileges on a machine. Malware can be installed anywhere on the filesystem under multiple different user accounts. Elevated privileges ensure that an antivirus has the ability to detect and deal with potential malware regardless of where it is installed.

Race condition exploitation enables antivirus shutdown

RACK911 Labs took advantage of the advanced privileges accorded to an antivirus to use them to attack themselves and the systems that they are supposed to protect. They accomplished this by taking advantage of race conditions and built-in features of the target operating system.

The potential for a race condition exists any time that multiple different execution flows are occurring in parallel. Normally, parallelization can be an asset; however, problems can occur if two different execution threads are modifying the same state. Depending on the order in which operations are performed in two or more threads, the end result of the computation can be very different.

Sponsorships Available

Sponsorships Available

Sponsorships Available

RACK911 Labs took advantage of a “time of check vs. time of use” (TOCTOU) vulnerability in most antivirus programs. In the course of protecting a machine against malicious files, an antivirus performs two operations. The first is a check in which they determine if a particular file is malicious. The second is (Read more...)